Commit 12797a6a authored by Raito Bezarius's avatar Raito Bezarius

nixos/postgresql: restore `ensurePermissions` and strong-deprecate it

As it is technically a breaking change, we should at least make a strong deprecation
of `ensurePermissions` and leave it in the broken state it is, for out of tree users.

We give them 6 months' notice to migrate away by doing so, which is honest.
In the meantime, we forbid usage of `ensurePermissions` inside of nixpkgs.
parent 48459567
+45 −1
@@ -165,6 +165,33 @@ in
              '';
            };

            ensurePermissions = mkOption {
              type = types.attrsOf types.str;
              default = {};
              visible = false; # This option has been deprecated.
              description = lib.mdDoc ''
                This option is DEPRECATED and should not be used in nixpkgs anymore,
                use `ensureDBOwnership` instead. It can also break with newer
                versions of PostgreSQL (≥ 15).

                Permissions to ensure for the user, specified as an attribute set.
                The attribute names specify the database and tables to grant the permissions for.
                The attribute values specify the permissions to grant. You may specify one or
                multiple comma-separated SQL privileges here.

                For more information on how to specify the target
                and on which privileges exist, see the
                [GRANT syntax](https://www.postgresql.org/docs/current/sql-grant.html).
                The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`.
              '';
              example = literalExpression ''
                {
                  "DATABASE \"nextcloud\"" = "ALL PRIVILEGES";
                  "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
                }
              '';
            };

            ensureDBOwnership = mkOption {
              type = types.bool;
              default = false;
@@ -441,6 +468,17 @@ in
      }
    ];

    # `ensurePermissions` is now deprecated, let's avoid it.
    warnings = lib.optional (any ({ ensurePermissions, ... }: ensurePermissions != {}) cfg.ensureUsers) "
      `services.postgresql.*.ensurePermissions` is used in your expressions,
      this option is known to be broken with newer PostgreSQL versions,
      consider migrating to `services.postgresql.*.ensureDBOwnership` or
      consult the release notes or manual for more migration guidelines.

      This option will be removed in NixOS 24.05 unless it sees significant
      maintenance improvements.
    ";

    services.postgresql.settings =
      {
        hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}";
@@ -553,6 +591,11 @@ in
              concatMapStrings
              (user:
              let
                  userPermissions = concatStringsSep "\n"
                    (mapAttrsToList
                      (database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '')
                      user.ensurePermissions
                    );
                  dbOwnershipStmt = optionalString
                    user.ensureDBOwnership
                    ''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
@@ -564,6 +607,7 @@ in
                  userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' '';
                in ''
                  $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
                  ${userPermissions}
                  ${userClauses}

                  ${dbOwnershipStmt}
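Review bot: The restored `userPermissions` block (the `mapAttrsToList` in the third hunk) splices each `ensurePermissions` attribute name and value verbatim into a single-quoted shell word and into the `GRANT` statement, so a value containing `'` breaks the shell quoting and any value is executed as SQL as written; with the option typed `types.attrsOf types.str` nothing constrains it. The commit deliberately keeps this pre-existing behaviour, so rather than changing it I would mark it at the definition: `# Deprecated: attribute names/values are spliced verbatim into shell and SQL (no escaping); kept unchanged until removal in 24.05.` Separately, the warning text in the second hunk is a `"` string, which preserves the six-space indentation and the leading and trailing newlines in the emitted message; an indented string (`warnings = lib.optional (...) ''` and a closing `'';`) would strip them, matching the `''` style used for the option description. The `concatMapStrings` lambda enclosing the `let` block starts and ends outside the hunk.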