nixos/doc: mention postgresql hardening
parent 0f1e2a1cd8
commit 70a6092f1e
@ -602,6 +602,11 @@
- `iproute2` now has libbpf support.
- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that.
If you use extensions that are not packaged in nixpkgs, please review whether it still works
with the current settings and adjust accordingly if needed.
- `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.
Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overriden by the `NIX_PATH` configuration variable.
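Review bot: the added sentence "please review whether it still works with the current settings" does not agree with its plural subject "extensions"; suggest "please review whether they still work with the current settings and adjust accordingly if needed." The note links to the manual section, which is good, but a one-clause pointer to where the adjustment happens (the hardening options on the postgresql systemd service) would save an upgrading reader from having to guess what "adjust accordingly" means.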
@ -364,6 +364,24 @@ postgresql.withJIT.pname
evaluates to `"foobar"`.
## Service hardening {#module-services-postgres-hardening}
The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses
several common hardening options from `systemd`, most notably:
* Memory pages must not be both writable and executable (this only applies to non-JIT setups).
* A system call filter (see {manpage}`systemd.exec(5)` for details on `@system-service`).
* A stricter default UMask (`0027`).
* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed.
* Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user).
The NixOS module also contains necessary adjustments for extensions from `nixpkgs`
if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
with hardening, it's considered a bug.
When using extensions that are not packaged in `nixpkgs`, hardening adjustments may
become necessary.
## Notable differences to upstream {#module-services-postgres-upstream-deviation}
- To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.
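Review bot: the bullet list describes each hardening measure in prose but never names the systemd setting behind it, so a user whose out-of-tree extension breaks has no handle to override; suggest naming the option next to each bullet (the memory bullet is `MemoryDenyWriteExecute`, the filter bullet is `SystemCallFilter`, the socket bullet is `RestrictAddressFamilies`, the filesystem bullet covers `PrivateTmp`, `ProtectSystem` and `ProcSubset`), which also makes the last paragraph's "hardening adjustments may become necessary" actionable. Two nits in the same hunk: "hierachy" should be "hierarchy", and the socket bullet is missing its verb ("Only sockets of type ... are allowed"). The JIT caveat on the first bullet is the right call, since JIT-compiled code needs writable-then-executable pages; it would be worth stating explicitly that the module drops that setting when `withJIT` is used rather than leaving the reader to infer it.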