unofficial mirror of guix-patches@gnu.org 
* [bug#64786] [PATCH]: services: databases: add option to specify UID / GID for the postgres user
From: Martin Baulig @ 2023-07-22  0:27 UTC
  To: 64786


[-- Attachment #1.1: Type: text/plain, Size: 478 bytes --]

Hello,

This is my first contribution to GNU Guix, and I hope this patch is in the correct format.

Attached is a small patch to gnu/services/databases.scm that adds an option to explicitly
specify the UID / GID for the postgres user, as well as an option not to create the service
account at all.

I added some documentation as well and provided detailed reasoning and background
in the commit message.

Hope this is useful and looking forward to hearing back from you,

Martin

[-- Attachment #2: 0001-services-databases-Add-option-to-specify-UID-GID-for.patch --]
[-- Type: application/octet-stream, Size: 4536 bytes --]

From ae2534f6cc8611483a11f7a934777a03bd194a27 Mon Sep 17 00:00:00 2001
From: Martin Baulig <martin@baulig.is>
Date: Mon, 17 Jul 2023 18:13:42 -0400
Subject: [PATCH] services: databases: Add option to specify UID / GID for
 postgres user.

Add 'createAccount?', 'uid' and 'gid' to <postgresql-configuration>.

Unlike other system daemons, the PostgreSQL data directory is typically
meant to persist across 'guix system reconfigure' and once created, you
don't want its UID or GID to change anymore.

Furthermore, if you want to place the data directory on a network share
and use NFSv4 with idmap, then the 'postgres' user must exist when the
'rpc.idmapd' daemon is launched; prior to mounting the share.  And it
needs to be possible to mount the share without configuring PostgreSQL.

With NFSv3, the UID and GID typically need to match those on the
server.

The added options allow for both of these scenarios:

You can either create the user in (operating-system (users)) completely
independently of the 'postgresql-service-type' (for instance to get your
NFS setup working first prior to configuring your databases) - or "pin"
its UID / GID values.
---
 doc/guix.texi              | 14 ++++++++++++++
 gnu/services/databases.scm | 37 +++++++++++++++++++++++++------------
 2 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 784114f0bb..1a6731a77b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -24053,6 +24053,20 @@ There is no need to add this field for contrib extensions such as hstore or
 dblink as they are already loadable by postgresql.  This field is only
 required to add extensions provided by other packages.
 
+@item @code{create-account?} (default: @code{#t})
+Whether or not the @code{postgres} user and group should be created.
+
+@item @code{uid} (default: @code{#f})
+Explicitly specify the UID of the @code{postgres} daemon account.
+You normally do not need to specify this, in which case a free UID will
+be automatically assigned.
+
+One situation where this option might be useful is if the @var{data-directory}
+is located on a mounted network share.
+
+@item @code{gid} (default: @code{#f})
+Explicitly specify the GID of the @code{postgres} group.
+
 @end table
 @end deftp
 
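Review bot: the 'create-account?' item only says "Whether or not the postgres user and group should be created" and leaves out what #f requires of the administrator. The commit log explains that the account is then declared separately in (operating-system (users)); the manual should say so, and should state that 'uid' and 'gid' have no effect in that case. The 'gid' item should say what happens when it is left at #f, as the 'uid' item does. Since the motivating case is a data directory on a network share, a sentence noting that pinned values need to match the ownership expected by the NFS server would help readers avoid a data directory owned by the wrong account. The added blank line before '@end table' can go.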
diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index b7bd1e587e..c9717acc5e 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -179,17 +179,30 @@ (define-record-type* <postgresql-configuration>
   (data-directory     postgresql-configuration-data-directory
                       (default "/var/lib/postgresql/data"))
   (extension-packages postgresql-configuration-extension-packages
-                      (default '())))
-
-(define %postgresql-accounts
-  (list (user-group (name "postgres") (system? #t))
-        (user-account
-         (name "postgres")
-         (group "postgres")
-         (system? #t)
-         (comment "PostgreSQL server user")
-         (home-directory "/var/empty")
-         (shell (file-append shadow "/sbin/nologin")))))
+                      (default '()))
+  (create-account?    postgresql-configuration-create-account?
+                      (default #t))
+  (uid                postgresql-configuration-uid
+                      (default #f))
+  (gid                postgresql-configuration-gid
+                      (default #f)))
+
+(define (create-postgresql-account config)
+  (match-record config <postgresql-configuration>
+    (create-account? uid gid)
+    (if (not create-account?) '()
+        (list (user-group
+               (name "postgres")
+               (id gid)
+               (system? #t))
+              (user-account
+               (name "postgres")
+               (group "postgres")
+               (system? #t)
+               (uid uid)
+               (comment "PostgreSQL server user")
+               (home-directory "/var/empty")
+               (shell (file-append shadow "/sbin/nologin")))))))
 
 (define (final-postgresql postgresql extension-packages)
   (if (null? extension-packages)
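Review bot: 'uid' and 'gid' go straight into (id gid) and (uid uid) in create-postgresql-account with no check, and both are silently dropped when 'create-account?' is #f. Please validate that each is either #f or a non-negative integer, and either reject or document the combination of a pinned value with 'create-account?' set to #f. Nothing here detects a pinned value that is already taken by another account, which matters because the point of the option is stable ownership of the data directory. Smaller points: '%postgresql-accounts' is removed, so check for remaining references elsewhere in the tree; (if (not create-account?) '() ...) reads more easily with the positive test first; and the commit log calls the field 'createAccount?' while the record field is 'create-account?'.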
@@ -325,7 +338,7 @@ (define postgresql-service-type
           (service-extension activation-service-type
                              postgresql-activation)
           (service-extension account-service-type
-                             (const %postgresql-accounts))
+                             create-postgresql-account)
           (service-extension
            profile-service-type
            (compose list postgresql-configuration-postgresql))))
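Review bot: with create-postgresql-account now able to return '(), the 'postgresql-activation' extension just above this change is the part to check, and this patch leaves it untouched. If activation refers to the "postgres" user, a configuration with 'create-account?' set to #f and no matching entry in (operating-system (users)) should fail with a clear message rather than partway through activation. The name 'create-postgresql-account' also suggests a side effect, while the procedure returns a list of account records; 'postgresql-accounts' would describe it better.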
-- 
2.40.0


* bug#64786: [PATCH]: services: databases: add option to specify UID / GID for the postgres user
From: Ludovic Courtès @ 2023-08-16 20:44 UTC
  To: Martin Baulig; +Cc: 64786-done

Hi Martin,

Martin Baulig <martin@baulig.is> wrote:

> From ae2534f6cc8611483a11f7a934777a03bd194a27 Mon Sep 17 00:00:00 2001
> From: Martin Baulig <martin@baulig.is>
> Date: Mon, 17 Jul 2023 18:13:42 -0400
> Subject: [PATCH] services: databases: Add option to specify UID / GID for
>  postgres user.
>
> Add 'createAccount?', 'uid' and 'gid' to <postgresql-configuration>.
>
> Unlike other system daemons, the PostgreSQL data directory is typically
> meant to persist across 'guix system reconfigure' and once created, you
> don't want its UID or GID to change anymore.
>
> Furthermore, if you want to place the data directory on a network share
> and use NFSv4 with idmap, then the 'postgres' user must exist when the
> 'rpc.idmapd' daemon is launched; prior to mounting the share.  And it
> needs to be possible to mount the share without configuring PostgreSQL.
>
> With NFSv3, the UID and GID typically need to match those on the
> server.
>
> The added options allow for both of these scenarios:
>
> You can either create the user in (operating-system (users)) completely
> independently of the 'postgresql-service-type' (for instance to get your
> NFS setup working first prior to configuring your databases) - or "pin"
> its UID / GID values.

This looks very useful.  I wish this situation could be handled in a more
automatic way somehow, but at least this patch lets admins handle it
“manually” as you write, and that’s a great improvement.

I expanded the commit log to match the conventions as noted in
<https://guix.gnu.org/manual/devel/en/html_node/Submitting-Patches.html>
and applied it.

Thank you, and welcome!

Ludo’.




Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
