From: Tomas Volf <~@wolfsden.cz>
To: 77413@debbugs.gnu.org
Date: Mon, 31 Mar 2025 21:25:55 +0200
Subject: [bug#77413] [PATCH] services: postgresql-service-type: Allow allowing to log into the user.

It is often useful to be able to use the `postgres' user for management tasks, so this commit allows setting that. The default behavior is not changed.

I have also added missing exports and sorted them by alphabet.

* gnu/services/databases.scm (%default-home-directory): New variable.
(): Add home-directory, allow-login? fields.
(create-postgresql-account): Use them.
* doc/guix.texi (Database Services): Document it.

Change-Id: I2212e5082ff4e87c49a5a8a4711bf929dd08626a
Reviewed-by: Maxim Cournoyer
---
doc/guix.texi | 17 ++++++++++++-----
gnu/services/databases.scm | 31 +++++++++++++++++++++++--------
2 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi index cb4c1b2430..a152a9623e 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27523,11 +27523,11 @@ Database Services restart the service. Peer authentication is used by default and the @code{postgres} user -account has no shell, which prevents the direct execution of @code{psql} -commands as this user. To use @code{psql}, you can temporarily log in -as @code{postgres} using a shell, create a PostgreSQL superuser with the -same name as one of the system users and then create the associated -database. +account has no shell (unless @code{allow-login?} is @code{#t}), which +prevents the direct execution of @code{psql} commands as this user. To +use @code{psql}, you can temporarily log in as @code{postgres} using a +shell, create a PostgreSQL superuser with the same name as one of the +system users and then create the associated database. @example sudo -u postgres -s /bin/sh @@ -27606,6 +27606,13 @@ Database Services @item @code{create-account?} (default: @code{#t}) Whether or not the @code{postgres} user and group should be created. +@item @code{allow-login?} (default: @code{#f}) +Whether or not to allow login into the created account. + +@item @code{home-directory} (default: @code{"/var/empty"}) +The home directory of the user. It is strongly advised to change this +if you set @code{allow-login?} to @code{#t}. + @item @code{uid} (default: @code{#f}) Explicitly specify the UID of the @code{postgres} daemon account. You normally do not need to specify this, in which case a free UID will diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm index 6d80376d90..b45aad2c0b 100644 --- a/gnu/services/databases.scm +++ b/gnu/services/databases.scm 
@@ -51,13 +51,18 @@ (define-module (gnu services databases) postgresql-configuration postgresql-configuration? - postgresql-configuration-postgresql - postgresql-configuration-port - postgresql-configuration-locale - postgresql-configuration-file - postgresql-configuration-log-directory + postgresql-configuration-allow-login? + postgresql-configuration-create-account? postgresql-configuration-data-directory postgresql-configuration-extension-packages + postgresql-configuration-file + postgresql-configuration-gid + postgresql-configuration-home-directory + postgresql-configuration-locale + postgresql-configuration-log-directory + postgresql-configuration-port + postgresql-configuration-postgresql + postgresql-configuration-uid postgresql-service postgresql-service-type @@ -164,6 +169,8 @@ (define-gexp-compiler (postgresql-config-file-compiler port))) #:local-build? #t)))) +(define %default-home-directory "/var/empty") + (define-record-type* postgresql-configuration make-postgresql-configuration postgresql-configuration? @@ -186,6 +193,10 @@ (define-record-type* (default '())) (create-account? postgresql-configuration-create-account? (default #t)) + (home-directory postgresql-configuration-home-directory + (default %default-home-directory)) + (allow-login? postgresql-configuration-allow-login? + (default #f)) (uid postgresql-configuration-uid (default #f)) (gid postgresql-configuration-gid @@ -193,7 +204,7 @@ (define-record-type* (define (create-postgresql-account config) (match-record config - (create-account? uid gid) + (create-account? allow-login? home-directory uid gid) (if (not create-account?) '() (list (user-group (name "postgres") 
@@ -205,8 +216,12 @@ (define (create-postgresql-account config) (system? #t) (uid uid) (comment "PostgreSQL server user") - (home-directory "/var/empty") - (shell (file-append shadow "/sbin/nologin"))))))) + (create-home-directory? + (not (string=? home-directory %default-home-directory))) + (home-directory home-directory) + (shell (if allow-login? + ((@ (gnu system accounts) default-shell)) + (file-append shadow "/sbin/nologin")))))))) (define (final-postgresql postgresql extension-packages) (if (null? extension-packages)
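Review bot: In the doc/guix.texi hunk at @@ -27523, the parenthetical "(unless @code{allow-login?} is @code{#t})" is dropped into the middle of the sentence, so the paragraph still reads as if the "sudo -u postgres -s /bin/sh" workaround is needed in both configurations. Suggest two sentences: one for the default (no shell, use the workaround shown in the example) and one stating that with allow-login? set to #t the account has a shell and psql can be run as postgres directly.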
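Review bot: In the doc/guix.texi hunk at @@ -27606, the home-directory entry says changing it is "strongly advised" when allow-login? is #t but gives no reason, and nothing tells the reader that the directory is only created when the value differs from "/var/empty" (the create-home-directory? expression in gnu/services/databases.scm). The allow-login? entry should also say what it actually changes, namely that the account's shell switches from nologin to the default shell. Since the paragraph above states that peer authentication is the default, one more sentence noting that a shell on this account gives direct psql access as postgres would let administrators weigh the option before enabling it.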
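Review bot: In the export list of gnu/services/databases.scm (@@ -51), the alphabetical re-sort and the previously missing exports (create-account?, gid, uid) are interleaved with the two accessors this feature adds, so the hunk shows five removals and twelve additions for what is functionally two new names. Consider moving the sort and the missing exports into a preparatory commit, leaving this one to add only postgresql-configuration-allow-login? and postgresql-configuration-home-directory.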
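Review bot: In create-postgresql-account (@@ -205), create-home-directory? is inferred from a string=? comparison against %default-home-directory, so the two new fields are not checked against each other: allow-login? set to #t with the default home silently yields a login shell whose home is "/var/empty", which is exactly the combination the documentation advises against. Suggest either emitting a warning or raising an error for that combination, or documenting the inference next to the expression with a comment. Separately, the shell is obtained through an inline "((@ (gnu system accounts) default-shell))"; unless there is a reason to avoid the import, adding (gnu system accounts) to the module's #:use-module list and calling (default-shell) would match the rest of the file.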