cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

Merge pull request #287602 from Ma27/drop-postgres-ensurePermissions

Browse source 
nixos/postgresql: drop ensurePermissions option
This commit is contained in:
Maximilian Bosch 2024-03-07 19:50:44 +00:00 committed by GitHub
commit 3c8f4e06e6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 5 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
nixos/doc/manual/release-notes/rl-2405.section.md
View file

@ -129,6 +129,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
[v0.31](https://github.com/derailed/k9s/releases/tag/v0.31.0) for details. It is recommended
to back up your current configuration and let k9s recreate the new base configuration.
- The option `services.postgresql.ensureUsers._.ensurePermissions` has been removed as it's
not declarative and is broken with newer postgresql versions. Consider using
[](#opt-services.postgresql.ensureUsers._.ensureDBOwnership)
instead or a tool that's more suited for managing the data inside a postgresql database.
- `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details.
- `neo4j` has been updated to 5, you may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/)

43
nixos/modules/services/databases/postgresql.nix
View file

@ -161,33 +161,6 @@ in
'';
};
ensurePermissions = mkOption {
type = types.attrsOf types.str;
default = {};
visible = false; # This option has been deprecated.
description = lib.mdDoc ''
This option is DEPRECATED and should not be used in nixpkgs anymore,
use `ensureDBOwnership` instead. It can also break with newer
versions of PostgreSQL ( 15).
Permissions to ensure for the user, specified as an attribute set.
The attribute names specify the database and tables to grant the permissions for.
The attribute values specify the permissions to grant. You may specify one or
multiple comma-separated SQL privileges here.
For more information on how to specify the target
and on which privileges exist, see the
[GRANT syntax](https://www.postgresql.org/docs/current/sql-grant.html).
The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`.
'';
example = literalExpression ''
{
"DATABASE \"nextcloud\"" = "ALL PRIVILEGES";
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
}
'';
};
ensureDBOwnership = mkOption {
type = types.bool;
default = false;
@ -460,16 +433,6 @@ in
Offender: ${name} has not been found among databases.
'';
}) cfg.ensureUsers;
# `ensurePermissions` is now deprecated, let's avoid it.
warnings = lib.optional (any ({ ensurePermissions, ... }: ensurePermissions != {}) cfg.ensureUsers) "
`services.postgresql.ensureUsers.*.ensurePermissions` is used in your expressions,
this option is known to be broken with newer PostgreSQL versions,
consider migrating to `services.postgresql.ensureUsers.*.ensureDBOwnership` or
consult the release notes or manual for more migration guidelines.
This option will be removed in NixOS 24.05 unless it sees significant
maintenance improvements.
";
services.postgresql.settings =
{
@ -583,11 +546,6 @@ in
concatMapStrings
(user:
let
userPermissions = concatStringsSep "\n"
(mapAttrsToList
(database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '')
user.ensurePermissions
);
dbOwnershipStmt = optionalString
user.ensureDBOwnership
''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
@ -599,7 +557,6 @@ in
userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' '';
in ''
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
${userPermissions}
${userClauses}
${dbOwnershipStmt}