nixos/postgresql: deprecate ensurePermissions, fix ensureUsers for postgresql15

[Ma27]

The following things need to be done:

• Resolve merge conflict
• Ensure commits don't introduce unexpected default database name change and gate them behind stateVersion
• Write release notes
• Ensure all tests running on master are fine
• Discuss the overall approach: technically it's a breaking change, not only because of ensurePermissions being removed, but also because of the behavioral changes.
• Discuss alternatives
  • rolling back the default postgres - it was apparently merged in without checking the impact properly

---

Closes #216989

First of all, a bit of context: in PostgreSQL, newly created users don't have the CREATE privilege on the public schema of a database even with ALL PRIVILEGES granted via ensurePermissions which is how most of the DB users are currently set up "declaratively"[1]. This means e.g. a freshly deployed Nextcloud service will break early because Nextcloud itself cannot CREATE any tables in the public schema anymore.

The other issue here is that ensurePermissions is a mere hack. It's effectively a mixture of SQL code (e.g. DATABASE foo is relying on how a value is substituted in a query. You'd have to parse a subset of SQL to actually know which object are permissions granted to for a user).

After analyzing the existing modules I realized that in every case with a single exception[2] the UNIX system user is equal to the db user is equal to the db name and I don't see a compelling reason why people would change that in 99% of the cases. In fact, some modules would even break if you'd change that because the declarations of the system user & the db user are mixed up[3].

So I decided to go with something new which restricts the ways to use ensure* options rather than expanding those[4]. Effectively this means that

• The DB user must be equal to the DB name.
• Permissions are granted via ensureDBOwnerhip for an attribute-set in ensureUsers. That way, the user is actually the owner and can perform CREATE.
• For such a postgres user, a database must be declared in ensureDatabases.

For anything else, a custom state management should be implemented. This can either be initialScript, doing it manual, outside of the module or by implementing proper state management for postgresql[5], but the current state of ensure* isn't even declarative, but a convergent tool which is what Nix actually claims to not do.

Regarding existing setups: there are effectively two options:

• Leave everything as-is (assuming that system user == db user == db name): then the DB user will automatically become the DB owner and everything else stays the same.

• Drop the createDatabase = true; declarations: nothing will change because a removal of ensure* statements is ignored, so it doesn't matter at all whether this option is kept after the first deploy (and later on you'd usually restore from backups anyways).

  The DB user isn't the owner of the DB then, but for an existing setup this is irrelevant because CREATE on the public schema isn't revoked from existing users (only not granted for new users).

[1] not really declarative though because removals of these statements
are simply ignored for instance: #206467
[2] services.invidious: I removed the ensure* part temporarily
because it IMHO falls into the category "manage the state on your
own" (see the commit message). See also
#265857
[3] e.g. roundcube had "DATABASE ${cfg.database.username}" = "ALL PRIVILEGES"; [4] As opposed to other changes that are considered a potential fix, but
also add more things like collation for DBs or passwords that are
never touched again when changing those.
[5] As suggested in e.g. #206467

[ambroisie]

What about making ensureDBOwnerhip a list, and asserting that there is no overlap across users?

This would make the migration easier for users that do have a different DB name and DB owner (one example I've seen multiple times, including in my own config, is having gitea use the git user to make the SSH address "prettier").

[Ma27]

You don't need to migrate existing systems, just remove ensureUsers and ensurePermissions. The removal of those options is ignored (part of why they're broken in the first place).

Anyways, I'll be gone for two weeks now, so the call on what to do has to make someone else anyways.

[bendlas]

Thanks for taking this on, it has also been bugging me!

So, if this were to go in as-is, I'd request that we do it after release, to give the ecosystem time to stablilize.

However, I'd prefer to stay backwards-compatible (with out-of-tree users of services.postgres) anyway, and if we turn usage of ensurePermissions into a warning, I'd be more than OK with trying to squeeze this into the release ...

[ambroisie]

You don't need to migrate existing systems, just remove ensureUsers and ensurePermissions. The removal of those options is ignored (part of why they're broken in the first place).

I kind of disagree, if possible we should make it so people are able to actually migrate their current configuration to one that has the same semantics.

Otherwise we could just remove the ensure* options and tell everybody that this is state that has to be managed by hand.

Having it be in the configuration makes it easier to e.g: redeploy from a backup. And it isn't really any harder to make it so the new option can accommodate existing setups for migration.

