nixos/postgresql: run ExecStartPost as an unprivileged user
parent
edd758839c
commit
ec82ae3c39
@ -666,11 +666,19 @@ services.dokuwiki."mywiki" = {
|
||||
<listitem>
|
||||
<para>
|
||||
The <xref linkend="opt-services.postgresql.dataDir"/> option is now set to <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> regardless of your
|
||||
<xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.09</literal> or below
|
||||
<xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below
|
||||
should double check what the value of their <xref linkend="opt-services.postgresql.dataDir"/> option is (<literal>/var/db/postgresql</literal>) and then explicitly
|
||||
set this value to maintain compatibility:
|
||||
<programlisting>
|
||||
services.postgresql.dataDir = "/var/db/postgresql";
|
||||
</programlisting>
|
||||
</para>
|
||||
<para>
|
||||
The postgresql module now expects there to be a database super user account called <literal>postgres</literal> regardless of your <xref linkend="opt-system.stateVersion"/>. Users
|
||||
with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below should run the following SQL statements as a
|
||||
database super admin user before upgrading:
|
||||
<programlisting>
|
||||
CREATE ROLE postgres LOGIN SUPERUSER;
|
||||
</programlisting>
|
||||
</para>
|
||||
</listitem>
|
||||
|
@ -225,14 +225,15 @@ in
|
||||
Contents of the <filename>recovery.conf</filename> file.
|
||||
'';
|
||||
};
|
||||
|
||||
superUser = mkOption {
|
||||
type = types.str;
|
||||
default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
|
||||
default = "postgres";
|
||||
internal = true;
|
||||
readOnly = true;
|
||||
description = ''
|
||||
NixOS traditionally used 'root' as superuser, most other distros use 'postgres'.
|
||||
From 17.09 we also try to follow this standard. Internal since changing this value
|
||||
would lead to breakage while setting up databases.
|
||||
PostgreSQL superuser account to use for various operations. Internal since changing
|
||||
this value would lead to breakage while setting up databases.
|
||||
'';
|
||||
};
|
||||
};
|
||||
@ -336,7 +337,7 @@ in
|
||||
setupScript = pkgs.writeScript "postgresql-setup" (''
|
||||
#!${pkgs.runtimeShell} -e
|
||||
|
||||
PSQL="${pkgs.utillinux}/bin/runuser -u ${cfg.superUser} -- psql --port=${toString cfg.port}"
|
||||
PSQL="psql --port=${toString cfg.port}"
|
||||
|
||||
while ! $PSQL -d postgres -c "" 2> /dev/null; do
|
||||
if ! kill -0 "$MAINPID"; then exit 1; fi
|
||||
@ -362,7 +363,7 @@ in
|
||||
'') cfg.ensureUsers}
|
||||
'');
|
||||
in
|
||||
"+${setupScript}";
|
||||
"${setupScript}";
|
||||
}
|
||||
(mkIf (cfg.dataDir == "/var/lib/postgresql/${cfg.package.psqlSchema}") {
|
||||
StateDirectory = "postgresql postgresql/${cfg.package.psqlSchema}";
|
||||
|
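Review bot: In the setup-script hunk, the readiness loop `while ! $PSQL -d postgres -c "" 2> /dev/null` now runs plain `psql` as whatever user the unit runs under, so on a cluster that lacks the `postgres` role (the migration case the release note describes) every iteration fails authentication with stderr discarded, which looks the same as the server still starting. Waiting with `pg_isready --port=${toString cfg.port} -q` instead, and leaving the first real `$PSQL` call to fail under `-e` with its error visible, would turn a silent wait into a logged failure. The unit's `User=` is not visible in these hunks, so the assumption that it matches `cfg.superUser` is inferred; a short comment at `PSQL=` stating that peer authentication as the service user is relied on would document it. The loop body continues outside the hunk.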