From 92a015d35d0450708438f68466027707b18188bd Mon Sep 17 00:00:00 2001 From: danbst Date: Mon, 22 Jul 2019 02:57:16 +0300 Subject: [PATCH 1/7] nixos/postgresql: support 0750 for data directory This is rework of part of https://github.com/NixOS/nixpkgs/pull/46670. My usecase was to be able to inspect PG datadir as wheel user. PG11 now allows starting server with 0750 mask for data dir. `groupAccess = true` now does this automatically. The only thing you have to do is to set group ownership. For PG10 and below, I've described a hack how this can be done. Before this PR hack was impossible. The hack isn't ideal, because there is short period of time when dir mode is 0700, so I didn't want to make it official. Test/example is present too. --- .../modules/services/databases/postgresql.nix | 40 +++++++++-- nixos/tests/postgresql.nix | 66 +++++++++++++++++++ pkgs/servers/sql/postgresql/default.nix | 3 + 3 files changed, 104 insertions(+), 5 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index bc47e7e1e0dc..7dddebfc28dd 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -38,6 +38,8 @@ let ${cfg.extraConfig} ''; + dirMode = if cfg.groupAccess then "0750" else "0700"; + in { @@ -80,6 +82,23 @@ in ''; }; + groupAccess = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Allow read access for group (0750 mask for data directory). + Supported only for PostgreSQL 11+. PostgreSQL 10 and lower doesn't + support starting server with 0750 mask, but a workaround like + + systemd.services.postgresql.postStart = lib.mkAfter ''' + chmod 750 ''${config.services.postgresql.dataDir} + '''; + + may be used instead. + ''; + }; + authentication = mkOption { type = types.lines; default = ""; 
@@ -240,6 +259,14 @@ in config = mkIf config.services.postgresql.enable { + assertions = [ + { assertion = cfg.groupAccess -> builtins.compareVersions cfg.package.version "11.0" >= 0; + message = '' + 'groupAccess' is not available for PostgreSQL < 11. + ''; + } + ]; + services.postgresql.package = # Note: when changing the default, make it conditional on # ‘system.stateVersion’ to maintain compatibility with existing @@ -287,9 +314,9 @@ in '' # Create data directory. if ! test -e ${cfg.dataDir}/PG_VERSION; then - mkdir -m 0700 -p ${cfg.dataDir} + mkdir -m ${dirMode} -p ${cfg.dataDir} rm -f ${cfg.dataDir}/*.conf - chown -R postgres:postgres ${cfg.dataDir} + chown -R postgres ${cfg.dataDir} fi ''; # */ @@ -297,7 +324,9 @@ in '' # Initialise the database. if ! test -e ${cfg.dataDir}/PG_VERSION; then - initdb -U ${cfg.superUser} + initdb -U ${cfg.superUser} ${ + lib.optionalString cfg.groupAccess "--allow-group-access" + } # See postStart! touch "${cfg.dataDir}/.first_startup" fi @@ -306,8 +335,9 @@ in ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \ "${cfg.dataDir}/recovery.conf" ''} + chmod ${dirMode} "${cfg.dataDir}" - exec postgres + exec postgres ''; serviceConfig = @@ -365,5 +395,5 @@ in }; meta.doc = ./postgresql.xml; - meta.maintainers = with lib.maintainers; [ thoughtpolice ]; + meta.maintainers = with lib.maintainers; [ thoughtpolice danbst ]; } diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix index ae5d6d095ea2..81ec4d698b66 100644 --- a/nixos/tests/postgresql.nix +++ b/nixos/tests/postgresql.nix 
@@ -69,5 +69,71 @@ let in (mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // { postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true; + + postgresql_dirmode_change = + let dataDir = "/db"; + in makeTest { + name = "postgresql_dirmode_change"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ danbst ]; + }; + + machine = { config, ...}: + { + services.postgresql.enable = true; + services.postgresql.package = pkgs.postgresql_11; + services.postgresql.dataDir = dataDir; + + # users.groups.backup = {}; + users.users.backup.isNormalUser = true; + users.users.backup.group = "wheel"; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0750 postgres wheel -" + ]; + + nesting.clone = [ + { + services.postgresql.groupAccess = true; + } + + ({ config, lib, ... }: { + services.postgresql.package = lib.mkForce pkgs.postgresql_10; + services.postgresql.dataDir = lib.mkForce (dataDir + "_10"); + systemd.tmpfiles.rules = [ + "d ${dataDir}_10 0750 postgres wheel -" + ]; + systemd.services.postgresql.postStart = lib.mkAfter '' + chmod 750 ${config.services.postgresql.dataDir} + ''; + }) + ]; + }; + testScript = { nodes, ... 
}: let + c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1"; + c2 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-2"; + in '' + $machine->start; + $machine->waitForUnit("postgresql"); + $machine->succeed("echo select 1 | sudo -u postgres psql"); + + # by default, mode is 0700 + $machine->fail("sudo -u backup ls ${dataDir}"); + + $machine->succeed("${c1}/bin/switch-to-configuration test >&2"); + $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted + $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart + $machine->succeed("sudo -u backup ls ${dataDir}"); + + # This tests a hack for PG <11: restore permissions to 0700 just before PG starts + # and put it back to 0750 after PG had started + $machine->succeed("${c2}/bin/switch-to-configuration test >&2"); + $machine->succeed("systemctl restart postgresql"); + $machine->waitForUnit("postgresql"); # works after restart + $machine->succeed("sudo -u backup ls ${dataDir}_10"); + + $machine->shutdown; + ''; + }; } diff --git a/pkgs/servers/sql/postgresql/default.nix b/pkgs/servers/sql/postgresql/default.nix index 440ee15a5180..e2703a549d3b 100644 --- a/pkgs/servers/sql/postgresql/default.nix +++ b/pkgs/servers/sql/postgresql/default.nix @@ -157,6 +157,9 @@ let cp --target-directory=$out/bin ${postgresql}/bin/{postgres,pg_config,pg_ctl} wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib ''; + + passthru.version = postgresql.version; + passthru.psqlSchema = postgresql.psqlSchema; }; in self: { From 7e4e37fff4cd97cc7fed26c9e1060761ed1379a7 Mon Sep 17 00:00:00 2001 From: danbst Date: Tue, 23 Jul 2019 21:53:59 +0300 Subject: [PATCH 2/7] postgresql: allow changing initidb arguments via module system Closes https://github.com/NixOS/nixpkgs/issues/18829 + some cleanups --- .../modules/services/databases/postgresql.nix | 25 +++++++++++++------ 1 file changed, 18 insertions(+), 7 deletions(-) 
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 7dddebfc28dd..b89f4a57253a 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -119,6 +119,15 @@ in ''; }; + initdbFlags = mkOption { + type = with types; listOf str; + default = []; + description = '' + Additional flags passed to initdb during data dir + initialisation. + ''; + }; + initialScript = mkOption { type = types.nullOr types.path; default = null; @@ -257,10 +266,10 @@ in ###### implementation - config = mkIf config.services.postgresql.enable { + config = mkIf cfg.enable { assertions = [ - { assertion = cfg.groupAccess -> builtins.compareVersions cfg.package.version "11.0" >= 0; + { assertion = cfg.groupAccess -> versionAtLeast cfg.package.version "11.0"; message = '' 'groupAccess' is not available for PostgreSQL < 11. ''; @@ -276,8 +285,12 @@ in else pkgs.postgresql_9_4); services.postgresql.dataDir = - mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}" - else "/var/db/postgresql"); + mkDefault (if versionAtLeast config.system.stateVersion "17.09" + then "/var/lib/postgresql/${cfg.package.psqlSchema}" + else "/var/db/postgresql"); + + services.postgresql.initdbFlags = + mkDefault (lib.optional cfg.groupAccess "--allow-group-access"); services.postgresql.authentication = mkAfter '' @@ -324,9 +337,7 @@ in '' # Initialise the database. if ! test -e ${cfg.dataDir}/PG_VERSION; then - initdb -U ${cfg.superUser} ${ - lib.optionalString cfg.groupAccess "--allow-group-access" - } + initdb -U ${cfg.superUser} ${lib.concatStringsSep " " cfg.initdbFlags} # See postStart! touch "${cfg.dataDir}/.first_startup" fi From b643e0aee32a1c12ee48da3d62895e4f8f77af79 Mon Sep 17 00:00:00 2001 
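Review bot: `initdb -U ${cfg.superUser} ${lib.concatStringsSep " " cfg.initdbFlags}` joins the list with spaces and interpolates it unquoted into the start script, so an element containing whitespace, quotes or glob characters is re-split or expanded by the shell instead of reaching initdb as one argument. nixpkgs' `lib.escapeShellArgs` is meant for this: `initdb -U ${cfg.superUser} ${lib.escapeShellArgs cfg.initdbFlags}` keeps each list element a single argv entry and makes the listOf str type actually mean "one argument per element". The option description should also say that these flags are consumed only while `${cfg.dataDir}/PG_VERSION` does not exist, i.e. on the first initialisation, so changing them later has no effect on an existing cluster; something like `Only used when the data directory is first initialised; has no effect on an existing cluster.` The script that contains the initdb call starts and ends outside the hunk.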
From: danbst Date: Wed, 24 Jul 2019 23:34:21 +0300 Subject: [PATCH 3/7] addressed review comments and some fixes --- .../modules/services/databases/postgresql.nix | 26 ++++++--------- nixos/tests/postgresql.nix | 33 +++---------------- 2 files changed, 15 insertions(+), 44 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index b89f4a57253a..eb1ac6bcb307 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -85,17 +85,9 @@ in groupAccess = mkOption { type = types.bool; default = false; - example = true; description = '' Allow read access for group (0750 mask for data directory). - Supported only for PostgreSQL 11+. PostgreSQL 10 and lower doesn't - support starting server with 0750 mask, but a workaround like - - systemd.services.postgresql.postStart = lib.mkAfter ''' - chmod 750 ''${config.services.postgresql.dataDir} - '''; - - may be used instead. + Supported only for PostgreSQL 11+. ''; }; @@ -119,11 +111,12 @@ in ''; }; - initdbFlags = mkOption { + initdbArgs = mkOption { type = with types; listOf str; default = []; + example = [ "--data-checksums" ]; description = '' - Additional flags passed to initdb during data dir + Additional arguments passed to initdb during data dir initialisation. ''; }; @@ -289,8 +282,8 @@ in then "/var/lib/postgresql/${cfg.package.psqlSchema}" else "/var/db/postgresql"); - services.postgresql.initdbFlags = - mkDefault (lib.optional cfg.groupAccess "--allow-group-access"); + services.postgresql.initdbArgs = + mkBefore (optional cfg.groupAccess "--allow-group-access"); services.postgresql.authentication = mkAfter '' @@ -329,7 +322,7 @@ in if ! test -e ${cfg.dataDir}/PG_VERSION; then mkdir -m ${dirMode} -p ${cfg.dataDir} rm -f ${cfg.dataDir}/*.conf - chown -R postgres ${cfg.dataDir} + chown -R postgres:postgres ${cfg.dataDir} fi ''; # */ 
@@ -337,7 +330,7 @@ in '' # Initialise the database. if ! test -e ${cfg.dataDir}/PG_VERSION; then - initdb -U ${cfg.superUser} ${lib.concatStringsSep " " cfg.initdbFlags} + initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs} # See postStart! touch "${cfg.dataDir}/.first_startup" fi @@ -346,6 +339,7 @@ in ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \ "${cfg.dataDir}/recovery.conf" ''} + echo chmod ${dirMode} "${cfg.dataDir}" chmod ${dirMode} "${cfg.dataDir}" exec postgres @@ -357,7 +351,7 @@ in Group = "postgres"; PermissionsStartOnly = true; RuntimeDirectory = "postgresql"; - Type = if lib.versionAtLeast cfg.package.version "9.6" + Type = if versionAtLeast cfg.package.version "9.6" then "notify" else "simple"; diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix index 81ec4d698b66..433a64e9fab8 100644 --- a/nixos/tests/postgresql.nix +++ b/nixos/tests/postgresql.nix 
@@ -84,53 +84,30 @@ in services.postgresql.package = pkgs.postgresql_11; services.postgresql.dataDir = dataDir; - # users.groups.backup = {}; - users.users.backup.isNormalUser = true; - users.users.backup.group = "wheel"; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0750 postgres wheel -" - ]; + users.users.admin.isNormalUser = true; + users.users.admin.extraGroups = [ "postgres" ]; nesting.clone = [ { services.postgresql.groupAccess = true; } - - ({ config, lib, ... }: { - services.postgresql.package = lib.mkForce pkgs.postgresql_10; - services.postgresql.dataDir = lib.mkForce (dataDir + "_10"); - systemd.tmpfiles.rules = [ - "d ${dataDir}_10 0750 postgres wheel -" - ]; - systemd.services.postgresql.postStart = lib.mkAfter '' - chmod 750 ${config.services.postgresql.dataDir} - ''; - }) ]; }; testScript = { nodes, ... }: let c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1"; - c2 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-2"; in '' $machine->start; $machine->waitForUnit("postgresql"); $machine->succeed("echo select 1 | sudo -u postgres psql"); # by default, mode is 0700 - $machine->fail("sudo -u backup ls ${dataDir}"); + $machine->fail("sudo -u admin ls ${dataDir}"); $machine->succeed("${c1}/bin/switch-to-configuration test >&2"); $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart - $machine->succeed("sudo -u backup ls ${dataDir}"); - - # This tests a hack for PG <11: restore permissions to 0700 just before PG starts - # and put it back to 0750 after PG had started - $machine->succeed("${c2}/bin/switch-to-configuration test >&2"); - $machine->succeed("systemctl restart postgresql"); - $machine->waitForUnit("postgresql"); # works after restart - $machine->succeed("sudo -u backup ls ${dataDir}_10"); + $machine->succeed("sudo -u admin ls -la / >&2"); + $machine->succeed("sudo -u admin ls ${dataDir}"); 
$machine->shutdown; ''; From e54ad9812bf4f91782cde477f405e015ee5cbdbc Mon Sep 17 00:00:00 2001 From: danbst Date: Thu, 25 Jul 2019 00:17:01 +0300 Subject: [PATCH 4/7] whoops --- nixos/modules/services/databases/postgresql.nix | 1 - nixos/tests/postgresql.nix | 1 - 2 files changed, 2 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index eb1ac6bcb307..510e8f17133b 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -339,7 +339,6 @@ in ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \ "${cfg.dataDir}/recovery.conf" ''} - echo chmod ${dirMode} "${cfg.dataDir}" chmod ${dirMode} "${cfg.dataDir}" exec postgres diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix index 433a64e9fab8..a787d0f5976a 100644 --- a/nixos/tests/postgresql.nix +++ b/nixos/tests/postgresql.nix @@ -106,7 +106,6 @@ in $machine->succeed("${c1}/bin/switch-to-configuration test >&2"); $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart - $machine->succeed("sudo -u admin ls -la / >&2"); $machine->succeed("sudo -u admin ls ${dataDir}"); $machine->shutdown; From 363ba3f40371f5c016aecf07bf62f3a33f755f29 Mon Sep 17 00:00:00 2001 From: danbst Date: Thu, 25 Jul 2019 01:00:26 +0300 Subject: [PATCH 5/7] change groupAccess to tristate, to not force `chmod` on dataDir. Making mask either 0700 or 0750 is too restrictive.. --- .../modules/services/databases/postgresql.nix | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 510e8f17133b..4b3693d689c9 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix 
@@ -38,7 +38,7 @@ let ${cfg.extraConfig} ''; - dirMode = if cfg.groupAccess then "0750" else "0700"; + dirMode = if cfg.groupAccess == true then "0750" else "0700"; in @@ -83,11 +83,14 @@ in }; groupAccess = mkOption { - type = types.bool; - default = false; + type = with types; nullOr bool; + default = null; description = '' - Allow read access for group (0750 mask for data directory). + When true, allow read access for group (0750 mask for data directory). Supported only for PostgreSQL 11+. + + When false, force a restrictive 0700 mask on data directory, so + PostgreSQL won't fail due to too permissive mask. ''; }; @@ -262,7 +265,7 @@ in config = mkIf cfg.enable { assertions = [ - { assertion = cfg.groupAccess -> versionAtLeast cfg.package.version "11.0"; + { assertion = cfg.groupAccess == true -> versionAtLeast cfg.package.version "11.0"; message = '' 'groupAccess' is not available for PostgreSQL < 11. ''; @@ -283,7 +286,7 @@ in else "/var/db/postgresql"); services.postgresql.initdbArgs = - mkBefore (optional cfg.groupAccess "--allow-group-access"); + mkBefore (optional (cfg.groupAccess == true) "--allow-group-access"); services.postgresql.authentication = mkAfter '' @@ -339,7 +342,9 @@ in ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \ "${cfg.dataDir}/recovery.conf" ''} - chmod ${dirMode} "${cfg.dataDir}" + ${optionalString (cfg.groupAccess != null) '' + chmod ${dirMode} "${cfg.dataDir}" + ''} exec postgres ''; From d9ff157ee44d978aebed6f6a9c7d4de05d5576ad Mon Sep 17 00:00:00 2001 From: danbst Date: Tue, 13 Aug 2019 09:17:50 +0300 Subject: [PATCH 6/7] WIP --- nixos/tests/postgresql.nix | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix index a787d0f5976a..a6120c9c5d34 100644 --- a/nixos/tests/postgresql.nix +++ b/nixos/tests/postgresql.nix 
@@ -78,10 +78,10 @@ in maintainers = [ danbst ]; }; - machine = { config, ...}: + machine = { config, lib, ...}: { services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql_11; + services.postgresql.package = pkgs.postgresql_10; services.postgresql.dataDir = dataDir; users.users.admin.isNormalUser = true; @@ -89,7 +89,13 @@ in nesting.clone = [ { - services.postgresql.groupAccess = true; + systemd.services.postgresql.preStart = lib.mkAfter '' + chmod 0700 ${dataDir} + ''; + systemd.services.postgresql.postStart = lib.mkAfter '' + chmod -R 750 ${dataDir} + ${pkgs.acl}/bin/setfacl -d -m g::r-x ${dataDir} + ''; } ]; }; @@ -105,6 +111,9 @@ in $machine->succeed("${c1}/bin/switch-to-configuration test >&2"); $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted + $machine->succeed("systemctl restart postgresql"); # but we have to be sure + # manual restart works too + $machine->waitForUnit("postgresql"); $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart $machine->succeed("sudo -u admin ls ${dataDir}"); From 84535e0a47bf97d6d7ea6ea3764d45baab93fde9 Mon Sep 17 00:00:00 2001 From: danbst Date: Fri, 14 Feb 2020 19:16:34 +0200 Subject: [PATCH 7/7] let's not support group mode for versions pre-11. The only fix is to change mode to 0700 before start, because otherwise postgresql doesn't start, and error is non-obvious. --- .../modules/services/databases/postgresql.nix | 36 +++---------- nixos/tests/postgresql.nix | 51 ------------------- 2 files changed, 7 insertions(+), 80 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 8bbbf2d31fc7..f656e236b369 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix 
@@ -20,9 +20,9 @@ let listen_addresses = '${if cfg.enableTCPIP then "*" else "localhost"}' port = ${toString cfg.port} ${cfg.extraConfig} - ''; + ''; - dirMode = if cfg.groupAccess == true then "0750" else "0700"; + groupAccessAvailable = versionAtLeast postgresql.version "11.0"; in @@ -66,18 +66,6 @@ in ''; }; - groupAccess = mkOption { - type = with types; nullOr bool; - default = null; - description = '' - When true, allow read access for group (0750 mask for data directory). - Supported only for PostgreSQL 11+. - - When false, force a restrictive 0700 mask on data directory, so - PostgreSQL won't fail due to too permissive mask. - ''; - }; - authentication = mkOption { type = types.lines; default = ""; @@ -105,7 +93,7 @@ in initdbArgs = mkOption { type = with types; listOf str; default = []; - example = [ "--data-checksums" ]; + example = [ "--data-checksums" "--allow-group-access" ]; description = '' Additional arguments passed to initdb during data dir initialisation. @@ -246,14 +234,6 @@ in config = mkIf cfg.enable { - assertions = [ - { assertion = cfg.groupAccess == true -> versionAtLeast cfg.package.version "11.0"; - message = '' - 'groupAccess' is not available for PostgreSQL < 11. - ''; - } - ]; - services.postgresql.package = # Note: when changing the default, make it conditional on # ‘system.stateVersion’ to maintain compatibility with existing @@ -268,9 +248,6 @@ in then "/var/lib/postgresql/${cfg.package.psqlSchema}" else "/var/db/postgresql"); - services.postgresql.initdbArgs = - mkBefore (optional (cfg.groupAccess == true) "--allow-group-access"); - services.postgresql.authentication = mkAfter '' # Generated file; do not edit! @@ -310,7 +287,7 @@ in '' # Create data directory. if ! test -e ${cfg.dataDir}/PG_VERSION; then - mkdir -m ${dirMode} -p ${cfg.dataDir} + mkdir -m 0700 -p ${cfg.dataDir} rm -f ${cfg.dataDir}/*.conf chown -R postgres:postgres ${cfg.dataDir} fi 
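Review bot: The new `initdbArgs` example advertises `--allow-group-access` without saying what it grants: after preStart's `chown -R postgres:postgres` the cluster's group is `postgres`, so group access lets every member of that group read every file under `dataDir` (table files, WAL, `pg_hba.conf`) regardless of SQL-level privileges, and that is worth spelling out next to the example. Removing the `groupAccess` option also drops the version assertion it carried; per that removed message the flag is unavailable before 11, so on an older package the first start would presumably fail inside initdb with an unknown-option error instead of a clear evaluation-time assertion. I would extend the description to: `Additional arguments passed to initdb when the data directory is first initialised (no effect on an existing cluster). --allow-group-access (PostgreSQL 11+) makes the whole data directory readable by members of the postgres group.` Note that `groupAccessAvailable` reads `postgresql.version` where the removed assertion read `cfg.package.version`; the `postgresql` let-binding is outside the hunk, so whether the two always agree cannot be checked here.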
@@ -329,8 +306,9 @@ in ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \ "${cfg.dataDir}/recovery.conf" ''} - ${optionalString (cfg.groupAccess != null) '' - chmod ${dirMode} "${cfg.dataDir}" + ${optionalString (!groupAccessAvailable) '' + # postgresql pre 11.0 doesn't start if state directory mode is group accessible + chmod 0700 "${cfg.dataDir}" ''} exec postgres diff --git a/nixos/tests/postgresql.nix b/nixos/tests/postgresql.nix index c36ce046efcd..3201e22555ea 100644 --- a/nixos/tests/postgresql.nix +++ b/nixos/tests/postgresql.nix 
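Review bot: The pre-11 branch forces 0700 on every start, but for 11+ the script now leaves the mode untouched even though, as far as I recall, PostgreSQL 11 itself accepts only 0700 or 0750 on the data directory, so a directory pre-created with e.g. 0755 or 0770 (a tmpfiles rule, a restore from backup) still dies at `exec postgres` with the same non-obvious error this commit wants to avoid for older versions. A permission-only tightening keeps both cases self-healing without ever granting group access that was not already there: `${if groupAccessAvailable then ''chmod g-w,o-rwx "${cfg.dataDir}"'' else ''chmod 0700 "${cfg.dataDir}"''}` — `g-w,o-rwx` turns 0755/0770 into 0750 and leaves 0700 and 0750 as they are. Either way the chmod runs as the service user, so it fails and aborts the start when the directory is not owned by postgres; a comment such as `# runs as the postgres user: fails if dataDir is not owned by it` would save the next person a journalctl session. The start script begins outside the hunk.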
@@ -86,56 +86,5 @@ let in (mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // { postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true; - - postgresql_dirmode_change = - let dataDir = "/db"; - in makeTest { - name = "postgresql_dirmode_change"; - meta = with pkgs.stdenv.lib.maintainers; { - maintainers = [ danbst ]; - }; - - machine = { config, lib, ...}: - { - services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql_10; - services.postgresql.dataDir = dataDir; - - users.users.admin.isNormalUser = true; - users.users.admin.extraGroups = [ "postgres" ]; - - nesting.clone = [ - { - systemd.services.postgresql.preStart = lib.mkAfter '' - chmod 0700 ${dataDir} - ''; - systemd.services.postgresql.postStart = lib.mkAfter '' - chmod -R 750 ${dataDir} - ${pkgs.acl}/bin/setfacl -d -m g::r-x ${dataDir} - ''; - } - ]; - }; - testScript = { nodes, ... }: let - c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1"; - in '' - $machine->start; - $machine->waitForUnit("postgresql"); - $machine->succeed("echo select 1 | sudo -u postgres psql"); - - # by default, mode is 0700 - $machine->fail("sudo -u admin ls ${dataDir}"); - - $machine->succeed("${c1}/bin/switch-to-configuration test >&2"); - $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted - $machine->succeed("systemctl restart postgresql"); # but we have to be sure - # manual restart works too - $machine->waitForUnit("postgresql"); - $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart - $machine->succeed("sudo -u admin ls ${dataDir}"); - - $machine->shutdown; - ''; - }; }