nixos/postgresql: support 0750 for data directory
This is rework of part of https://github.com/NixOS/nixpkgs/pull/46670. My usecase was to be able to inspect PG datadir as wheel user. PG11 now allows starting server with 0750 mask for data dir. `groupAccess = true` now does this automatically. The only thing you have to do is to set group ownership. For PG10 and below, I've described a hack how this can be done. Before this PR hack was impossible. The hack isn't ideal, because there is short period of time when dir mode is 0700, so I didn't want to make it official. Test/example is present too.
This commit is contained in:
danbst
parent
104f8a0e1a
commit
92a015d35d
@ -38,6 +38,8 @@ let
|
|||||||
${cfg.extraConfig}
|
${cfg.extraConfig}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
dirMode = if cfg.groupAccess then "0750" else "0700";
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
@ -80,6 +82,23 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
groupAccess = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
example = true;
|
||||||
|
description = ''
|
||||||
|
Allow read access for group (0750 mask for data directory).
|
||||||
|
Supported only for PostgreSQL 11+. PostgreSQL 10 and lower doesn't
|
||||||
|
support starting server with 0750 mask, but a workaround like
|
||||||
|
<programlisting>
|
||||||
|
systemd.services.postgresql.postStart = lib.mkAfter '''
|
||||||
|
chmod 750 ''${config.services.postgresql.dataDir}
|
||||||
|
''';
|
||||||
|
</programlisting>
|
||||||
|
may be used instead.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
authentication = mkOption {
|
authentication = mkOption {
|
||||||
type = types.lines;
|
type = types.lines;
|
||||||
default = "";
|
default = "";
|
||||||
@ -240,6 +259,14 @@ in
|
|||||||
|
|
||||||
config = mkIf config.services.postgresql.enable {
|
config = mkIf config.services.postgresql.enable {
|
||||||
|
|
||||||
|
assertions = [
|
||||||
|
{ assertion = cfg.groupAccess -> builtins.compareVersions cfg.package.version "11.0" >= 0;
|
||||||
|
message = ''
|
||||||
|
'groupAccess' is not available for PostgreSQL < 11.
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
services.postgresql.package =
|
services.postgresql.package =
|
||||||
# Note: when changing the default, make it conditional on
|
# Note: when changing the default, make it conditional on
|
||||||
# ‘system.stateVersion’ to maintain compatibility with existing
|
# ‘system.stateVersion’ to maintain compatibility with existing
|
||||||
@ -287,9 +314,9 @@ in
|
|||||||
''
|
''
|
||||||
# Create data directory.
|
# Create data directory.
|
||||||
if ! test -e ${cfg.dataDir}/PG_VERSION; then
|
if ! test -e ${cfg.dataDir}/PG_VERSION; then
|
||||||
mkdir -m 0700 -p ${cfg.dataDir}
|
mkdir -m ${dirMode} -p ${cfg.dataDir}
|
||||||
rm -f ${cfg.dataDir}/*.conf
|
rm -f ${cfg.dataDir}/*.conf
|
||||||
chown -R postgres:postgres ${cfg.dataDir}
|
chown -R postgres ${cfg.dataDir}
|
||||||
fi
|
fi
|
||||||
''; # */
|
''; # */
|
||||||
|
|
||||||
@ -297,7 +324,9 @@ in
|
|||||||
''
|
''
|
||||||
# Initialise the database.
|
# Initialise the database.
|
||||||
if ! test -e ${cfg.dataDir}/PG_VERSION; then
|
if ! test -e ${cfg.dataDir}/PG_VERSION; then
|
||||||
initdb -U ${cfg.superUser}
|
initdb -U ${cfg.superUser} ${
|
||||||
|
lib.optionalString cfg.groupAccess "--allow-group-access"