[bendlas]

What about making ensureDBOwnerhip a list, and asserting that there is no overlap across users?

Since a postgres DB can have only one owner, this would also be an opportunity to instead have ensureDatabases.ensureOwner = "user";. (Except ensureDatabases is a list of strings.)

Which leads to the next point: Is it worth (re-)thinking how it should look like to ensure preconditions for postgres in nixos? Ensure preconditions for databases in nixos? Ensure preconditions in nixos?

This would make the migration easier for users that do have a different DB name and DB owner (one example I've seen multiple times, including in my own config, is having gitea use the git user to make the SSH address "prettier").

IMO having a system user be the owner of the database with same name is standardized enough, that I'd consider it default. Even to the point that having a different configuration could be considered a security yellow-flag, because that's what GRANT is for. Thinking about it, that actually validates ensureDBOwnership being a boolean.

But to address the elephant (haha, postgres, get it?), I think we should:

• put most of the existing ensure* infrastructure on the legacy track
• start with the "escape hatch" (except it's the DSL foundation)
  • IMO that means:
    • define an extension point at the base of systemd.services.postgresql.postStart
    • make it powerful enough for even monstrosities like https://gist.github.com/bendlas/9e61b10a25576a7bdbdf3bba7d878932
• continue with exploring a good DSL design (potentially even out-of-tree until stabilized)
  • potentially also look at the broader use case for ensure - semantics at NixOS level:
    • systemd.tmpfiles.rules, StateDirectory, ...
    • services.mysql and other schema-bearing DBs
    • Is this a case for extensibility through a lens type (read current state -> decide necessary updates -> write current state)?
• ask users to inform the new DSL design, whenever they need to use the low-level extension point

[RaitoBezarius]

Still reading here and thinking.

So, if this were to go in as-is, I'd request that we do it after release, to give the ecosystem time to stablilize.

Just FWIW, if we don't merge something, we will merge a broken set of NixOS modules w.r.t. to the new Postgres release, so doing nothing is not an option, so if we block this, someone has to propose a proper solution (so far, only Ma27 worked on the matter as one of the maintainers around…)

[RaitoBezarius]

You don't need to migrate existing systems, just remove ensureUsers and ensurePermissions. The removal of those options is ignored (part of why they're broken in the first place).

I kind of disagree, if possible we should make it so people are able to actually migrate their current configuration to one that has the same semantics.

Otherwise we could just remove the ensure* options and tell everybody that this is state that has to be managed by hand.

Having it be in the configuration makes it easier to e.g: redeploy from a backup. And it isn't really any harder to make it so the new option can accommodate existing setups for migration.

Well, in practice, anyone saying this should probably look into fixing properly ensure options but I didn't find a lot of folks wanting to work on that yet and most people tend to do very partial proposals, see #206467, NixOS/rfcs#155.

I would be willing to hand hold someone who is willing to make a dent to this complicated class of problems but there is a long term and a short term. Short term is that people didn't maintain ensure options enough and we are in the situation where they are too broken for us to offer sane guarantees and reinvent them on a short notice. Long term is that we should reintroduce them while thinking at the big picture and by bringing proper engineering to those problems.

It is unfortunate, I like them too, but we cannot play around with data safety of databases, our users are the type of not doing backups and pushing the risk on "well you were supposed to have backups" doesn't seem an acceptable tradeoff IMHO.

The goal here is to drop sufficient options to have a workable ecosystem, if you believe you can re-introduce ensurePermissions with enough testing and proper stuff, please send such a PR, but be mindful of the engineering we need to test it properly.

[RaitoBezarius]

You don't need to migrate existing systems, just remove ensureUsers and ensurePermissions. The removal of those options is ignored (part of why they're broken in the first place).

I kind of disagree, if possible we should make it so people are able to actually migrate their current configuration to one that has the same semantics.

Also, the right way to do this in such situation is to provide the equivalent snippet of code to do it, people who are expert enough with PostgreSQL very much knows how to use initialScript to perform the equivalent of an ensurePermissions, leaving users who doesn't know how to use PostgreSQL vulnerable.

We don't have silver bullets for those users, normally, the community would have worked towards solution in time to avoid this scenario.

