Skip to content

Commit

Permalink
nixos/postgresql: support 0750 for data directory
Browse files Browse the repository at this point in the history 
This is rework of part of NixOS#46670.
My usecase was to be able to inspect PG datadir as wheel user.

PG11 now allows starting server with 0750 mask for data dir.
`groupAccess = true` now does this automatically. The only thing you have to do
is to set group ownership.

For PG10 and below, I've described a hack how this can be done. Before this PR
hack was impossible. The hack isn't ideal, because there is short
period of time when dir mode is 0700, so I didn't want to make it official.

Test/example is present too.
  • Loading branch information
@danbst
danbst committed Jul 23, 2019
1 parent 104f8a0 commit 92a015d
Show file tree
Hide file tree
Showing 3 changed files with 104 additions and 5 deletions.
40 changes: 35 additions & 5 deletions nixos/modules/services/databases/postgresql.nix
View file
Expand Up @@ -38,6 +38,8 @@ let
${cfg.extraConfig}
'';

dirMode = if cfg.groupAccess then "0750" else "0700";

in

{
Expand Down Expand Up @@ -80,6 +82,23 @@ in
'';
};

groupAccess = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Allow read access for group (0750 mask for data directory).
Supported only for PostgreSQL 11+. PostgreSQL 10 and lower doesn't
support starting server with 0750 mask, but a workaround like
<programlisting>
systemd.services.postgresql.postStart = lib.mkAfter '''
chmod 750 ''${config.services.postgresql.dataDir}
''';
</programlisting>
may be used instead.
'';
};

authentication = mkOption {
type = types.lines;
default = "";
Expand Down Expand Up @@ -240,6 +259,14 @@ in

config = mkIf config.services.postgresql.enable {

assertions = [
{ assertion = cfg.groupAccess -> builtins.compareVersions cfg.package.version "11.0" >= 0;
message = ''
'groupAccess' is not available for PostgreSQL < 11.
'';
}
];

services.postgresql.package =
# Note: when changing the default, make it conditional on
# ‘system.stateVersion’ to maintain compatibility with existing
Expand Down Expand Up @@ -287,17 +314,19 @@ in
''
# Create data directory.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
mkdir -m 0700 -p ${cfg.dataDir}
mkdir -m ${dirMode} -p ${cfg.dataDir}
rm -f ${cfg.dataDir}/*.conf
chown -R postgres:postgres ${cfg.dataDir}
chown -R postgres ${cfg.dataDir}
fi
''; # */

script =
''
# Initialise the database.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
initdb -U ${cfg.superUser}
initdb -U ${cfg.superUser} ${
lib.optionalString cfg.groupAccess "--allow-group-access"
}
# See postStart!
touch "${cfg.dataDir}/.first_startup"
fi
Expand All @@ -306,8 +335,9 @@ in
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
''}
chmod ${dirMode} "${cfg.dataDir}"
exec postgres
exec postgres
'';

serviceConfig =
Expand Down Expand Up @@ -365,5 +395,5 @@ in
};

meta.doc = ./postgresql.xml;
meta.maintainers = with lib.maintainers; [ thoughtpolice ];
meta.maintainers = with lib.maintainers; [ thoughtpolice danbst ];
}
66 changes: 66 additions & 0 deletions nixos/tests/postgresql.nix
View file
Expand Up @@ -69,5 +69,71 @@ let
in
(mapAttrs' (name: package: { inherit name; value=make-postgresql-test name package false;}) postgresql-versions) // {
postgresql_11-backup-all = make-postgresql-test "postgresql_11-backup-all" postgresql-versions.postgresql_11 true;

postgresql_dirmode_change =
let dataDir = "/db";
in makeTest {
name = "postgresql_dirmode_change";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ danbst ];
};

machine = { config, ...}:
{
services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_11;
services.postgresql.dataDir = dataDir;

# users.groups.backup = {};
users.users.backup.isNormalUser = true;
users.users.backup.group = "wheel";

systemd.tmpfiles.rules = [
"d ${dataDir} 0750 postgres wheel -"
];

nesting.clone = [
{
services.postgresql.groupAccess = true;
}

({ config, lib, ... }: {
services.postgresql.package = lib.mkForce pkgs.postgresql_10;
services.postgresql.dataDir = lib.mkForce (dataDir + "_10");
systemd.tmpfiles.rules = [
"d ${dataDir}_10 0750 postgres wheel -"
];
systemd.services.postgresql.postStart = lib.mkAfter ''
chmod 750 ${config.services.postgresql.dataDir}
'';
})
];
};
testScript = { nodes, ... }: let
c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
c2 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-2";
in ''
$machine->start;
$machine->waitForUnit("postgresql");
$machine->succeed("echo select 1 | sudo -u postgres psql");
# by default, mode is 0700
$machine->fail("sudo -u backup ls ${dataDir}");
$machine->succeed("${c1}/bin/switch-to-configuration test >&2");
$machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
$machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
$machine->succeed("sudo -u backup ls ${dataDir}");
# This tests a hack for PG <11: restore permissions to 0700 just before PG starts
# and put it back to 0750 after PG had started
$machine->succeed("${c2}/bin/switch-to-configuration test >&2");
$machine->succeed("systemctl restart postgresql");
$machine->waitForUnit("postgresql"); # works after restart
$machine->succeed("sudo -u backup ls ${dataDir}_10");
$machine->shutdown;
'';
};
}

3 changes: 3 additions & 0 deletions pkgs/servers/sql/postgresql/default.nix
View file
Expand Up @@ -157,6 +157,9 @@ let
cp --target-directory=$out/bin ${postgresql}/bin/{postgres,pg_config,pg_ctl}
wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
'';

passthru.version = postgresql.version;
passthru.psqlSchema = postgresql.psqlSchema;
};

in self: {
Expand Down

0 comments on commit 92a015d

Please sign in to comment.