diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 19537b8ea3c9..63a981fded03 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -627,14 +627,14 @@ in
       # Hardening
       CapabilityBoundingSet = [ "" ];
       DevicePolicy = "closed";
-      PrivateTmp = false; #breaks wal-receiver test
+      PrivateTmp = true;
       ProtectHome = true;
       ProtectSystem = "strict";
       MemoryDenyWriteExecute = true;
       NoNewPrivileges = true;
       LockPersonality = true;
       PrivateDevices = true;
-      PrivateMounts = false; # breaks wal-receiver test
+      PrivateMounts = true;
       ProcSubset = "pid";
       ProtectClock = true;
       ProtectControlGroups = true;
diff --git a/nixos/tests/postgresql-wal-receiver.nix b/nixos/tests/postgresql-wal-receiver.nix
index ab2ab4ad0d4f..a984f73c2be5 100644
--- a/nixos/tests/postgresql-wal-receiver.nix
+++ b/nixos/tests/postgresql-wal-receiver.nix
@@ -22,8 +22,8 @@ let
   replicationUser = "wal_receiver_user";
   replicationSlot = "wal_receiver_slot";
   replicationConn = "postgresql://${replicationUser}@localhost";
-  baseBackupDir = "/tmp/pg_basebackup";
-  walBackupDir = "/tmp/pg_wal";
+  baseBackupDir = "/var/cache/wals/pg_basebackup";
+  walBackupDir = "/var/cache/wals/pg_wal";
 
   recoveryFile = pkgs.writeTextDir "recovery.signal" "";
 
@@ -32,6 +32,10 @@ let
   meta.maintainers = with lib.maintainers; [ pacien ];
 
   nodes.machine = { ... }: {
+    systemd.tmpfiles.rules = [
+      "d /var/cache/wals 0750 postgres postgres - -"
+    ];
+
     services.postgresql = {
       package = pkg;
       enable = true;
@@ -60,6 +64,7 @@ let
     # This is only to speedup test, it isn't time racing. Service is set to autorestart always,
     # default 60sec is fine for real system, but is too much for a test
     systemd.services.postgresql-wal-receiver-main.serviceConfig.RestartSec = lib.mkForce 5;
+    systemd.services.postgresql.serviceConfig.ReadWritePaths = [ "/var/cache/wals" ];
   };
 
   testScript = ''
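Review bot: Dropping the two `# breaks wal-receiver test` comments removes the only record of why `PrivateTmp` and `PrivateMounts` had been left off, and nothing in this hunk notes that the constraint was moved into the test (which now writes under /var/cache/wals instead of /tmp). A one-line comment above `PrivateTmp = true;` such as `# /tmp is now private to the unit: anything postgres writes there (e.g. an archive_command target) is invisible to other processes` would keep that visible to operators whose own configuration still points at /tmp, who would presumably hit the same breakage the test did before this change. The `serviceConfig` attribute set this hunk belongs to starts and ends outside the hunk.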
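Review bot: The added `ReadWritePaths` line is the only write exception to the unit's `ProtectSystem = "strict"`, yet it is declared far from the tmpfiles rule in the previous hunk that creates `/var/cache/wals`, and nothing says which process needs to write there or why. A comment on the new line, `# the hardened postgresql unit (ProtectSystem=strict) must write into the tmpfiles-created backup dir`, would make the grant reviewable next to the paths it protects. It is also worth confirming that `postgresql-wal-receiver-main`, which presumably populates `walBackupDir`, does not need the same path if that unit carries sandboxing options of its own; that is not visible in this diff. The enclosing `nodes.machine` attribute set starts outside the hunk.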