Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/postgresql: drop ensurePermissions option #287602

Merged
merged 1 commit into from
Mar 7, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions nixos/doc/manual/release-notes/rl-2405.section.md
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
[v0.31](https://github.com/derailed/k9s/releases/tag/v0.31.0) for details. It is recommended
to back up your current configuration and let k9s recreate the new base configuration.

- The option `services.postgresql.ensureUsers._.ensurePermissions` has been removed as it's
not declarative and is broken with newer postgresql versions. Consider using
[](#opt-services.postgresql.ensureUsers._.ensureDBOwnership)
instead or a tool that's more suited for managing the data inside a postgresql database.

- `idris2` was updated to v0.7.0. This version introduces breaking changes. Check out the [changelog](https://github.com/idris-lang/Idris2/blob/v0.7.0/CHANGELOG.md#v070) for details.

- `neo4j` has been updated to 5, you may want to read the [release notes for Neo4j 5](https://neo4j.com/release-notes/database/neo4j-5/)
Expand Down
43 changes: 0 additions & 43 deletions nixos/modules/services/databases/postgresql.nix
Original file line number Diff line number Diff line change
Expand Up @@ -161,33 +161,6 @@ in
'';
};

ensurePermissions = mkOption {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we have a mkRemovedOption?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SuperSandro2000 do you know how to reasonably implement this for submodules? I'm not aware of any way sadly.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't just place mkRemovedOptionModule in the submodule? 😅

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It generates a config.assertions block next to the options.option_that_is_removed and this won't work in a submodule.

type = types.attrsOf types.str;
default = {};
visible = false; # This option has been deprecated.
description = lib.mdDoc ''
This option is DEPRECATED and should not be used in nixpkgs anymore,
use `ensureDBOwnership` instead. It can also break with newer
versions of PostgreSQL (≥ 15).

Permissions to ensure for the user, specified as an attribute set.
The attribute names specify the database and tables to grant the permissions for.
The attribute values specify the permissions to grant. You may specify one or
multiple comma-separated SQL privileges here.

For more information on how to specify the target
and on which privileges exist, see the
[GRANT syntax](https://www.postgresql.org/docs/current/sql-grant.html).
The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`.
'';
example = literalExpression ''
{
"DATABASE \"nextcloud\"" = "ALL PRIVILEGES";
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
}
'';
};

ensureDBOwnership = mkOption {
type = types.bool;
default = false;
Expand Down Expand Up @@ -460,16 +433,6 @@ in
Offender: ${name} has not been found among databases.
'';
}) cfg.ensureUsers;
# `ensurePermissions` is now deprecated, let's avoid it.
warnings = lib.optional (any ({ ensurePermissions, ... }: ensurePermissions != {}) cfg.ensureUsers) "
`services.postgresql.ensureUsers.*.ensurePermissions` is used in your expressions,
this option is known to be broken with newer PostgreSQL versions,
consider migrating to `services.postgresql.ensureUsers.*.ensureDBOwnership` or
consult the release notes or manual for more migration guidelines.

This option will be removed in NixOS 24.05 unless it sees significant
maintenance improvements.
";

services.postgresql.settings =
{
Expand Down Expand Up @@ -583,11 +546,6 @@ in
concatMapStrings
(user:
let
userPermissions = concatStringsSep "\n"
(mapAttrsToList
(database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '')
user.ensurePermissions
);
dbOwnershipStmt = optionalString
user.ensureDBOwnership
''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
Expand All @@ -599,7 +557,6 @@ in
userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' '';
in ''
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
${userPermissions}
${userClauses}

${dbOwnershipStmt}
Expand Down
Loading