btcpayserver: fix PostgreSQL 15 user permissions

Since PostgreSQL 15, DB users need to be DB owners to be able to create tables. We can't use the new `ensureDBOwnerhip` NixOS option [1] to set this up, because it requires the PostgreSQL user name and the database name to be identical, which is not the case for btcpayserver. Instead, we manually issue a PostgreSQL admin statement similar to the one used by `ensureDBOwnerhip`. This method of setting up the user is also compatible with older PostgreSQL versions that come with older NixOS `system.stateVersion`s. [1] NixOS/nixpkgs#266270
erikarvstedt · Dec 2, 2023 · 1aad9b8 · 1aad9b8
1 parent 741cdd7
commit 1aad9b8
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
@@ -138,16 +138,16 @@ in {
       enable = true;
       ensureDatabases = [ "btcpaydb" "nbxplorer" ];
       ensureUsers = [
-        {
-          name = cfg.btcpayserver.user;
-          ensurePermissions."DATABASE btcpaydb" = "ALL PRIVILEGES";
-        }
-        {
-          name = cfg.nbxplorer.user;
-          ensurePermissions."DATABASE nbxplorer" = "ALL PRIVILEGES";
-        }
+        { name = cfg.btcpayserver.user; }
+        { name = cfg.nbxplorer.user; }
       ];
     };
+    systemd.services.postgresql.postStart = lib.mkAfter ''
+      $PSQL -tAc '
+        ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
+        ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
+      '
+    '';
 
     systemd.tmpfiles.rules = [
       "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"