nixos/doc: mention postgresql hardening

This commit is contained in:
Maximilian Bosch 2024-11-01 15:44:27 +01:00
parent 0f1e2a1cd8
commit 70a6092f1e
No known key found for this signature in database
2 changed files with 23 additions and 0 deletions

View File

@ -602,6 +602,11 @@
- `iproute2` now has libbpf support.
- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.
If you use extensions that are not packaged in nixpkgs, please review whether it still works
with the current settings and adjust accordingly if needed.
- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.
Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overriden by the `NIX_PATH` configuration variable.

View File

@ -364,6 +364,24 @@ postgresql.withJIT.pname
evaluates to `"foobar"`.
## Service hardening {#module-services-postgres-hardening}
The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses
several common hardening options from `systemd`, most notably:
* Memory pages must not be both writable and executable (this only applies to non-JIT setups).
* A system call filter (see {manpage}`systemd.exec(5)` for details on `@system-service`).
* A stricter default UMask (`0027`).
* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed.
* Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user).
The NixOS module also contains necessary adjustments for extensions from `nixpkgs`
if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
with hardening, it's considered a bug.
When using extensions that are not packaged in `nixpkgs`, hardening adjustments may
become necessary.
## Notable differences to upstream {#module-services-postgres-upstream-deviation}
- To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.