author | Raito Bezarius <masterancpp@gmail.com> | 2023-11-13 14:55:16 +0100 |
committer | Raito Bezarius <masterancpp@gmail.com> | 2023-11-13 17:16:25 +0100 |
commit | 12797a6a39393c61b00d6e0085eeaffbb1ba1d3c (patch) | |
tree | 0cd07ce1780e205b059ca32efe4be7e24e386ef7 /nixos | |
parent | 48459567ae3e532a87267e186170eb931d7156a3 (diff) | |
download | nixlib-12797a6a39393c61b00d6e0085eeaffbb1ba1d3c.tar nixlib-12797a6a39393c61b00d6e0085eeaffbb1ba1d3c.tar.gz nixlib-12797a6a39393c61b00d6e0085eeaffbb1ba1d3c.tar.bz2 nixlib-12797a6a39393c61b00d6e0085eeaffbb1ba1d3c.tar.lz nixlib-12797a6a39393c61b00d6e0085eeaffbb1ba1d3c.tar.xz nixlib-12797a6a39393c61b00d6e0085eeaffbb1ba1d3c.tar.zst nixlib-12797a6a39393c61b00d6e0085eeaffbb1ba1d3c.zip |
nixos/postgresql: restore `ensurePermissions` and strong-deprecate it
As it is technically a breaking change, we should at least strongly deprecate `ensurePermissions` and leave it in the broken state it is in, for out-of-tree users. We give them a 6 months notice to migrate away by doing so, which is honest. In the meantime, we forbid usage of `ensurePermissions` inside of nixpkgs.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/databases/postgresql.nix | 46 |
1 files changed, 45 insertions, 1 deletions
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 3d2205b63555..1c5de85bf2bc 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -165,6 +165,33 @@ in
 '';
 };
 
+ ensurePermissions = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ visible = false; # This option has been deprecated.
+ description = lib.mdDoc ''
+ This option is DEPRECATED and should not be used in nixpkgs anymore,
+ use `ensureDBOwnership` instead. It can also break with newer
+ versions of PostgreSQL (≥ 15).
+
+ Permissions to ensure for the user, specified as an attribute set.
+ The attribute names specify the database and tables to grant the permissions for.
+ The attribute values specify the permissions to grant. You may specify one or
+ multiple comma-separated SQL privileges here.
+
+ For more information on how to specify the target
+ and on which privileges exist, see the
+ [GRANT syntax](https://www.postgresql.org/docs/current/sql-grant.html).
+ The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`.
+ '';
+ example = literalExpression ''
+ {
+ "DATABASE \"nextcloud\"" = "ALL PRIVILEGES";
+ "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+ }
+ '';
+ };
+
 ensureDBOwnership = mkOption {
 type = types.bool;
 default = false;
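Review bot: The restored option's `description` names the replacement (`ensureDBOwnership`) and the PostgreSQL ≥ 15 breakage but not the removal schedule, so someone reading the option source cannot tell how long `ensurePermissions` will keep evaluating; the warning text added later in this commit gives NixOS 24.05. Add a sentence to the description such as `This option is scheduled for removal in NixOS 24.05; migrate to ensureDBOwnership before then.` so the option text and the evaluation warning agree. Since `visible = false` drops the option from the generated manual, the description is only reachable from the source, which makes that sentence the main in-tree pointer for out-of-tree users. The enclosing option set (presumably the `ensureUsers` submodule, given the `cfg.ensureUsers` check in a later hunk) starts outside this hunk.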
@@ -441,6 +468,17 @@ in } ]; + # `ensurePermissions` is now deprecated, let's avoid it. + warnings = lib.optional (any ({ ensurePermissions, ... }: ensurePermissions != {}) cfg.ensureUsers) " + `services.postgresql.*.ensurePermissions` is used in your expressions, + this option is known to be broken with newer PostgreSQL versions, + consider migrating to `services.postgresql.*.ensureDBOwnership` or + consult the release notes or manual for more migration guidelines. + + This option will be removed in NixOS 24.05 unless it sees significant + maintenance improvements. + "; + services.postgresql.settings = { hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}"; @@ -552,7 +590,12 @@ in ${ concatMapStrings (user: - let + let + userPermissions = concatStringsSep "\n" + (mapAttrsToList + (database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '') + user.ensurePermissions + ); dbOwnershipStmt = optionalString user.ensureDBOwnership ''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' ''; @@ -564,6 +607,7 @@ in userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' ''; in '' $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"' + ${userPermissions} ${userClauses} ${dbOwnershipStmt} |
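Review bot: The warning text names the options as `services.postgresql.*.ensurePermissions` and `services.postgresql.*.ensureDBOwnership`, but the check iterates `cfg.ensureUsers`, so — assuming `cfg` is `config.services.postgresql`, as the `services.postgresql.settings` line just below suggests — the real paths are `services.postgresql.ensureUsers.*.ensurePermissions` and `services.postgresql.ensureUsers.*.ensureDBOwnership`; a user searching their configuration for the quoted path will not find it. Replace both occurrences in the message with the `ensureUsers.*` form. The message is also a `"`-quoted string, so the leading newline and every line's indentation are emitted verbatim in the warning; an indented `''` string (`warnings = lib.optional (…) ''` … `'';`) would strip the common indentation and keep the text readable in the evaluation output.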
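Review bot: The restored `userPermissions` statement splices the attribute name and value straight into a single-quoted shell string, `$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"'`, so a value containing a `'` terminates the shell quoting and the generated activation command is malformed. The values come from the NixOS configuration, so this is a robustness issue rather than a trust-boundary one, but since the option is deliberately kept in a "known broken" state a comment above `userPermissions` should say so, e.g. `# Names and privileges are spliced verbatim into SQL and shell quoting; a literal ' in either breaks the generated command.` The `concatMapStrings (user: let …` body continues past this hunk.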