nixos/postgresql: enable private /tmp & private mounts; fix wal-receiver test

The issue was that the old test-case used `/tmp` to share data. Using `JoinsNamespaceOf=` wasn't a real workaround since the private `/tmp` is recreated when a service gets stopped/started which is the case here, so the wals were still lost. To keep the test building with `PrivateTmp=yes`, create a dedicated directory in `/var/cache` with tmpfiles and allow the hardened `postgresql.service` to access it via `ReadWritePaths`.
2024-09-30 17:23:10 +02:00 · 2024-09-30 17:23:10 +02:00 · f800d8e42b
commit f800d8e42b
parent 2ebffcc4c7
2 changed files with 9 additions and 4 deletions
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -627,14 +627,14 @@ in
            # Hardening
            CapabilityBoundingSet = [ "" ];
            DevicePolicy = "closed";
-            PrivateTmp = false; #breaks wal-receiver test
+            PrivateTmp = true;
            ProtectHome = true;
            ProtectSystem = "strict";
            MemoryDenyWriteExecute = true;
            NoNewPrivileges = true;
            LockPersonality = true;
            PrivateDevices = true;
-            PrivateMounts = false; # breaks wal-receiver test
+            PrivateMounts = true;
            ProcSubset = "pid";
            ProtectClock = true;
            ProtectControlGroups = true;
--- a/nixos/tests/postgresql-wal-receiver.nix
+++ b/nixos/tests/postgresql-wal-receiver.nix
@ -22,8 +22,8 @@ let
      replicationUser = "wal_receiver_user";
      replicationSlot = "wal_receiver_slot";
      replicationConn = "postgresql://${replicationUser}@localhost";
-      baseBackupDir = "/tmp/pg_basebackup";
-      walBackupDir = "/tmp/pg_wal";
+      baseBackupDir = "/var/cache/wals/pg_basebackup";
+      walBackupDir = "/var/cache/wals/pg_wal";

      recoveryFile = pkgs.writeTextDir "recovery.signal" "";

@ -32,6 +32,10 @@ let
      meta.maintainers = with lib.maintainers; [ pacien ];

      nodes.machine = { ... }: {
+        systemd.tmpfiles.rules = [
+          "d /var/cache/wals 0750 postgres postgres - -"
+        ];
+
        services.postgresql = {
          package = pkg;
          enable = true;
@ -60,6 +64,7 @@ let
        # This is only to speedup test, it isn't time racing. Service is set to autorestart always,
        # default 60sec is fine for real system, but is too much for a test
        systemd.services.postgresql-wal-receiver-main.serviceConfig.RestartSec = lib.mkForce 5;
+        systemd.services.postgresql.serviceConfig.ReadWritePaths = [ "/var/cache/wals" ];
      };

      testScript = ''