|
||||||
|
}
|
||||||
# See postStart!
|
# See postStart!
|
||||||
touch "${cfg.dataDir}/.first_startup"
|
touch "${cfg.dataDir}/.first_startup"
|
||||||
fi
|
fi
|
||||||
@ -306,6 +335,7 @@ in
|
|||||||
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
|
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
|
||||||
"${cfg.dataDir}/recovery.conf"
|
"${cfg.dataDir}/recovery.conf"
|
||||||
''}
|
''}
|
||||||
|
chmod ${dirMode} "${cfg.dataDir}"
|
||||||
|
|
||||||
exec postgres
|
exec postgres
|
||||||
'';
|
'';
|
||||||
@ -365,5 +395,5 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
meta.doc = ./postgresql.xml;
|
meta.doc = ./postgresql.xml;
|
||||||
meta.maintainers = with lib.maintainers; [ thoughtpolice ];
|
meta.maintainers = with lib.maintainers; [ thoughtpolice danbst ];
|
||||||
}
|
}
|
||||||
|
|||||||
@ -69,5 +69,71 @@ let
|
|||||||
in
|
in
|
||||||
(mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // {
|
(mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // {
|
||||||
postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true;
|
postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true;
|
||||||
|
|
||||||
|
postgresql_dirmode_change =
|
||||||
|
let dataDir = "/db";
|
||||||
|
in makeTest {
|
||||||
|
name = "postgresql_dirmode_change";
|
||||||
|
meta = with pkgs.stdenv.lib.maintainers; {
|
||||||
|
maintainers = [ danbst ];
|
||||||
|
};
|
||||||
|
|
||||||
|
machine = { config, ...}:
|
||||||
|
{
|
||||||
|
services.postgresql.enable = true;
|
||||||
|
services.postgresql.package = pkgs.postgresql_11;
|
||||||
|
services.postgresql.dataDir = dataDir;
|
||||||
|
|
||||||
|
# users.groups.backup = {};
|
||||||
|
users.users.backup.isNormalUser = true;
|
||||||
|
users.users.backup.group = "wheel";
|
||||||
|
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d ${dataDir} 0750 postgres wheel -"
|
||||||
|
];
|
||||||
|
|
||||||
|
nesting.clone = [
|
||||||
|
{
|
||||||
|
services.postgresql.groupAccess = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
({ config, lib, ... }: {
|
||||||
|
services.postgresql.package = lib.mkForce pkgs.postgresql_10;
|
||||||
|
services.postgresql.dataDir = lib.mkForce (dataDir + "_10");
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d ${dataDir}_10 0750 postgres wheel -"
|
||||||
|
];
|
||||||
|
systemd.services.postgresql.postStart = lib.mkAfter ''
|
||||||
|
chmod 750 ${config.services.postgresql.dataDir}
|
||||||
|
'';
|
||||||
|
})
|
||||||
|
];
|
||||||
|
};
|
||||||
|
testScript = { nodes, ... }: let
|
||||||
|
c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
|
||||||
|
c2 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-2";
|
||||||
|
in ''
|
||||||
|
$machine->start;
|
||||||
|
$machine->waitForUnit("postgresql");
|
||||||
|
$machine->succeed("echo select 1 | sudo -u postgres psql");
|
||||||
|
|
||||||
|
# by default, mode is 0700
|
||||||
|
$machine->fail("sudo -u backup ls ${dataDir}");
|
||||||
|
|
||||||
|
$machine->succeed("${c1}/bin/switch-to-configuration test >&2");
|
||||||
|
$machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
|
||||||
|
$machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
|
||||||
|
$machine->succeed("sudo -u backup ls ${dataDir}");
|
||||||
|
|
||||||
|
# This tests a hack for PG <11: restore permissions to 0700 just before PG starts
|
||||||
|
# and put it back to 0750 after PG had started
|
||||||
|
$machine->succeed("${c2}/bin/switch-to-configuration test >&2");
|
||||||
|
$machine->succeed("systemctl restart postgresql");
|
||||||
|
$machine->waitForUnit("postgresql"); # works after restart
|
||||||
|
$machine->succeed("sudo -u backup ls ${dataDir}_10");
|
||||||
|
|
||||||
|
$machine->shutdown;
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -157,6 +157,9 @@ let
|
|||||||
cp --target-directory=$out/bin ${postgresql}/bin/{postgres,pg_config,pg_ctl}
|
cp --target-directory=$out/bin ${postgresql}/bin/{postgres,pg_config,pg_ctl}
|
||||||
wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
|
wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
passthru.version = postgresql.version;
|
||||||
|
passthru.psqlSchema = postgresql.psqlSchema;
|
||||||
};
|
};
|
||||||
|
|
||||||
in self: {
|
in self: {
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user