Commit e14483d6a6 fixed a bug in the `ini`
type with `listsAsDuplicatedKeys = true;`: multiple list declarations
weren't merged, but latter declarations shadowed the former without any
error.
The fix brought another issue to surface however: before, the
`plugin-load-add` declaration in the MySQL test shadowed the
`auth_socket.so` setting in the module. But now the attempt
to merge a list and a single declaration breaks because of
`types.either` seeing a mix of declarations from the left
AND right type.
Turning the `plugin-load-add` in the module into a list triggers the
correct merging behavior and thus fixes the evaluation error (and
merging behavior of `plugin-load-add`)!
This wasn't an issue for mysql itself (empty `plugin-load-add` in the
test) and neither for mariadb (the `auth_socket.so` isn't added for
this).
Commit bfb9d1825d added RFC42 support
which is a good thing in general, but this implementation has the
following flaws:
* `services.pgbouncer.logFile` was not renamed to `[...].log_file`, but
to `[...].logfile`. Also the use of `mkRenamedOptionModule` is
inappropriate here because the two options are not equivalent: the old
option took a path relative to the home directory, the new an absolute
path.
* Using `mkRenamedOptionModule` with options that don't exist (but are
keys in a freeform attr-set or an `attrsOf X`), you get the following
error when referencing an option you didn't declare:
error: evaluation aborted with the following error message: 'Renaming error: option `services.pgbouncer.settings.pgbouncer.listen_port' does not exist.'
This error is pretty bad because it's not actionable for an end-user of
the module. A possible use-case is doing
networking.firewall.allowedTCPPorts = [ config.services.pgbouncer.listenPort ];
without specifying a custom listen port. This is an example of why you
want to keep options, they already contain defaults and you can re-use
those defaults in other parts of your system configuration.
I decided to re-add a bunch of options where I figured that it's
either useful to be able to address those in the NixOS configuration
or having documentation directly in the options' reference in the
NixOS manual.
I didn't add all options, I'll leave that to the maintainers of
pgbouncer.
This will be EOL at the end of November, so there's little reason to
keep it in 24.11[1]. As discussed, we'd like to keep it for as long as
possible to make sure there's a state in nixpkgs that has the latest
minor of postgresql_12 available with the most recent CVEs fixed for
people who cannot upgrade[2].
This aspect has been made explicit in the manual now for the next .11
release.
During the discussions it has been brought up that if people just do
`services.postgresql.enable = true;` and let the code decide the
postgresql version based on `system.stateVersion`, there's a chance that
such EOL dates will be missed. To make this harder, a warning will now
be raised when using the stateVersion-condition and the oldest still
available major is selected.
Additionally regrouped the postgresql things in the release notes to
make sure these are all shown consecutively. Otherwise it's a little
hard to keep track of all the changes made to postgresql in 24.11.
[1] https://endoflife.date/postgresql
[2] https://github.com/NixOS/nixpkgs/pull/353158#issuecomment-2453056692
The test breaks like this otherwise:
machine # WARNING: error during JITing: Permission denied
machine # [ 14.012280] postgres[913]: [913] WARNING: error during JITing: Permission denied
machine # ERROR: failed to look up symbol "evalexpr_0_1": Failed to materialize symbols: { (main, { evalexpr_0_1, evalexpr_0_0 }) }
previously if you set the "user" option and did not create a group
account with the same name the module would create a service that would
fail to start.
with this change:
- the module is more explicit about this behaviour
- you can configure the group directly, so that you're not forced to a
particular user/group structure
- you can read the group name used by the redis service. this is useful
for giving other services permission to use the redis socket.
The issue was that the old test-case used `/tmp` to share data. Using
`JoinsNamespaceOf=` wasn't a real workaround since the private `/tmp` is
recreated when a service gets stopped/started which is the case here, so
the wals were still lost.
To keep the test building with `PrivateTmp=yes`, create a dedicated
directory in `/var/cache` with tmpfiles and allow the hardened
`postgresql.service` to access it via `ReadWritePaths`.
Factor out part of the provisioning script into a
wait-until-service-is-ready script, and put it unconditionally in
front of ExecStartPost=, so that services that depend on influxdb2 are
not started until influxdb2 responds to requests.
Fixes https://github.com/NixOS/nixpkgs/issues/317017 ("Scrutiny tries to start before influxdb has started")
