{ config, lib, pkgs, ... }:

let
  inherit (lib) mkForce;

  # Paths the confined postgres process must be able to write to.
  writableBinds = [
    # data directory and unix-socket directory (presumably; the NixOS
    # defaults live under these two roots)
    "/var/lib/postgresql"
    "/run/postgresql"
    # shared memory; NOTE(review): this is the host's /dev/shm, i.e. it is
    # shared with every other process that can reach it — confirm the whole
    # directory really needs to be visible inside the chroot
    "/dev/shm"
  ];

  # Paths the confined process only needs to read.  A read-only bind of a
  # unix socket still allows connecting to it, which is all the journal and
  # notify sockets require.
  readOnlyBinds = [
    # journal socket for error logging, notify socket for sd_notify readiness
    "/run/systemd/journal/socket"
    "/run/systemd/notify"
    # postgres inspects its own fd usage at startup
    "/proc/self/fd"
    # the generated config refers to 'localhost', which has to resolve
    "/etc/hosts"
    "/etc/nsswitch.conf"
    # peer authentication maps unix users via the passwd/group databases
    "/etc/passwd"
    "/etc/group"
    # only initdb needs /dev/null, but exposing it is harmless
    "/dev/null"
    # locale data; ideally the chroot would carry a trimmed locale set instead
    "${config.i18n.glibcLocales}"
  ];
in
{
  services.postgresql.enable = true;

  systemd.services.postgresql = {
    serviceConfig = {
      BindPaths = writableBinds;
      BindReadOnlyPaths = readOnlyBinds;
    };

    # The module's default postStart relies on sudo, which is awkward under
    # confinement; with the notify service type it is no longer needed for
    # readiness.  Forcing it empty also means initialScript will not run —
    # for a first start (which additionally needs binSh for initdb) disable
    # confinement temporarily and restore the default postStart.
    postStart = mkForce "";

    confinement = {
      enable = true;
      # no /bin/sh inside the chroot; initdb is the only thing that needs one
      binSh = null;
      # chroot only — presumably the api filesystems (/dev, /proc, /sys) are
      # not mounted in this mode, which is why the individual /dev and /proc
      # entries above are bound by hand
      mode = "chroot-only";
      # the start script execs the postgres binaries without absolute paths,
      # so the package closure has to be present in the chroot
      packages = [ pkgs.postgresql ];
    };
  };
}