addressed review comments and some fixes
This commit is contained in:
parent
7e4e37fff4
commit
b643e0aee3
2 changed files with 15 additions and 44 deletions
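--- a/<FILE 1 PATH NOT SHOWN ON PAGE>
+++ b/<FILE 1 PATH NOT SHOWN ON PAGE>
@@ -85,17 +85,9 @@ in
 groupAccess = mkOption {
 type = types.bool;
 default = false;
-example = true;
 description = ''
 Allow read access for group (0750 mask for data directory).
-Supported only for PostgreSQL 11+. PostgreSQL 10 and lower doesn't
-support starting server with 0750 mask, but a workaround like
-<programlisting>
-systemd.services.postgresql.postStart = lib.mkAfter '''
-chmod 750 ''${config.services.postgresql.dataDir}
-''';
-</programlisting>
-may be used instead.
+Supported only for PostgreSQL 11+.
 '';
 };
 
@@ -119,11 +111,12 @@ in
 '';
 };
 
-initdbFlags = mkOption {
+initdbArgs = mkOption {
 type = with types; listOf str;
 default = [];
+example = [ "--data-checksums" ];
 description = ''
-Additional flags passed to <literal>initdb<literal> during data dir
+Additional arguments passed to <literal>initdb<literal> during data dir
 initialisation.
 '';
 };
@@ -289,8 +282,8 @@ in
 then "/var/lib/postgresql/${cfg.package.psqlSchema}"
 else "/var/db/postgresql");
 
-services.postgresql.initdbFlags =
-mkDefault (lib.optional cfg.groupAccess "--allow-group-access");
+services.postgresql.initdbArgs =
+mkBefore (optional cfg.groupAccess "--allow-group-access");
 
 services.postgresql.authentication = mkAfter
 ''
@@ -329,7 +322,7 @@ in
 if ! test -e ${cfg.dataDir}/PG_VERSION; then
 mkdir -m ${dirMode} -p ${cfg.dataDir}
 rm -f ${cfg.dataDir}/*.conf
-chown -R postgres ${cfg.dataDir}
+chown -R postgres:postgres ${cfg.dataDir}
 fi
 ''; # */
 
@@ -337,7 +330,7 @@ in
 ''
 # Initialise the database.
 if ! test -e ${cfg.dataDir}/PG_VERSION; then
-initdb -U ${cfg.superUser} ${lib.concatStringsSep " " cfg.initdbFlags}
+initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs}
 # See postStart!
 touch "${cfg.dataDir}/.first_startup"
 fi
@@ -346,6 +339,7 @@ in
 ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
 "${cfg.dataDir}/recovery.conf"
 ''}
+echo chmod ${dirMode} "${cfg.dataDir}"
 chmod ${dirMode} "${cfg.dataDir}"
 
 exec postgres
@@ -357,7 +351,7 @@ in
 Group = "postgres";
 PermissionsStartOnly = true;
 RuntimeDirectory = "postgresql";
-Type = if lib.versionAtLeast cfg.package.version "9.6"
+Type = if versionAtLeast cfg.package.version "9.6"
 then "notify"
 else "simple";
 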
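Review bot: The line `echo chmod ${dirMode} "${cfg.dataDir}"` added directly above the real `chmod` in the -346,6 hunk looks like leftover debugging output; it is printed to the unit's journal on every start and tests nothing, so it should be dropped. In the -119,11 hunk the rewritten description line still carries the unclosed tag `<literal>initdb<literal>`, which should read `<literal>initdb</literal>`. The option text in the first hunk now only says `Supported only for PostgreSQL 11+.`, and per the removed paragraph an older server does not start with a 0750 data directory; unless an assertion exists outside these hunks, enabling `groupAccess` with an older package would presumably fail at first service start rather than at evaluation, so consider `assertions = [ { assertion = cfg.groupAccess -> versionAtLeast cfg.package.version "11"; message = "services.postgresql.groupAccess requires PostgreSQL 11 or newer"; } ];` (constructed wording). The enclosing `config` attribute set and the shell strings of the pre-start and start scripts begin and end outside these hunks.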
@ -84,53 +84,30 @@ in
|
||||||
services.postgresql.package = pkgs.postgresql_11;
|
services.postgresql.package = pkgs.postgresql_11;
|
||||||
services.postgresql.dataDir = dataDir;
|
services.postgresql.dataDir = dataDir;
|
||||||
|
|
||||||
# users.groups.backup = {};
|
users.users.admin.isNormalUser = true;
|
||||||
users.users.backup.isNormalUser = true;
|
users.users.admin.extraGroups = [ "postgres" ];
|
||||||
users.users.backup.group = "wheel";
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d ${dataDir} 0750 postgres wheel -"
|
|
||||||
];
|
|
||||||
|
|
||||||
nesting.clone = [
|
nesting.clone = [
|
||||||
{
|
{
|
||||||
services.postgresql.groupAccess = true;
|
services.postgresql.groupAccess = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
({ config, lib, ... }: {
|
|
||||||
services.postgresql.package = lib.mkForce pkgs.postgresql_10;
|
|
||||||
services.postgresql.dataDir = lib.mkForce (dataDir + "_10");
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d ${dataDir}_10 0750 postgres wheel -"
|
|
||||||
];
|
|
||||||
systemd.services.postgresql.postStart = lib.mkAfter ''
|
|
||||||
chmod 750 ${config.services.postgresql.dataDir}
|
|
||||||
'';
|
|
||||||
})
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
testScript = { nodes, ... }: let
|
testScript = { nodes, ... }: let
|
||||||
c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
|
c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
|
||||||
c2 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-2";
|
|
||||||
in ''
|
in ''
|
||||||
$machine->start;
|
$machine->start;
|
||||||
$machine->waitForUnit("postgresql");
|
$machine->waitForUnit("postgresql");
|
||||||
$machine->succeed("echo select 1 | sudo -u postgres psql");
|
$machine->succeed("echo select 1 | sudo -u postgres psql");
|
||||||
|
|
||||||
# by default, mode is 0700
|
# by default, mode is 0700
|
||||||
$machine->fail("sudo -u backup ls ${dataDir}");
|
$machine->fail("sudo -u admin ls ${dataDir}");
|
||||||
|
|
||||||
$machine->succeed("${c1}/bin/switch-to-configuration test >&2");
|
$machine->succeed("${c1}/bin/switch-to-configuration test >&2");
|
||||||
$machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
|
$machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
|
||||||
$machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
|
$machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
|
||||||
$machine->succeed("sudo -u backup ls ${dataDir}");
|
$machine->succeed("sudo -u admin ls -la / >&2");
|
||||||
|
$machine->succeed("sudo -u admin ls ${dataDir}");
|
||||||
# This tests a hack for PG <11: restore permissions to 0700 just before PG starts
|
|
||||||
# and put it back to 0750 after PG had started
|
|
||||||
$machine->succeed("${c2}/bin/switch-to-configuration test >&2");
|
|
||||||
$machine->succeed("systemctl restart postgresql");
|
|
||||||
$machine->waitForUnit("postgresql"); # works after restart
|
|
||||||
$machine->succeed("sudo -u backup ls ${dataDir}_10");
|
|
||||||
|
|
||||||
$machine->shutdown;
|
$machine->shutdown;
|
||||||
'';
|
'';
|
||||||
|
|
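Review bot: The new check `$machine->succeed("sudo -u admin ls ${dataDir}");` in the -84,53 hunk shows that a member of the postgres group can list the data directory, but it does not verify that the mode is actually 0750, so a regression to a world-readable data directory would still pass because the only negative check is the `fail` taken before the switch while the mode is 0700. A mode assertion next to it would close that gap, e.g. `$machine->succeed("stat -c %a ${dataDir} | grep -qx 750");` (constructed line), ideally together with a `fail` from a user that is not in the postgres group. The line `$machine->succeed("sudo -u admin ls -la / >&2");` added just before it reads like debugging output and asserts nothing. With the PostgreSQL 10 clone, the `c2` configuration and the `tmpfiles` rules removed, the test appears to cover only the 11+ path, which matches the trimmed option description. The `testScript` string continues outside the hunk.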