Home Explore Blog Models CI



nixpkgs
7th chunk of `nixos/modules/services/databases/postgresql.md`
28c3252654a186f7a5de2ee80738f1844866ee1175c1cc400000000100000db2
    pgps: with pgps; [ (plpython3.withPackages (pyps: with pyps; [ base58 ])) ];
}
```

This currently works for:
- `plperl` by re-using `perl.withPackages`
- `plpython3` by re-using `python3.withPackages`
- `plr` by exposing `rPackages`
- `pltcl` by exposing `tclPackages`

## JIT (Just-In-Time compilation) {#module-services-postgres-jit}

[JIT](https://www.postgresql.org/docs/current/jit-reason.html)-support in the PostgreSQL package
is disabled by default because of the ~600MiB closure-size increase from the LLVM dependency. It
can be optionally enabled in PostgreSQL with the following config option:

```nix
{ services.postgresql.enableJIT = true; }
```

This makes sure that the [`jit`](https://www.postgresql.org/docs/current/runtime-config-query.html#GUC-JIT)-setting
is set to `on` and a PostgreSQL package with JIT enabled is used. Further tweaking of the JIT compiler, e.g. setting a different
query cost threshold via [`jit_above_cost`](https://www.postgresql.org/docs/current/runtime-config-query.html#GUC-JIT-ABOVE-COST)
can be done manually via [`services.postgresql.settings`](#opt-services.postgresql.settings).

The attribute-names of JIT-enabled PostgreSQL packages are suffixed with `_jit`, i.e. for each `pkgs.postgresql`
(and `pkgs.postgresql_<major>`) in `nixpkgs` there's also a `pkgs.postgresql_jit` (and `pkgs.postgresql_<major>_jit`).
Alternatively, a JIT-enabled variant can be derived from a given `postgresql` package via `postgresql.withJIT`.
This is also useful if it's not clear which attribute from `nixpkgs` was originally used (e.g. when working with
[`config.services.postgresql.package`](#opt-services.postgresql.package) or if the package was modified via an
overlay) since all modifications are propagated to `withJIT`. I.e.

```nix
with import <nixpkgs> {
  overlays = [
    (self: super: {
      postgresql = super.postgresql.overrideAttrs (_: {
        pname = "foobar";
      });
    })
  ];
};
postgresql.withJIT.pname
```

evaluates to `"foobar"`.

## Service hardening {#module-services-postgres-hardening}

The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses
several common hardening options from `systemd`, most notably:

* Memory pages must not be both writable and executable (this only applies to non-JIT setups).
* A system call filter (see {manpage}`systemd.exec(5)` for details on `@system-service`).
* A stricter default UMask (`0027`).
* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed.
* Restricted filesystem access (private `/tmp`, most of the file-system hierarchy is mounted read-only, only process directories in `/proc` that are owned by the same user).
  * When using [`TABLESPACE`](https://www.postgresql.org/docs/current/manage-ag-tablespaces.html)s, make sure to add the filesystem paths to `ReadWritePaths` like this:
    ```nix
    {
      systemd.services.postgresql.serviceConfig.ReadWritePaths = [ "/path/to/tablespace/location" ];
    }
    ```

The NixOS module also contains necessary adjustments for extensions from `nixpkgs`,
if these are enabled. If an extension or a postgresql feature from `nixpkgs` breaks
with hardening, it's considered a bug.

When using extensions that are not packaged in `nixpkgs`, hardening adjustments may
become necessary.

## Notable differences to upstream {#module-services-postgres-upstream-deviation}

- To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.
Title: NixOS PostgreSQL: Procedural Language Packages, JIT Configuration, Service Hardening, and Upstream Deviations
Summary
This chunk continues by listing the procedural languages that support including language-specific packages via `withPackages` (plperl, plpython3, plr, pltcl). It then details Just-In-Time (JIT) compilation for PostgreSQL, explaining that it's disabled by default due to LLVM's size but can be enabled with `services.postgresql.enableJIT = true;`, with options for further tuning. JIT-enabled packages are suffixed with `_jit` or can be derived using `postgresql.withJIT`, which preserves modifications. The text also covers service hardening, highlighting `systemd` options applied to the PostgreSQL service for security, such as restricted memory pages, syscall filters, and filesystem access. It notes that `TABLESPACE` paths must be added to `ReadWritePaths` for hardening. Finally, it mentions a notable deviation from upstream PostgreSQL: the removal of `pg_config` system view output to prevent circular dependencies.