author | danbst <abcz2.uprola@gmail.com> | 2019-07-25 01:00:26 +0300 |
---|---|---|
committer | danbst <abcz2.uprola@gmail.com> | 2019-07-25 01:00:26 +0300 |
commit | 363ba3f40371f5c016aecf07bf62f3a33f755f29 (patch) | |
tree | 9ac8952449cae2168bf3d4b2d0e41186a89e0031 /nixos | |
parent | e54ad9812bf4f91782cde477f405e015ee5cbdbc (diff) | |
change groupAccess to tristate, to not force `chmod` on dataDir.
Making mask either 0700 or 0750 is too restrictive.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/databases/postgresql.nix | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 510e8f17133b..4b3693d689c9 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -38,7 +38,7 @@ let
 ${cfg.extraConfig}
 '';
- dirMode = if cfg.groupAccess then "0750" else "0700";
+ dirMode = if cfg.groupAccess == true then "0750" else "0700";
 in
@@ -83,11 +83,14 @@ in
 };
 groupAccess = mkOption {
- type = types.bool;
- default = false;
+ type = with types; nullOr bool;
+ default = null;
 description = ''
- Allow read access for group (0750 mask for data directory).
+ When true, allow read access for group (<literal>0750</literal> mask for data directory).
 Supported only for PostgreSQL 11+.
+ </para><para>
+ When false, force a restrictive <literal>0700</literal> mask on data directory, so
+ PostgreSQL won't fail due to too permissive mask.
 '';
 };
@@ -262,7 +265,7 @@ in
 config = mkIf cfg.enable {
 assertions = [
- { assertion = cfg.groupAccess -> versionAtLeast cfg.package.version "11.0";
+ { assertion = cfg.groupAccess == true -> versionAtLeast cfg.package.version "11.0";
 message = ''
 'groupAccess' is not available for PostgreSQL < 11.
 '';
@@ -283,7 +286,7 @@ in
 else "/var/db/postgresql");
 services.postgresql.initdbArgs =
- mkBefore (optional cfg.groupAccess "--allow-group-access");
+ mkBefore (optional (cfg.groupAccess == true) "--allow-group-access");
 services.postgresql.authentication = mkAfter ''
@@ -339,7 +342,9 @@ in
 ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \
 "${cfg.dataDir}/recovery.conf"
 ''}
- chmod ${dirMode} "${cfg.dataDir}"
+ ${optionalString (cfg.groupAccess != null) ''
+ chmod ${dirMode} "${cfg.dataDir}"
+ ''}
 exec postgres
 ''; |
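Review bot: `dirMode` in the first hunk still evaluates to "0700" when `groupAccess` is null, which is harmless only because the last hunk guards the `chmod`; nothing at the binding says so. The comparison `cfg.groupAccess == true` is also repeated in the assertion hunk and the `initdbArgs` hunk. A single let-binding such as `groupAccessOn = cfg.groupAccess == true;` used at all three sites would keep the tristate handling in one place. A comment on `dirMode` such as `# only used when groupAccess is non-null; null leaves the dataDir mode untouched` would make the dependency explicit.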
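Review bot: The new `groupAccess` description in the second hunk explains true and false but not null, which this hunk makes the default. Judging by the guarded `chmod` in the last hunk, null means the start script does not touch the data directory mode at all, and that is the case most users will get. I would add a sentence to the description such as `When null (the default), the mode of the data directory is left unchanged.` so that readers know the module no longer sets a mode unless they opt in.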
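Review bot: Configurations that never set `groupAccess` used to get `chmod 0700` on every start and now get none, because the guard `cfg.groupAccess != null` in the last hunk is false for the new default. A data directory that has ended up group-readable is therefore no longer tightened at start unless the user sets `groupAccess = false`. On PostgreSQL 11+, which the option text says supports the 0750 mask, the server would presumably accept that mode rather than refuse to start. I would put a comment above the `optionalString` such as `# null: respect the existing mode; set groupAccess = false to enforce 0700` and record the default change in the release notes. The start script begins and continues outside this hunk, so whatever mode is applied when the directory is first created is not visible here.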