From a release management perspective, what I see is the following:

• Users who knows PostgreSQL are fine albeit maybe a bit annoyed they have to do manual things now
• Users who doesn't know PostgreSQL either:
  • are installing a new machine and pick up a tutorial mentioning those directives → they don't exist anymore, they are confused and ragequit/are not happy about NixOS
  • are upgrading to this new version of NixOS → they don't exist anymore but we tell them to just remove the directives and it will work because they already installed the database and we warn them of migrating if they rely on those expressions.

Can we make this better in time for the branch-off?

From my POV, documentation, release notes and snippets to migrate away simple cases can be provided, but I don't believe we should offer an automatic solution because we cannot apply engineering practices to stabilize it in time for the branch-off, it is too late.

So I am in favor of:

• using mkRemovedOption on it, pointing at some documentation explaining how to migrate
• write a blurb in unstable
• write a blurb in release notes for 23.11
• write documentation in the manual on how to perform permission bestowing using initialScript
• offer to anyone who is unhappy about that to do better for 24.05 and re-introduce it

Keeping it as a deprecated option does not seem useful to me because it is broken at the moment and no one offered a fix for it. Keeping a broken deprecated option seems weird to me, you can just remove it and fix it this way. Also, it forces people to take ownership of their convergence logic for their databases via initialScript.

In an ideal world, someone would have written tool I asked for multiple years that is to offer automatic ways to migrate deprecation / removals by new snippets, but it doesn't exist so users will have to do it manually, that's unfortunate but I hope I won't do it by myself someday :P.

[bendlas]

Just FWIW, if we don't merge something, we will merge a broken set of NixOS modules w.r.t. to the new Postgres release

Oh, right, there was that (been a long week, sorry) .... for the record, I'm still in favor of just downgrading to 14 for this release, as per #262741 (review), to buy us more time to figure it out

• merge this (to not block anyone wishing to update to postgres 15), but leave the existing options alone for now, for anyone stuck on 14. To me that sounds like it could minimize the collateral damage ..

do you find this agreeable if we revert #254268? cc @nbdd0121 @thoughtpolice @yu-re-ka

[nbdd0121]

do you find this agreeable if we revert #254268?

A full revert (including downgrade all packages depending on libpq), or just revert the nixos module part? Would

-base = if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
+base = if versionAtLeast config.system.stateVersion "24.05" then pkgs.postgresql_15

be sufficient?

(In an ideal world where we have #61580 then we can just revert the postgresql version without mass rebuild)

[ambroisie]

Well, in practice, anyone saying this should probably look into fixing properly ensure options but I didn't find a lot of folks wanting to work on that yet and most people tend to do very partial proposals, see #206467, NixOS/rfcs#155.

Sorry, I didn't mean to imply that the proper fix is easy. I agree with you that there is a lot of work to be done in this area if we want a full-featured system.

Short term is that people didn't maintain ensure options enough and we are in the situation where they are too broken for us to offer sane guarantees and reinvent them on a short notice.

I don't think we need to re-invent them, approaches like this MR are good enough IMO to tide us over with the v15 update.

pushing the risk on "well you were supposed to have backups" doesn't seem an acceptable tradeoff IMHO.

👍

The goal here is to drop sufficient options to have a workable ecosystem

👍

if you believe you can re-introduce ensurePermissions with enough testing and proper stuff, please send such a PR, but be mindful of the engineering we need to test it properly.

That's not what I meant to imply, sorry if that's how I came across. I totally respect the fact that this is a hard problem and needs more engineering for a proper solution.

I simply wanted to high-light a part of the analysis in this MR which led to a design that was more restrictive than seemed necessary IMO, when making it more open does not add much complexity to the module.

If this were to be merged in as-is, I think it would indeed be good enough for 99% of cases.

I also agree with your analysis for the upcoming release, I think this is probably the best we can do in that timeframe.

Once again, I apologize if I appeared dismissive, that was not my intention in commenting on this MR. Thank you everybody for trying to solve the issue.

[bendlas]

do you find this agreeable if we revert #254268?

A full revert (including downgrade all packages depending on libpq), or just revert the nixos module part? Would

-base = if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
+base = if versionAtLeast config.system.stateVersion "24.05" then pkgs.postgresql_15

be sufficient?

I believe that the issue only affects postgresql server, so a revert of the module default should be sufficient, since libpq is backwards compatible, right?

[icewind1991]

#287788 extends ensureDBOwnership to allow it to cover some more of the cases that could previously be handled with ensurePermissions.