nixos/postgresql: support 0750 for data directory (#65245)

* nixos/postgresql: support 0750 for data directory This is rework of part of https://github.com/NixOS/nixpkgs/pull/46670. My usecase was to be able to inspect PG datadir as wheel user. PG11 now allows starting server with 0750 mask for data dir. `groupAccess = true` now does this automatically. The only thing you have to do is to set group ownership. For PG10 and below, I've described a hack how this can be done. Before this PR hack was impossible. The hack isn't ideal, because there is short period of time when dir mode is 0700, so I didn't want to make it official. Test/example is present too. * postgresql: allow changing initidb arguments via module system Closes https://github.com/NixOS/nixpkgs/issues/18829 + some cleanups * addressed review comments and some fixes * whoops * change groupAccess to tristate, to not force `chmod` on dataDir. Making mask either 0700 or 0750 is too restrictive.. * WIP * let's not support group mode for versions pre-11. The only fix is to change mode to 0700 before start, because otherwise postgresql doesn't start, and error is non-obvious.
2020-02-14 20:51:20 +02:00 · 2020-02-14 20:51:20 +02:00 · 5443eee47c
commit 5443eee47c
parent c8d53312a5 84535e0a47
2 changed files with 28 additions and 8 deletions
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -20,7 +20,9 @@ let
      listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}'
      port = ${toString cfg.port}
      ${cfg.extraConfig}
-    '';
+    ''; 
+
+  groupAccessAvailable = versionAtLeast postgresql.version "11.0";

 in

@ -88,6 +90,16 @@ in
        '';
      };

+      initdbArgs = mkOption {
+        type = with types; listOf str;
+        default = [];
+        example = [ "--data-checksums" "--allow-group-access" ];
+        description = ''
+          Additional arguments passed to <literal>initdb<literal> during data dir
+          initialisation.
+        '';
+      };
+
      initialScript = mkOption {
        type = types.nullOr types.path;
        default = null;
@ -220,7 +232,7 @@ in

  ###### implementation

-  config = mkIf config.services.postgresql.enable {
+  config = mkIf cfg.enable {

    services.postgresql.package =
      # Note: when changing the default, make it conditional on
@ -232,8 +244,9 @@ in
            else throw "postgresql_9_4 was removed, please upgrade your postgresql version.");

    services.postgresql.dataDir =
-      mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
-                 else "/var/db/postgresql");
+      mkDefault (if versionAtLeast config.system.stateVersion "17.09"
+                  then "/var/lib/postgresql/${cfg.package.psqlSchema}"
+                  else "/var/db/postgresql");

    services.postgresql.authentication = mkAfter
      ''
@ -284,7 +297,7 @@ in
          ''
            # Initialise the database.
            if ! test -e ${cfg.dataDir}/PG_VERSION; then
-              initdb -U ${cfg.superUser}
+              initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs}
              # See postStart!
              touch "${cfg.dataDir}/.first_startup"
            fi
@ -293,8 +306,12 @@ in
              ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
                "${cfg.dataDir}/recovery.conf"
            ''}
+            ${optionalString (!groupAccessAvailable) ''
+              # postgresql pre 11.0 doesn't start if state directory mode is group accessible
+              chmod 0700 "${cfg.dataDir}"
+            ''}

-             exec postgres
+            exec postgres
          '';

        serviceConfig =
@ -303,7 +320,7 @@ in
            Group = "postgres";
            PermissionsStartOnly = true;
            RuntimeDirectory = "postgresql";
-            Type = if lib.versionAtLeast cfg.package.version "9.6"
+            Type = if versionAtLeast cfg.package.version "9.6"
                   then "notify"
                   else "simple";

@ -352,5 +369,5 @@ in
  };

  meta.doc = ./postgresql.xml;
-  meta.maintainers = with lib.maintainers; [ thoughtpolice ];
+  meta.maintainers = with lib.maintainers; [ thoughtpolice danbst ];
 }
--- a/pkgs/servers/sql/postgresql/default.nix
+++ b/pkgs/servers/sql/postgresql/default.nix
@ -175,6 +175,9 @@ let
      cp --target-directory=$out/bin ${postgresql}/bin/{postgres,pg_config,pg_ctl}
      wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
    '';
+
+    passthru.version = postgresql.version;
+    passthru.psqlSchema = postgresql.psqlSchema;
  };

 in self: {