diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index 224261957844..af19676d37db 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -2,6 +2,7 @@ let inherit (lib) + any attrValues concatMapStrings concatStringsSep @@ -9,6 +10,7 @@ let elem escapeShellArgs filterAttrs + getName isString literalExpression mapAttrs @@ -30,19 +32,19 @@ let cfg = config.services.postgresql; - postgresql = - let - # ensure that - # services.postgresql = { - # enableJIT = true; - # package = pkgs.postgresql_; - # }; - # works. - base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT; - in - if cfg.extensions == [] - then base - else base.withPackages cfg.extensions; + # ensure that + # services.postgresql = { + # enableJIT = true; + # package = pkgs.postgresql_; + # }; + # works. + basePackage = if cfg.enableJIT + then cfg.package.withJIT + else cfg.package.withoutJIT; + + postgresql = if cfg.extensions == [] + then basePackage + else basePackage.withPackages cfg.extensions; toStr = value: if true == value then "yes" @@ -59,6 +61,9 @@ let ''; groupAccessAvailable = versionAtLeast postgresql.version "11.0"; + + extensionNames = map getName postgresql.installedExtensions; + extensionInstalled = extension: elem extension extensionNames; in { @@ -630,7 +635,7 @@ in PrivateTmp = true; ProtectHome = true; ProtectSystem = "strict"; - MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off"); + MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ])); NoNewPrivileges = true; LockPersonality = true; PrivateDevices = true; 
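Review bot: `extensionNames` reads `postgresql.installedExtensions` unconditionally, but when `cfg.extensions == []` the `postgresql` binding above is the bare `withJIT`/`withoutJIT` package, and the only place this diff adds `installedExtensions` is the `withPackages` environment in generic.nix; unless the base derivation exports that attribute too (not visible here), evaluation fails with a missing-attribute error in the common no-extensions case. A defensive form is `extensionNames = map getName (postgresql.installedExtensions or []);`. Note also that `getName` matches on `pname`, so an extension packaged under a different or suffixed name would not be detected and would silently keep the stricter hardening; a short comment on `extensionInstalled` saying it matches by package name would help the next maintainer.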
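Review bot: The new `MemoryDenyWriteExecute` condition weakens a sandboxing knob for a specific extension without saying why, which is the kind of exception that tends to be copied or widened later. Add a comment above the line stating the reason, hedged if it is not certain, e.g. `# plv8 embeds V8, whose JIT presumably needs writable+executable mappings; W^X enforcement would break it.`, and make explicit that this is a `mkDefault` so users who run plv8 with its JIT disabled can re-enable the restriction. The `[ "plv8" ]` list is also repeated verbatim in the `SystemCallFilter` hunk below; a single let-binding such as `extensionsNeedingWX = [ "plv8" ];` used in both places keeps the two relaxations from drifting apart.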
@@ -654,10 +659,12 @@ in RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@privileged @resources" - ]; + SystemCallFilter = + [ + "@system-service" + "~@privileged @resources" + ] + ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ]; UMask = if groupAccessAvailable then "0027" else "0077"; } (mkIf (cfg.dataDir != "/var/lib/postgresql") { diff --git a/pkgs/servers/sql/postgresql/generic.nix b/pkgs/servers/sql/postgresql/generic.nix index 546dbf1e284c..eaa4ef844426 100644 --- a/pkgs/servers/sql/postgresql/generic.nix +++ b/pkgs/servers/sql/postgresql/generic.nix @@ -323,25 +323,33 @@ let }; }); - postgresqlWithPackages = { postgresql, buildEnv }: f: buildEnv { + postgresqlWithPackages = { postgresql, buildEnv }: f: let + installedExtensions = f postgresql.pkgs; + in buildEnv { name = "${postgresql.pname}-and-plugins-${postgresql.version}"; - paths = f postgresql.pkgs ++ [ + paths = installedExtensions ++ [ postgresql postgresql.man # in case user installs this into environment ]; pathsToLink = ["/"]; - passthru.version = postgresql.version; - passthru.psqlSchema = postgresql.psqlSchema; - passthru.withJIT = postgresqlWithPackages { - inherit buildEnv; - postgresql = postgresql.withJIT; - } f; - passthru.withoutJIT = postgresqlWithPackages { - inherit buildEnv; - postgresql = postgresql.withoutJIT; - } f; + passthru = { + inherit installedExtensions; + inherit (postgresql) + psqlSchema + version + ; + + withJIT = postgresqlWithPackages { + inherit buildEnv; + postgresql = postgresql.withJIT; + } f; + withoutJIT = postgresqlWithPackages { + inherit buildEnv; + postgresql = postgresql.withoutJIT; + } f; + }; }; in
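Review bot: `@pkey` is appended whenever plv8 is installed, independently of `cfg.settings.jit`, so the syscall-filter relaxation and the `MemoryDenyWriteExecute` relaxation above are gated differently; if that asymmetry is intended it deserves a comment, and if not the two should share one predicate. I would hoist the check into the `let` block, e.g. `plv8Installed = any extensionInstalled [ "plv8" ];`, and write this line as `++ lib.optionals plv8Installed [ "@pkey" ]`. A comment on why plv8 needs the pkey syscalls (V8 protection-key usage is my guess, not something the diff shows) would document the security trade-off being made.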
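Review bot: `installedExtensions` is now part of the package's passthru interface and is consumed by the NixOS module's hardening logic, but nothing in the derivation marks it as such; a future refactor could drop or rename it and the module would then fail to evaluate. Add a comment next to `inherit installedExtensions;` such as `# consumed by nixos/modules/services/databases/postgresql.nix to relax sandboxing for JIT-based extensions`. It would also be worth stating in that comment that the list is whatever `f postgresql.pkgs` returns (derivations expected), since `getName` is applied to each element on the module side.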