addressed review comments and some fixes

This commit is contained in:
danbst 2019-07-24 23:34:21 +03:00
parent 7e4e37fff4
commit b643e0aee3
2 changed files with 15 additions and 44 deletions

View file

@ -85,17 +85,9 @@ in
groupAccess = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Allow read access for group (0750 mask for data directory).
Supported only for PostgreSQL 11+. PostgreSQL 10 and lower doesn't
support starting server with 0750 mask, but a workaround like
<programlisting>
systemd.services.postgresql.postStart = lib.mkAfter '''
chmod 750 ''${config.services.postgresql.dataDir}
''';
</programlisting>
may be used instead.
Supported only for PostgreSQL 11+.
'';
};
@ -119,11 +111,12 @@ in
'';
};
initdbFlags = mkOption {
initdbArgs = mkOption {
type = with types; listOf str;
default = [];
example = [ "--data-checksums" ];
description = ''
Additional flags passed to <literal>initdb<literal> during data dir
Additional arguments passed to <literal>initdb<literal> during data dir
initialisation.
'';
};
@ -289,8 +282,8 @@ in
then "/var/lib/postgresql/${cfg.package.psqlSchema}"
else "/var/db/postgresql");
services.postgresql.initdbFlags =
mkDefault (lib.optional cfg.groupAccess "--allow-group-access");
services.postgresql.initdbArgs =
mkBefore (optional cfg.groupAccess "--allow-group-access");
services.postgresql.authentication = mkAfter
''
@ -329,7 +322,7 @@ in
if ! test -e ${cfg.dataDir}/PG_VERSION; then
mkdir -m ${dirMode} -p ${cfg.dataDir}
rm -f ${cfg.dataDir}/*.conf
chown -R postgres ${cfg.dataDir}
chown -R postgres:postgres ${cfg.dataDir}
fi
''; # */
@ -337,7 +330,7 @@ in
''
# Initialise the database.
if ! test -e ${cfg.dataDir}/PG_VERSION; then
initdb -U ${cfg.superUser} ${lib.concatStringsSep " " cfg.initdbFlags}
initdb -U ${cfg.superUser} ${concatStringsSep " " cfg.initdbArgs}
# See postStart!
touch "${cfg.dataDir}/.first_startup"
fi
@ -346,6 +339,7 @@ in
ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
"${cfg.dataDir}/recovery.conf"
''}
echo chmod ${dirMode} "${cfg.dataDir}"
chmod ${dirMode} "${cfg.dataDir}"
exec postgres
@ -357,7 +351,7 @@ in
Group = "postgres";
PermissionsStartOnly = true;
RuntimeDirectory = "postgresql";
Type = if lib.versionAtLeast cfg.package.version "9.6"
Type = if versionAtLeast cfg.package.version "9.6"
then "notify"
else "simple";

View file

@ -84,53 +84,30 @@ in
services.postgresql.package = pkgs.postgresql_11;
services.postgresql.dataDir = dataDir;
# users.groups.backup = {};
users.users.backup.isNormalUser = true;
users.users.backup.group = "wheel";
systemd.tmpfiles.rules = [
"d ${dataDir} 0750 postgres wheel -"
];
users.users.admin.isNormalUser = true;
users.users.admin.extraGroups = [ "postgres" ];
nesting.clone = [
{
services.postgresql.groupAccess = true;
}
({ config, lib, ... }: {
services.postgresql.package = lib.mkForce pkgs.postgresql_10;
services.postgresql.dataDir = lib.mkForce (dataDir + "_10");
systemd.tmpfiles.rules = [
"d ${dataDir}_10 0750 postgres wheel -"
];
systemd.services.postgresql.postStart = lib.mkAfter ''
chmod 750 ${config.services.postgresql.dataDir}
'';
})
];
};
testScript = { nodes, ... }: let
c1 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-1";
c2 = "${nodes.machine.config.system.build.toplevel}/fine-tune/child-2";
in ''
$machine->start;
$machine->waitForUnit("postgresql");
$machine->succeed("echo select 1 | sudo -u postgres psql");
# by default, mode is 0700
$machine->fail("sudo -u backup ls ${dataDir}");
$machine->fail("sudo -u admin ls ${dataDir}");
$machine->succeed("${c1}/bin/switch-to-configuration test >&2");
$machine->succeed("journalctl -u postgresql | grep -q -i stopped"); # was restarted
$machine->succeed("echo select 1 | sudo -u postgres psql"); # works after restart
$machine->succeed("sudo -u backup ls ${dataDir}");
# This tests a hack for PG <11: restore permissions to 0700 just before PG starts
# and put it back to 0750 after PG had started
$machine->succeed("${c2}/bin/switch-to-configuration test >&2");
$machine->succeed("systemctl restart postgresql");
$machine->waitForUnit("postgresql"); # works after restart
$machine->succeed("sudo -u backup ls ${dataDir}_10");
$machine->succeed("sudo -u admin ls -la / >&2");
$machine->succeed("sudo -u admin ls ${dataDir}");
$machine->shutdown;
'';