Merge pull request #266270 from Ma27/postgresql-ownership-15

Ryan Lahfa 2023-11-17 18:02:17 +01:00 committed by GitHub
commit ccfe07c316
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
49 changed files with 205 additions and 132 deletions


@ -145,6 +145,9 @@
## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
- `services.postgresql.ensurePermissions` has been deprecated in favor of `services.postgresql.ensureUsers.*.ensureDBOwnership` which simplifies the setup of database owned by a certain system user
in local database contexts (which make use of peer authentication via UNIX sockets), migration guidelines were provided in the NixOS manual, please refer to them if you are affected by a PostgreSQL 15 changing the way `GRANT ALL PRIVILEGES` is working. `services.postgresql.ensurePermissions` will be removed in 24.05. All NixOS modules were migrated using one of the strategy, e.g. `ensureDBOwnership` or `postStart`. More about this situation can be learnt in https://github.com/NixOS/nixpkgs/pull/266270.
- `network-online.target` has been fixed to no longer time out for systems with `networking.useDHCP = true` and `networking.useNetworkd = true`.
Workarounds for this can be removed.


@ -168,7 +168,12 @@ in
ensurePermissions = mkOption {
type = types.attrsOf types.str;
default = {};
visible = false; # This option has been deprecated.
description = lib.mdDoc ''
This option is DEPRECATED and should not be used in nixpkgs anymore,
use `ensureDBOwnership` instead. It can also break with newer
versions of PostgreSQL ( 15).
Permissions to ensure for the user, specified as an attribute set.
The attribute names specify the database and tables to grant the permissions for.
The attribute values specify the permissions to grant. You may specify one or
@ -187,6 +192,16 @@ in
'';
};
ensureDBOwnership = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Grants the user ownership to a database with the same name.
This database must be defined manually in
[](#opt-services.postgresql.ensureDatabases).
'';
};
ensureClauses = mkOption {
description = lib.mdDoc ''
An attrset of clauses to grant to the user. Under the hood this uses the
@ -338,26 +353,21 @@ in
});
default = [];
description = lib.mdDoc ''
Ensures that the specified users exist and have at least the ensured permissions.
Ensures that the specified users exist.
The PostgreSQL users will be identified using peer authentication. This authenticates the Unix user with the
same name only, and that without the need for a password.
This option will never delete existing users or remove permissions, especially not when the value of this
option is changed. This means that users created and permissions assigned once through this option or
otherwise have to be removed manually.
This option will never delete existing users or remove DB ownership of databases
once granted with `ensureDBOwnership = true;`. This means that this must be
cleaned up manually when changing after changing the config in here.
'';
example = literalExpression ''
[
{
name = "nextcloud";
ensurePermissions = {
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
}
{
name = "superuser";
ensurePermissions = {
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
]
'';
@ -445,6 +455,27 @@ in
config = mkIf cfg.enable {
assertions = map ({ name, ensureDBOwnership, ... }: {
assertion = ensureDBOwnership -> builtins.elem name cfg.ensureDatabases;
message = ''
For each database user defined with `services.postgresql.ensureUsers` and
`ensureDBOwnership = true;`, a database with the same name must be defined
in `services.postgresql.ensureDatabases`.
Offender: ${name} has not been found among databases.
'';
}) cfg.ensureUsers;
# `ensurePermissions` is now deprecated, let's avoid it.
warnings = lib.optional (any ({ ensurePermissions, ... }: ensurePermissions != {}) cfg.ensureUsers) "
`services.postgresql.*.ensurePermissions` is used in your expressions,
this option is known to be broken with newer PostgreSQL versions,
consider migrating to `services.postgresql.*.ensureDBOwnership` or
consult the release notes or manual for more migration guidelines.
This option will be removed in NixOS 24.05 unless it sees significant
maintenance improvements.
";
services.postgresql.settings =
{
hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}";
@ -556,12 +587,15 @@ in
${
concatMapStrings
(user:
let
let
userPermissions = concatStringsSep "\n"
(mapAttrsToList
(database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '')
user.ensurePermissions
);
dbOwnershipStmt = optionalString
user.ensureDBOwnership
''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
filteredClauses = filterAttrs (name: value: value != null) user.ensureClauses;
@ -572,6 +606,8 @@ in
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
${userPermissions}
${userClauses}
${dbOwnershipStmt}
''
)
cfg.ensureUsers
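Review bot: The new `dbOwnershipStmt` interpolates `user.name` straight into a double-quoted SQL identifier inside a single-quoted shell string, so a role name containing `"` or `'` breaks the statement at runtime (the existing `CREATE USER` and `rolname=` lines have the same shape). These names come from the NixOS configuration rather than from untrusted input, so this is a robustness point rather than an injection risk, but an assertion such as `assertion = !(lib.hasInfix "\"" name || lib.hasInfix "'" name);` next to the new ownership assertion would turn a silent postStart failure into a clear evaluation-time error. The `ensureUsers` description also reads "when changing after changing the config in here", presumably meant as "after changing the configuration here". The enclosing `concatMapStrings` call and the `postStart` script continue outside the hunk.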


@ -204,7 +204,7 @@ in
assertions = [
{
assertion = cfg.database.createLocally -> cfg.database.user == "zammad";
assertion = cfg.database.createLocally -> cfg.database.user == "zammad" && cfg.database.name == "zammad";
message = "services.zammad.database.user must be set to \"zammad\" if services.zammad.database.createLocally is set to true";
}
{
@ -231,7 +231,7 @@ in
ensureUsers = [
{
name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
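Review bot: The assertion now also requires `cfg.database.name == "zammad"`, but the message on the following line still only tells the user to set `services.zammad.database.user`, so a deployment with a custom database name gets an error naming the wrong option. `message = "services.zammad.database.user and services.zammad.database.name must both be set to \"zammad\" if services.zammad.database.createLocally is set to true";` would match the new condition.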


@ -121,7 +121,7 @@ in
ensureDatabases = [ "odoo" ];
ensureUsers = [{
name = "odoo";
ensurePermissions = { "DATABASE odoo" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
};
});


@ -168,7 +168,7 @@ in {
ensureUsers = [{
name = "listmonk";
ensurePermissions = { "DATABASE listmonk" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
ensureDatabases = [ "listmonk" ];


@ -179,14 +179,22 @@ in
};
};
assertions = [
{
assertion = localDB -> cfg.database.username == cfg.database.dbname;
message = ''
When setting up a DB and its owner user, the owner and the DB name must be
equal!
'';
}
];
services.postgresql = mkIf localDB {
enable = true;
ensureDatabases = [ cfg.database.dbname ];
ensureUsers = [ {
name = cfg.database.username;
ensurePermissions = {
"DATABASE ${cfg.database.username}" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
} ];
};


@ -218,7 +218,7 @@ in
default = null;
example = "/run/keys/sympa-dbpassword";
description = lib.mdDoc ''
A file containing the password for {option}`services.sympa.database.user`.
A file containing the password for {option}`services.sympa.database.name`.
'';
};
@ -342,6 +342,7 @@ in
db_type = cfg.database.type;
db_name = cfg.database.name;
db_user = cfg.database.name;
}
// (optionalAttrs (cfg.database.host != null) {
db_host = cfg.database.host;
@ -355,9 +356,6 @@ in
// (optionalAttrs (cfg.database.port != null) {
db_port = cfg.database.port;
})
// (optionalAttrs (cfg.database.user != null) {
db_user = cfg.database.user;
})
// (optionalAttrs (cfg.mta.type == "postfix") {
sendmail_aliases = "${dataDir}/sympa_transport";
aliases_program = "${pkgs.postfix}/bin/postmap";
@ -393,7 +391,7 @@ in
users.groups.${group} = {};
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.name == cfg.database.user;
message = "services.sympa.database.user must be set to ${user} if services.sympa.database.createLocally is set to true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
@ -579,7 +577,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
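Review bot: `db_user` is now unconditionally `cfg.database.name` and the `optionalAttrs (cfg.database.user != null)` branch is dropped, while the assertion only forces `database.user == database.name` when `createLocally` is true — so a deployment with `createLocally = false` and a remote database whose role name differs from the database name silently connects as the wrong role, and its `database.user` setting is ignored. Either keep `db_user = if cfg.database.user != null then cfg.database.user else cfg.database.name;` or deprecate `database.user` explicitly so the change is visible to users. The `passwordFile` description now says the password is for `services.sympa.database.name`, which reads as a database rather than a role; wording such as "the password for the database user (which equals `services.sympa.database.name`)" would be clearer.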


@ -74,9 +74,9 @@ in
services.postgresql = lib.optionalAttrs cfg.createDatabase {
enable = true;
ensureDatabases = [ "matrix-sliding-sync" ];
ensureUsers = [ rec {
ensureUsers = [ {
name = "matrix-sliding-sync";
ensurePermissions."DATABASE \"${name}\"" = "ALL PRIVILEGES";
ensureDBOwnership = true;
} ];
};


@ -135,9 +135,7 @@ in {
ensureDatabases = ["mautrix-facebook"];
ensureUsers = [{
name = "mautrix-facebook";
ensurePermissions = {
"DATABASE \"mautrix-facebook\"" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}];
};


@ -73,9 +73,7 @@ in
enable = true;
ensureUsers = [{
name = "atuin";
ensurePermissions = {
"DATABASE atuin" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}];
ensureDatabases = [ "atuin" ];
};


@ -357,6 +357,14 @@ in
assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user;
message = "services.forgejo.database.user must match services.forgejo.user if the database is to be automatically provisioned";
}
{ assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name;
message = ''
When creating a database via NixOS, the db user and db name must be equal!
If you already have an existing DB+user and this assertion is new, you can safely set
`services.forgejo.createDatabase` to `false` because removal of `ensureUsers`
and `ensureDatabases` doesn't have any effect.
'';
}
];
services.forgejo.settings = {
@ -423,7 +431,7 @@ in
ensureUsers = [
{
name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
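Review bot: The new assertion message tells users to set `services.forgejo.createDatabase` to `false`, but the condition it guards is `cfg.database.createDatabase`, so the advice points at an option path that does not match the one actually checked. Use `services.forgejo.database.createDatabase` in the message. The claim that removing `ensureUsers`/`ensureDatabases` has no effect is consistent with the postgresql module's own description, which says it never deletes users or revokes ownership once granted.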


@ -394,6 +394,14 @@ in
{ assertion = cfg.database.createDatabase -> useSqlite || cfg.database.user == cfg.user;
message = "services.gitea.database.user must match services.gitea.user if the database is to be automatically provisioned";
}
{ assertion = cfg.database.createDatabase && usePostgresql -> cfg.database.user == cfg.database.name;
message = ''
When creating a database via NixOS, the db user and db name must be equal!
If you already have an existing DB+user and this assertion is new, you can safely set
`services.gitea.createDatabase` to `false` because removal of `ensureUsers`
and `ensureDatabases` doesn't have any effect.
'';
}
];
services.gitea.settings = {
@ -461,7 +469,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
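Review bot: The assertion message advises setting `services.gitea.createDatabase` to `false`, but the guarded condition is `cfg.database.createDatabase`, so the named option path is wrong. Use `services.gitea.database.createDatabase` in the message so users can act on it directly.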


@ -267,7 +267,7 @@ in
{ assertion = cfg.database.passwordFile != null || cfg.database.socket != null;
message = "one of services.redmine.database.socket or services.redmine.database.passwordFile must be set";
}
{ assertion = cfg.database.createLocally -> cfg.database.user == cfg.user;
{ assertion = cfg.database.createLocally -> cfg.database.user == cfg.user && cfg.database.user == cfg.database.name;
message = "services.redmine.database.user must be set to ${cfg.user} if services.redmine.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.socket != null;
@ -315,7 +315,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
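Review bot: The assertion now also requires `cfg.database.user == cfg.database.name`, but the message still only says that `database.user` must equal `${cfg.user}`, so a user whose database is named differently is pointed at the wrong option. Consider `message = "services.redmine.database.user and services.redmine.database.name must both be set to ${cfg.user} if services.redmine.database.createLocally is set true";`.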


@ -249,10 +249,13 @@ in
ensureDatabases = [ srvCfg.postgresql.database ];
ensureUsers = map (name: {
inherit name;
ensurePermissions = { "DATABASE \"${srvCfg.postgresql.database}\"" = "ALL PRIVILEGES"; };
# We don't use it because we have a special default database name with dots.
# TODO(for maintainers of sourcehut): migrate away from custom preStart script.
ensureDBOwnership = false;
}) [srvCfg.user];
};
services.sourcehut.settings = mkMerge [
{
"${srv}.sr.ht".origin = mkDefault "https://${srv}.${cfg.settings."sr.ht".global-domain}";
@ -378,10 +381,11 @@ in
extraService
])) extraServices)
# Work around 'pq: permission denied for schema public' with postgres v15, until a
# solution for `services.postgresql.ensureUsers` is found.
# Work around 'pq: permission denied for schema public' with postgres v15.
# See https://github.com/NixOS/nixpkgs/issues/216989
# Workaround taken from nixos/forgejo: https://github.com/NixOS/nixpkgs/pull/262741
# TODO(to maintainers of sourcehut): please migrate away from this workaround
# by migrating away from database name defaults with dots.
(lib.mkIf (
cfg.postgresql.enable
&& lib.strings.versionAtLeast config.services.postgresql.package.version "15.0"
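Review bot: With `ensurePermissions` removed and `ensureDBOwnership = false`, the module itself no longer grants the sourcehut role anything on its database, and the only remaining grant path is the workaround below, which is gated on `versionAtLeast ... "15.0"` — on PostgreSQL 14 or older the role previously received `ALL PRIVILEGES` and, if I read the gate correctly, would now receive nothing from this module. Either drop the version gate so the ownership fix applies on every supported version, or state in the comment that PostgreSQL < 15 is no longer supported by this module. The `lib.mkIf` body continues outside the hunk.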


@ -203,7 +203,7 @@ in
{ assertion = !config.services.zabbixServer.enable;
message = "Please choose one of services.zabbixServer or services.zabbixProxy.";
}
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.name == cfg.database.user;
message = "services.zabbixProxy.database.user must be set to ${user} if services.zabbixProxy.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
@ -252,7 +252,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
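Review bot: The assertion now also requires `cfg.database.name == cfg.database.user`, but the message only mentions `services.zabbixProxy.database.user`, so a mismatch on the database name yields a misleading error. Extend the message to `"services.zabbixProxy.database.user and services.zabbixProxy.database.name must both be set to ${user} if services.zabbixProxy.database.createLocally is set true"`.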


@ -191,7 +191,7 @@ in
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.user == cfg.database.name;
message = "services.zabbixServer.database.user must be set to ${user} if services.zabbixServer.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
@ -240,7 +240,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
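Review bot: The assertion now also requires `cfg.database.user == cfg.database.name`, but the message still only names `services.zabbixServer.database.user`. Extend it to `"services.zabbixServer.database.user and services.zabbixServer.database.name must both be set to ${user} if services.zabbixServer.database.createLocally is set true"` so the error points at both options it checks.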


@ -55,7 +55,7 @@ in {
ensureDatabases = [ "hockeypuck" ];
ensureUsers = [{
name = "hockeypuck";
ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};
```


@ -149,8 +149,8 @@ in {
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.username == name;
message = "services.coder.database.username must be set to ${user} if services.coder.database.createLocally is set true";
{ assertion = cfg.database.createLocally -> cfg.database.username == name && cfg.database.database == cfg.database.username;
message = "services.coder.database.username must be set to ${name} if services.coder.database.createLocally is set true";
}
];
@ -193,10 +193,8 @@ in {
cfg.database.database
];
ensureUsers = [{
name = cfg.database.username;
ensurePermissions = {
"DATABASE \"${cfg.database.database}\"" = "ALL PRIVILEGES";
};
name = cfg.user;
ensureDBOwnership = true;
}
];
};
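Review bot: The `ensureUsers` entry now uses `name = cfg.user`, while the assertion above only pins `cfg.database.username` to `name` and `cfg.database.database` to the username; nothing in the hunk ties `cfg.user` to `name`, so if `services.coder.user` can be set independently the ensured role (and therefore the database owner) would differ from the role coder connects with. `name = cfg.database.username;` keeps the entry aligned with the assertion, or the assertion should additionally require `cfg.user == name`. Both the assertion list and the `services.postgresql` block are cut at the hunk edges, so `name` may well be bound to `cfg.user` outside my view.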


@ -128,9 +128,7 @@ in
ensureUsers = [
{
name = "gotosocial";
ensurePermissions = {
"DATABASE gotosocial" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
};


@ -109,15 +109,17 @@ let
# Default to using the local database if we create it
services.invidious.database.host = lib.mkDefault null;
# TODO(raitobezarius to maintainers of invidious): I strongly advise to clean up the kemal specific
# thing for 24.05 and use `ensureDBOwnership`.
# See https://github.com/NixOS/nixpkgs/issues/216989
systemd.services.postgresql.postStart = lib.mkAfter ''
$PSQL -tAc 'ALTER DATABASE "${cfg.settings.db.dbname}" OWNER TO "${cfg.settings.db.user}";'
'';
services.postgresql = {
enable = true;
ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = false; };
ensureDatabases = lib.singleton cfg.settings.db.dbname;
ensureUsers = lib.singleton {
name = cfg.settings.db.user;
ensurePermissions = {
"DATABASE ${cfg.settings.db.dbname}" = "ALL PRIVILEGES";
};
};
# This is only needed because the unix user invidious isn't the same as
# the database user. This tells postgres to map one to the other.
identMap = ''
@ -136,6 +138,7 @@ let
documentation = [ "https://docs.invidious.io/Database-Information-and-Maintenance.md" ];
startAt = lib.mkDefault "weekly";
path = [ config.services.postgresql.package ];
after = [ "postgresql.service" ];
script = ''
psql ${cfg.settings.db.dbname} ${cfg.settings.db.user} -c "DELETE FROM nonces * WHERE expire < current_timestamp"
psql ${cfg.settings.db.dbname} ${cfg.settings.db.user} -c "TRUNCATE TABLE videos"
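Review bot: The cleanup service gains `after = [ "postgresql.service" ]` but no `requires`/`wants`, so when its weekly timer fires on a host where postgresql.service is not running the `psql` calls have nothing to talk to and the unit fails; `after` only orders units that are both being started in the same transaction. Adding `requires = [ "postgresql.service" ];` (or at least `wants`) beside `after` makes the dependency explicit. The `ALTER DATABASE ... OWNER TO` appended with `lib.mkAfter` relies on the postgresql module's `ensureDatabases`/`ensureUsers` part of `postStart` being emitted at the default priority so it runs first — worth confirming rather than assuming.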


@ -146,7 +146,7 @@ in
ensureDatabases = [ cfg.settings.database.database ];
ensureUsers = [{
name = cfg.settings.database.user;
ensurePermissions."DATABASE ${cfg.settings.database.database}" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};
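Review bot: This section switches to `ensureDBOwnership = true` with `name = cfg.settings.database.user` and `ensureDatabases = [ cfg.settings.database.database ]`, but unlike most other modules in this PR it adds no module-level assertion that the two are equal; a deployment where they differ fails with the postgresql module's generic "Offender: ... has not been found among databases" message instead of one naming this module's options. An assertion such as `{ assertion = <local-db condition> -> cfg.settings.database.user == cfg.settings.database.database; message = "...database.user and ...database.database must be equal when the database is provisioned locally"; }` would match what the sibling modules do. The condition guarding this block is outside the hunk.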


@ -612,7 +612,7 @@ in {
config = lib.mkIf cfg.enable (lib.mkMerge [{
assertions = [
{
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user);
assertion = databaseActuallyCreateLocally -> (cfg.user == cfg.database.user && cfg.database.user == cfg.database.name);
message = ''
For local automatic database provisioning (services.mastodon.database.createLocally == true) with peer
authentication (services.mastodon.database.host == "/run/postgresql") to work services.mastodon.user
@ -845,8 +845,8 @@ in {
enable = true;
ensureUsers = [
{
name = cfg.database.user;
ensurePermissions."DATABASE ${cfg.database.name}" = "ALL PRIVILEGES";
name = cfg.database.name;
ensureDBOwnership = true;
}
];
ensureDatabases = [ cfg.database.name ];
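Review bot: `name = cfg.database.name` in the `ensureUsers` entry names a role with a database-name option, which reads oddly even though the new assertion forces `cfg.database.user == cfg.database.name`. `name = cfg.database.user;` says what is meant and would not silently create the wrong role if the assertion is ever relaxed. The assertion message continues past the hunk edge.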


@ -454,7 +454,7 @@ in
{ assertion = cfg.database.createLocally -> (cfg.database.type == "mysql" || cfg.database.type == "postgres");
message = "services.mediawiki.createLocally is currently only supported for database type 'mysql' and 'postgres'";
}
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.name == cfg.database.user;
message = "services.mediawiki.database.user must be set to ${user} if services.mediawiki.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.socket != null;
@ -486,7 +486,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [{
name = cfg.database.user;
ensurePermissions = { "DATABASE \"${cfg.database.name}\"" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
};
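Review bot: The assertion now also requires `cfg.database.name == cfg.database.user`, but the message only mentions `services.mediawiki.database.user`. Extend it to `"services.mediawiki.database.user and services.mediawiki.database.name must both be set to ${user} if services.mediawiki.database.createLocally is set true"` so a database-name mismatch produces an actionable error.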


@ -6,13 +6,10 @@ let
defaultAddress = "localhost:8080";
dbUser = "miniflux";
dbName = "miniflux";
pgbin = "${config.services.postgresql.package}/bin";
preStart = pkgs.writeScript "miniflux-pre-start" ''
#!${pkgs.runtimeShell}
${pgbin}/psql "${dbName}" -c "CREATE EXTENSION IF NOT EXISTS hstore"
${pgbin}/psql "miniflux" -c "CREATE EXTENSION IF NOT EXISTS hstore"
'';
in
@ -62,7 +59,7 @@ in
services.miniflux.config = {
LISTEN_ADDR = mkDefault defaultAddress;
DATABASE_URL = "user=${dbUser} host=/run/postgresql dbname=${dbName}";
DATABASE_URL = "user=miniflux host=/run/postgresql dbname=miniflux";
RUN_MIGRATIONS = "1";
CREATE_ADMIN = "1";
};
@ -70,12 +67,10 @@ in
services.postgresql = {
enable = true;
ensureUsers = [ {
name = dbUser;
ensurePermissions = {
"DATABASE ${dbName}" = "ALL PRIVILEGES";
};
name = "miniflux";
ensureDBOwnership = true;
} ];
ensureDatabases = [ dbName ];
ensureDatabases = [ "miniflux" ];
};
systemd.services.miniflux-dbsetup = {
@ -97,7 +92,7 @@ in
serviceConfig = {
ExecStart = "${cfg.package}/bin/miniflux";
User = dbUser;
User = "miniflux";
DynamicUser = true;
RuntimeDirectory = "miniflux";
RuntimeDirectoryMode = "0700";
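Review bot: Dropping `dbUser`/`dbName` and spelling `"miniflux"` out in `DATABASE_URL`, `ensureUsers`, `ensureDatabases`, `User` and the `preStart` psql call means five literals now have to be kept in sync by hand, which is exactly the drift the constants prevented. Keeping a single `dbName = "miniflux";` (the user and database name must be equal for `ensureDBOwnership` anyway) and referencing it from all five places preserves the migration while keeping one source of truth. The `let` block and the `preStart` script begin above the hunk.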


@ -347,12 +347,18 @@ in
# Taken from here:
# https://framagit.org/framasoft/mobilizon/-/blob/1.1.0/priv/templates/setup_db.eex
# TODO(to maintainers of mobilizon): the owner database alteration is necessary
# as PostgreSQL 15 changed their behaviors w.r.t. to privileges.
# See https://github.com/NixOS/nixpkgs/issues/216989 to get rid
# of that workaround.
script =
''
psql "${repoSettings.database}" -c "\
CREATE EXTENSION IF NOT EXISTS postgis; \
CREATE EXTENSION IF NOT EXISTS pg_trgm; \
CREATE EXTENSION IF NOT EXISTS unaccent;"
psql -tAc 'ALTER DATABASE "${repoSettings.database}" OWNER TO "${dbUser}";'
'';
serviceConfig = {
@ -372,9 +378,10 @@ in
ensureUsers = [
{
name = dbUser;
ensurePermissions = {
"DATABASE \"${repoSettings.database}\"" = "ALL PRIVILEGES";
};
# Given that `dbUser` is potentially arbitrarily custom, we will perform
# manual fixups in mobilizon-postgres.
# TODO(to maintainers of mobilizon): Feel free to simplify your setup by using `ensureDBOwnership`.
ensureDBOwnership = false;
}
];
extraPlugins = with postgresql.pkgs; [ postgis ];
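Review bot: The new `ALTER DATABASE ... OWNER TO` in the `mobilizon-postgres` script must run as a superuser or as the database owner with membership in the target role, and the hunk does not show which user the unit runs as — `serviceConfig` starts at the hunk edge. If the unit does not run as `postgres`, the statement fails and takes the whole setup script with it; worth confirming `User = "postgres"` there or passing `-U postgres` explicitly. Since `dbUser` is interpolated into a quoted identifier, a name containing `"` would also break the statement, though that is admin-controlled configuration rather than untrusted input.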


@ -194,7 +194,7 @@ in
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
{ assertion = cfg.database.createLocally -> cfg.database.user == user && cfg.database.user == cfg.database.name;
message = "services.moodle.database.user must be set to ${user} if services.moodle.database.createLocally is set true";
}
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
@ -220,7 +220,7 @@ in
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};
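Review bot: The assertion now also requires `cfg.database.user == cfg.database.name`, but the message still only names `services.moodle.database.user`. Extend it to `"services.moodle.database.user and services.moodle.database.name must both be set to ${user} if services.moodle.database.createLocally is set true"` so the error names both options it checks.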


@ -257,9 +257,7 @@ in {
ensureUsers = [
{
name = "netbox";
ensurePermissions = {
"DATABASE netbox" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
};


@ -1042,7 +1042,7 @@ in {
ensureDatabases = [ cfg.config.dbname ];
ensureUsers = [{
name = cfg.config.dbuser;
ensurePermissions = { "DATABASE ${cfg.config.dbname}" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
};
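Review bot: This section switches to `ensureDBOwnership = true` with `name = cfg.config.dbuser` and `ensureDatabases = [ cfg.config.dbname ]`, but no module-level assertion requires `dbuser == dbname`, so a deployment where they differ fails with the postgresql module's generic "Offender: ... has not been found among databases" message rather than one naming `dbuser`/`dbname`. Add an assertion along the lines of `{ assertion = <local-db condition> -> cfg.config.dbuser == cfg.config.dbname; message = "...config.dbuser and ...config.dbname must be equal when the database is created locally"; }` next to the module's other assertions, as the sibling modules in this PR do. The condition that enables this block is outside the hunk.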


@ -198,7 +198,7 @@ in
ensureDatabases = [ "onlyoffice" ];
ensureUsers = [{
name = "onlyoffice";
ensurePermissions = { "DATABASE \"onlyoffice\"" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}];
};
};


@ -581,7 +581,7 @@ in
enable = true;
ensureUsers = [{
name = "outline";
ensurePermissions."DATABASE outline" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
ensureDatabases = [ "outline" ];
};


@ -186,9 +186,7 @@ in {
ensureUsers = [
{
name = "peering-manager";
ensurePermissions = {
"DATABASE \"peering-manager\"" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
};


@ -271,7 +271,6 @@ in {
ensureDatabases = [ cfg.database.name ];
ensureUsers = [{
name = user;
ensurePermissions = { };
}];
};


@ -529,6 +529,15 @@ let
assertion = cfg.database.password != null -> cfg.database.passwordFile == null;
message = "Cannot set both password and passwordFile";
}
{
assertion = cfg.database.createLocally -> cfg.database.name == cfg.user && cfg.database.user == cfg.user;
message = ''
When creating a database via NixOS, the db user and db name must be equal!
If you already have an existing DB+user and this assertion is new, you can safely set
`services.tt-rss.database.createLocally` to `false` because removal of `ensureUsers`
and `ensureDatabases` doesn't have any effect.
'';
}
];
services.phpfpm.pools = mkIf (cfg.pool == "${poolName}") {
@ -632,8 +641,8 @@ let
enable = mkDefault true;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{ name = cfg.user;
ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
{ name = cfg.database.user;
ensureDBOwnership = true;
}
];
};


@ -93,7 +93,7 @@ in with lib; {
ensureDatabases = [ "hydron" ];
ensureUsers = [
{ name = "hydron";
ensurePermissions = { "DATABASE hydron" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -49,7 +49,7 @@ import ./make-test-python.nix ({ lib, ... }: {
ensureUsers = [
{
name = "dex";
ensurePermissions = { "DATABASE dex" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -39,7 +39,7 @@ with import ../lib/testing-python.nix { inherit system; };
ensureDatabases = [ "ferretdb" ];
ensureUsers = [{
name = "ferretdb";
ensurePermissions."DATABASE ferretdb" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};


@ -22,9 +22,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }: {
ensureUsers = [
{
name = "freshrss";
ensurePermissions = {
"DATABASE freshrss" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
initialScript = pkgs.writeText "postgresql-password" ''


@ -55,7 +55,7 @@ let
ensureDatabases = [ "grafana" ];
ensureUsers = [{
name = "grafana";
ensurePermissions."DATABASE grafana" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};
systemd.services.grafana.after = [ "postgresql.service" ];


@ -35,7 +35,7 @@ in {
ensureDatabases = [ "hockeypuck" ];
ensureUsers = [{
name = "hockeypuck";
ensurePermissions."DATABASE hockeypuck" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};
};


@ -9,13 +9,11 @@ in {
nodes.hass = { pkgs, ... }: {
services.postgresql = {
enable = true;
# FIXME: hack for https://github.com/NixOS/nixpkgs/issues/216989
# Should be replaced with ensureUsers again when a solution for that is found
initialScript = pkgs.writeText "hass-setup-db.sql" ''
CREATE ROLE hass WITH LOGIN;
CREATE DATABASE hass WITH OWNER hass;
'';
ensureDatabases = [ "hass" ];
ensureUsers = [{
name = "hass";
ensureDBOwnership = true;
}];
};
services.home-assistant = {


@ -44,8 +44,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
enable = true;
initialScript = pkgs.writeText "init-postgres-with-password" ''
CREATE USER kemal WITH PASSWORD 'correct horse battery staple';
CREATE DATABASE invidious;
GRANT ALL PRIVILEGES ON DATABASE invidious TO kemal;
CREATE DATABASE invidious OWNER kemal;
'';
};
};


@ -17,7 +17,7 @@ import ./make-test-python.nix ({ lib, ... }: {
ensureDatabases = [ "paperless" ];
ensureUsers = [
{ name = config.services.paperless.user;
ensurePermissions = { "DATABASE \"paperless\"" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -19,14 +19,6 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
authentication = ''
host all all localhost trust
'';
ensureUsers = [
{
name = "postgres";
ensurePermissions = {
"DATABASE \"postgres\"" = "ALL PRIVILEGES";
};
}
];
};
services.pgadmin = {


@ -17,7 +17,8 @@ in
systemd.services.postgresql = {
postStart = ''
${pkgs.postgresql}/bin/psql -U postgres -c "ALTER ROLE testuser WITH LOGIN PASSWORD 'testpass'";
${pkgs.postgresql}/bin/psql -U postgres -c "ALTER ROLE testuser WITH LOGIN PASSWORD 'testpass'";
${pkgs.postgresql}/bin/psql -U postgres -c "ALTER DATABASE testdb OWNER TO testuser;";
'';
};
@ -28,9 +29,6 @@ in
ensureUsers = [
{
name = "testuser";
ensurePermissions = {
"DATABASE testdb" = "ALL PRIVILEGES";
};
}];
authentication = ''
local testdb testuser scram-sha-256
@ -40,7 +38,7 @@ in
pgbouncer = {
enable = true;
listenAddress = "localhost";
databases = { testdb = "host=/run/postgresql/ port=5432 auth_user=testuser dbname=testdb"; };
databases = { test = "host=/run/postgresql/ port=5432 auth_user=testuser dbname=testdb"; };
authType = "scram-sha-256";
authFile = testAuthFile;
};
@ -55,7 +53,7 @@ in
# Test if we can make a query through PgBouncer
one.wait_until_succeeds(
"psql 'postgres://testuser:testpass@localhost:6432/testdb' -c 'SELECT 1;'"
"psql 'postgres://testuser:testpass@localhost:6432/test' -c 'SELECT 1;'"
)
'';
})
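Review bot: The added `ALTER DATABASE testdb OWNER TO testuser;` in `postStart` only succeeds if `testdb` and `testuser` already exist, and those are created by the postgresql module's own `postStart` via `ensureDatabases`/`ensureUsers`; a plain string definition here gives no guarantee that it is appended after the module's part. The invidious module in this same PR uses `lib.mkAfter` for exactly this reason, so `postStart = lib.mkAfter ''...'';` would make the ordering explicit instead of relying on merge order.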


@ -87,9 +87,7 @@ let
ensureUsers = [
{
name = "powerdnsadmin";
ensurePermissions = {
"DATABASE powerdnsadmin" = "ALL PRIVILEGES";
};
ensureDBOwnership = true;
}
];
};


@ -156,7 +156,7 @@ in
ensureDatabases = [ "sftpgo" ];
ensureUsers = [{
name = "sftpgo";
ensurePermissions."DATABASE sftpgo" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}];
};


@ -5,6 +5,29 @@ import ./make-test-python.nix ({ lib, ... }: {
nodes.machine = { pkgs, ... }: {
services.tandoor-recipes = {
enable = true;
extraConfig = {
DB_ENGINE = "django.db.backends.postgresql";
POSTGRES_HOST = "/run/postgresql";
POSTGRES_USER = "tandoor_recipes";
POSTGRES_DB = "tandoor_recipes";
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "tandoor_recipes" ];
ensureUsers = [
{
name = "tandoor_recipes";
ensureDBOwnership = true;
}
];
};
systemd.services = {
tandoor-recipes = {
after = [ "postgresql.service" ];
};
};
};


@ -33,7 +33,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
ensureDatabases = [ "vikunja-api" ];
ensureUsers = [
{ name = "vikunja-api";
ensurePermissions = { "DATABASE \"vikunja-api\"" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
}
];
};


@ -10,14 +10,15 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
enable = true;
settings.db.host = "/run/postgresql";
settings.db.user = "wiki-js";
settings.db.db = "wiki-js";
settings.logLevel = "debug";
};
services.postgresql = {
enable = true;
ensureDatabases = [ "wiki" ];
ensureDatabases = [ "wiki-js" ];
ensureUsers = [
{ name = "wiki-js";
ensurePermissions."DATABASE wiki" = "ALL PRIVILEGES";
ensureDBOwnership = true;
}
];
};