nixos/postgresql: create infrastructure for relaxing systemd hardening

By matching on the package names of the plugins passed into the package
we can relax the systemd unit hardening as needed.

nixos/modules/services/databases/postgresql.nix

@@ -2,6 +2,7 @@
 
 let
   inherit (lib)
+    any
     attrValues
     concatMapStrings
     concatStringsSep
@@ -9,6 +10,7 @@ let
     elem
     escapeShellArgs
     filterAttrs
+    getName
     isString
     literalExpression
     mapAttrs
@@ -30,19 +32,19 @@ let
 
   cfg = config.services.postgresql;
 
-  postgresql =
+  # ensure that
-    let
+  #   services.postgresql = {
-      # ensure that
+  #     enableJIT = true;
-      #   services.postgresql = {
+  #     package = pkgs.postgresql_<major>;
-      #     enableJIT = true;
+  #   };
-      #     package = pkgs.postgresql_<major>;
+  # works.
-      #   };
+  basePackage = if cfg.enableJIT
-      # works.
+    then cfg.package.withJIT
-      base = if cfg.enableJIT then cfg.package.withJIT else cfg.package.withoutJIT;
+    else cfg.package.withoutJIT;
-    in
+
-    if cfg.extensions == []
+  postgresql = if cfg.extensions == []
-      then base
+    then basePackage
-      else base.withPackages cfg.extensions;
+    else basePackage.withPackages cfg.extensions;
 
   toStr = value:
     if true == value then "yes"
@@ -59,6 +61,9 @@ let
   '';
 
   groupAccessAvailable = versionAtLeast postgresql.version "11.0";
+
+  extensionNames = map getName postgresql.installedExtensions;
+  extensionInstalled = extension: elem extension extensionNames;
 in
 
 {
@@ -630,7 +635,7 @@ in
             PrivateTmp = true;
             ProtectHome = true;
             ProtectSystem = "strict";
-            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off");
+            MemoryDenyWriteExecute = lib.mkDefault (cfg.settings.jit == "off" && (!any extensionInstalled [ "plv8" ]));
             NoNewPrivileges = true;
             LockPersonality = true;
             PrivateDevices = true;
@@ -654,10 +659,12 @@ in
             RestrictRealtime = true;
             RestrictSUIDSGID = true;
             SystemCallArchitectures = "native";
-            SystemCallFilter = [
+            SystemCallFilter =
-              "@system-service"
+              [
-              "~@privileged @resources"
+                "@system-service"
-            ];
+                "~@privileged @resources"
+              ]
+              ++ lib.optionals (any extensionInstalled [ "plv8" ]) [ "@pkey" ];
             UMask = if groupAccessAvailable then "0027" else "0077";
           }
           (mkIf (cfg.dataDir != "/var/lib/postgresql") {

pkgs/servers/sql/postgresql/generic.nix

@@ -323,25 +323,33 @@ let
     };
   });
 
-  postgresqlWithPackages = { postgresql, buildEnv }: f: buildEnv {
+  postgresqlWithPackages = { postgresql, buildEnv }: f: let
+    installedExtensions = f postgresql.pkgs;
+  in buildEnv {
     name = "${postgresql.pname}-and-plugins-${postgresql.version}";
-    paths = f postgresql.pkgs ++ [
+    paths = installedExtensions ++ [
         postgresql
         postgresql.man   # in case user installs this into environment
     ];
 
     pathsToLink = ["/"];
 
-    passthru.version = postgresql.version;
+    passthru = {
-    passthru.psqlSchema = postgresql.psqlSchema;
+      inherit installedExtensions;
-    passthru.withJIT = postgresqlWithPackages {
+      inherit (postgresql)
-      inherit buildEnv;
+        psqlSchema
-      postgresql = postgresql.withJIT;
+        version
-    } f;
+      ;
-    passthru.withoutJIT = postgresqlWithPackages {
+
-      inherit buildEnv;
+      withJIT = postgresqlWithPackages {
-      postgresql = postgresql.withoutJIT;
+        inherit buildEnv;
-    } f;
+        postgresql = postgresql.withJIT;
+      } f;
+      withoutJIT = postgresqlWithPackages {
+        inherit buildEnv;
+        postgresql = postgresql.withoutJIT;
+      } f;
+    };
   };
 
 in