nixpkgs/nixos/modules/services/databases
aszlig ef553788d0
postgresql: Move socket dir to /run/postgresql

The default, which is /tmp, has a few issues associated with it:

One being that it makes it easy for users on the system to spoof a
PostgreSQL server if it's not running, causing applications to connect
to their provided sockets instead of just failing to connect.

Another one is that it makes sandboxing of PostgreSQL and other services
unnecessarily difficult. This is already the case if only PrivateTmp is
used in a systemd service, so in order for such a service to be able to
connect to PostgreSQL, a bind mount needs to be done from /tmp to some
other path, so the service can access it. This pretty much defeats the
whole purpose of PrivateTmp.

We regularly run into issues with this in the past already (one example
would be https://github.com/NixOS/nixpkgs/pull/24317) and with the new
systemd-confinement mode upcoming in
https://github.com/NixOS/nixpkgs/pull/57519, it makes it even more
tedious to sandbox services.

I've tested this change against all the postgresql NixOS VM tests and
they still succeed and I also grepped through the source tree to replace
other occasions where we might have /tmp hardcoded. Luckily there were
very few occasions.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @ocharles, @thoughtpolice, @danbst
2019-03-15 04:52:35 +01:00
4store-endpoint.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
4store.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
aerospike.nix aerospike: Disables build on aarch64 2018-12-10 14:55:19 -05:00
cassandra.nix cassandra: add option to configure logging 2018-12-05 15:17:37 +01:00
clickhouse.nix clickhouse: fix module and package runtime 2018-12-20 13:03:41 +01:00
cockroachdb.nix nixos/cockroachdb: simplify dataDir management, tweaks 2018-12-04 19:44:16 -06:00
couchdb.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
firebird.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
foundationdb.nix nixos/manual: fix inclusion of FoundationDB documentation 2018-07-30 18:30:40 -05:00
foundationdb.xml docs: format 2018-09-29 20:51:11 -04:00
hbase.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
influxdb.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
memcached.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
monetdb.nix nixos/monetdb: init (#39812) 2018-05-01 16:44:12 +02:00
mongodb.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
mysql.nix Merge pull request #54475 from Izorkin/mysql-restartTrigger 2019-01-29 19:54:24 +01:00
neo4j.nix nixos/neo4j: Update module, make compatible with neo4j 3.4 2018-07-12 19:28:40 -07:00
openldap.nix nixos/openldap: Fix quoting of log level 2019-03-07 14:19:50 +01:00
opentsdb.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
pgmanage.nix pgmanage: remove deprecated postage alias 2018-06-23 13:32:13 +02:00
postgresql.nix postgresql: Move socket dir to /run/postgresql 2019-03-15 04:52:35 +01:00
postgresql.xml postgresql*: use underscores in version numbers 2018-10-30 14:32:21 +00:00
redis.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
rethinkdb.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
riak-cs.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
riak.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
stanchion.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
virtuoso.nix nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00