blob: f1772f6809ffde2fd0fe6e376b8c6cad11847053 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
{ config, lib, pkgs, ... }:
{
services.postgresql.enable = true;
systemd.services.postgresql = {
serviceConfig.BindPaths = [
"/var/lib/postgresql"
"/run/postgresql"
# mem?
"/dev/shm"
];
serviceConfig.BindReadOnlyPaths = [
# logs on error & notify
"/run/systemd/journal/socket"
"/run/systemd/notify"
# wants to check own fd usage
"/proc/self/fd"
# resolve 'localhost' hardcoded in config :|
"/etc/hosts" "/etc/nsswitch.conf"
# needs /etc/passwd for peer auth
"/etc/passwd" "/etc/group"
# /dev/null only needed for initdb but won't hurt much
"/dev/null"
# confined locale should be fixed eventually
"${config.i18n.glibcLocales}"
];
# default postStart requires sudo which is a pain to make work
# with confinement; psql now has notify type so it is not required
# note that it disables initialScript run though, temporarily
# disable confinment and re-enable postStart if required.
# initdb also needs binSh so first run really needs more rights
postStart = lib.mkForce "";
confinement = {
enable = true;
binSh = null;
mode = "chroot-only";
packages = [
# init script is stupid (exec without path)
pkgs.postgresql
];
};
};
}
|