addressed review comments and some fixes

danbst 2019-07-24 23:34:21 +03:00
parent 7e4e37fff4
commit b643e0aee3
2 changed files with 15 additions and 44 deletions


@ -85,17 +85,9 @@ in
groupAccess = mkOption { groupAccess = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
example = true;
description = '' description = ''
Allow read access for group (0750 mask for data directory). Allow read access for group (0750 mask for data directory).
Supported only for PostgreSQL 11+. PostgreSQL 10 and lower doesn't Supported only for PostgreSQL 11+.
support starting server with 0750 mask, but a workaround like
<programlisting>
systemd.services.postgresql.postStart = lib.mkAfter '''
chmod 750 ''${config.services.postgresql.dataDir}
''';
</programlisting>
may be used instead.
''; '';
}; };
@ -119,11 +111,12 @@ in
''; '';
}; };
initdbFlags = mkOption { initdbArgs = mkOption {
type = with types; listOf str; type = with types; listOf str;
default = []; default = [];
example = [ "--data-checksums" ];
description = '' description = ''
Additional flags passed to <literal>initdb<literal> during data dir Additional arguments passed to <literal>initdb<literal> during data dir
initialisation. initialisation.
''; '';
}; };
@ -289,8 +282,8 @@ in
then "/var/lib/postgresql/${cfg.package.psqlSchema}" then "/var/lib/postgresql/${cfg.package.psqlSchema}"
else "/var/db/postgresql"); else "/var/db/postgresql");
services.postgresql.initdbFlags = services.postgresql.initdbArgs =
mkDefault (lib.optional cfg.groupAccess "--allow-group-access"); mkBefore (optional cfg.groupAccess "--allow-group-access");
services.postgresql.authentication = mkAfter services.postgresql.authentication = mkAfter
'' ''
@ -329,7 +322,7 @@ in
if ! test -e ${cfg.dataDir}/PG_VERSION; then if ! test -e ${cfg.dataDir}/PG_VERSION; then
mkdir -m ${dirMode} -p ${cfg.dataDir} mkdir -m ${dirMode} -p ${cfg.dataDir}
rm -f ${cfg.dataDir}/*.conf rm -f ${cfg.dataDir}/*.conf
chown -R postgres ${cfg.dataDir} chown -R postgres:postgres ${cfg.dataDir}
fi fi
''; # */ ''; # */
@ -337,7 +330,7 @@ in
'' ''
# Initialise the database. # Initialise the database.
if ! test -e ${cfg.dataDir}/PG_VERSION; then if ! test -e ${cfg.dataDir}/PG_VERSION; then
initdb -U ${cfg.superUser} ${lib.concatStringsSep " " cfg.initdbFlags} initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs}
# See postStart! # See postStart!
touch "${cfg.dataDir}/.first_startup" touch "${cfg.dataDir}/.first_startup"
fi fi
@ -346,6 +339,7 @@ in
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \ ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf" "${cfg.dataDir}/recovery.conf"
''} ''}
echo chmod ${dirMode} "${cfg.dataDir}"
chmod ${dirMode} "${cfg.dataDir}" chmod ${dirMode} "${cfg.dataDir}"
exec postgres exec postgres
@ -357,7 +351,7 @@ in
Group = "postgres"; Group = "postgres";
PermissionsStartOnly = true; PermissionsStartOnly = true;
RuntimeDirectory = "postgresql"; RuntimeDirectory = "postgresql";
Type = if lib.versionAtLeast cfg.package.version "9.6" Type = if versionAtLeast cfg.package.version "9.6"
then "notify" then "notify"
else "simple"; else "simple";
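Review bot: The added `echo chmod ${dirMode} "${cfg.dataDir}"` in the @ -346 hunk looks like a leftover debug statement; it runs on every service start and only writes the command text to the journal, so drop it and keep just the `chmod ${dirMode} "${cfg.dataDir}"` line that follows. In the @ -85 hunk the description now states that `groupAccess` is supported only for PostgreSQL 11+, but nothing visible in these hunks enforces it: with an older package `--allow-group-access` would still be passed to initdb via `initdbArgs` and the 0750 mode still applied on every start. Unless an assertion already exists elsewhere in the module, consider one such as `{ assertion = cfg.groupAccess -> versionAtLeast cfg.package.version "11"; message = "services.postgresql.groupAccess requires PostgreSQL 11 or newer"; }` (message text is a constructed example). Both the option block and the start script continue outside these hunks.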


@ -84,53 +84,30 @@ in
services.postgresql.package = pkgs.postgresql_11; services.postgresql.package = pkgs.postgresql_11;
services.postgresql.dataDir = dataDir; services.postgresql.dataDir = dataDir;
# users.groups.backup = {}; users.users.admin.isNormalUser = true;
users.users.backup.isNormalUser = true; users.users.admin.extraGroups = [ "postgres" ];
users.users.backup.group = "wheel";
systemd.tmpfiles.rules = [
"d ${dataDir} 0750 postgres wheel -"
];
nesting.clone = [ nesting.clone = [
{ {
services.postgresql.groupAccess = true; services.postgresql.groupAccess = true;
} }
({ config, lib, ... }: {
services.postgresql.package = lib.mkForce pkgs.postgresql_10;
services.postgresql.dataDir = lib.mkForce (dataDir + "_10");
systemd.tmpfiles.rules = [
"d ${dataDir}_10 0750 postgres wheel -"
];
systemd.services.postgresql.postStart = lib.mkAfter ''
chmod 750 ${config.services.postgresql.dataDir}
'';
})
]; ];
}; };
testScript = { nodes, ... }: let testScript = { nodes, ... }: let
c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1"; c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
c2 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-2";
in '' in ''
$machine->start; $machine->start;
$machine->waitForUnit("postgresql"); $machine->waitForUnit("postgresql");
$machine->succeed("echo select 1 | sudo -u postgres psql"); $machine->succeed("echo select 1 | sudo -u postgres psql");
# by default, mode is 0700 # by default, mode is 0700
$machine->fail("sudo -u backup ls ${dataDir}"); $machine->fail("sudo -u admin ls ${dataDir}");
$machine->succeed("${c1}/bin/switch-to-configuration test >&2"); $machine->succeed("${c1}/bin/switch-to-configuration test >&2");
$machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted $machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
$machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart $machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
$machine->succeed("sudo -u backup ls ${dataDir}"); $machine->succeed("sudo -u admin ls -la / >&2");
$machine->succeed("sudo -u admin ls ${dataDir}");
# This tests a hack for PG <11: restore permissions to 0700 just before PG starts
# and put it back to 0750 after PG had started
$machine->succeed("${c2}/bin/switch-to-configuration test >&2");
$machine->succeed("systemctl restart postgresql");
$machine->waitForUnit("postgresql"); # works after restart
$machine->succeed("sudo -u backup ls ${dataDir}_10");
$machine->shutdown; $machine->shutdown;
''; '';
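Review bot: The new `$machine->succeed("sudo -u admin ls -la / >&2");` line cannot fail and only dumps the root listing into the test log, so it reads as leftover debugging and should be removed, leaving the `${dataDir}` listing that follows it as the actual check. The test also verifies group access only indirectly through `ls`; asserting the directory mode directly would catch a regression where the data dir stays 0700 or becomes wider than intended, e.g. `$machine->succeed("stat -c %a ${dataDir} | grep -qx 700");` before the switch and `$machine->succeed("stat -c %a ${dataDir} | grep -qx 750");` after it. Since `admin` is now a member of `postgres`, there is no longer a user outside the group in the test, so it may be worth keeping one to confirm the listing still fails for non-members after the switch. The testScript string continues outside the hunk.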