nixos/doc: mention postgresql hardening

nixos/modules/services/databases/postgresql.md

@@ -364,6 +364,24 @@ postgresql.withJIT.pname
 
 evaluates to `"foobar"`.
 
+## Service hardening {#module-services-postgres-hardening}
+
+The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses
+several common hardening options from `systemd`, most notably:
+
+* Memory pages must not be both writable and executable (this only applies to non-JIT setups).
+* A system call filter (see {manpage}`systemd.exec(5)` for details on `@system-service`).
+* A stricter default UMask (`0027`).
+* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed.
+* Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user).
+
+The NixOS module also contains necessary adjustments for extensions from `nixpkgs`
+if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
+with hardening, it's considered a bug.
+
+When using extensions that are not packaged in `nixpkgs`, hardening adjustments may
+become necessary.
+
 ## Notable differences to upstream {#module-services-postgres-upstream-deviation}
 
 - To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.