- `pltcl` by exposing `tclPackages`

## JIT (Just-In-Time compilation) {#module-services-postgres-jit}

[JIT](https://www.postgresql.org/docs/current/jit-reason.html) support in the PostgreSQL package
is disabled by default because the LLVM dependency grows the closure size by roughly 600 MiB. It
can be enabled with the following config option:

```nix
{
  services.postgresql.enableJIT = true;
}
```

This makes sure that the [`jit`](https://www.postgresql.org/docs/current/runtime-config-query.html#GUC-JIT)-setting
is set to `on` and a PostgreSQL package with JIT enabled is used. Further tweaking of the JIT compiler, e.g. setting a different
query cost threshold via [`jit_above_cost`](https://www.postgresql.org/docs/current/runtime-config-query.html#GUC-JIT-ABOVE-COST)
can be done manually via [`services.postgresql.settings`](#opt-services.postgresql.settings).

The attribute-names of JIT-enabled PostgreSQL packages are suffixed with `_jit`, i.e. for each `pkgs.postgresql`
(and `pkgs.postgresql_<major>`) in `nixpkgs` there's also a `pkgs.postgresql_jit` (and `pkgs.postgresql_<major>_jit`).
Alternatively, a JIT-enabled variant can be derived from a given `postgresql` package via `postgresql.withJIT`.
This is also useful if it's not clear which attribute from `nixpkgs` was originally used (e.g. when working with
[`config.services.postgresql.package`](#opt-services.postgresql.package) or if the package was modified via an
overlay) since all modifications are propagated to `withJIT`. I.e.

```nix
with import <nixpkgs> {
  overlays = [
    (self: super: {
      postgresql = super.postgresql.overrideAttrs (_: { pname = "foobar"; });
    })
  ];
};
postgresql.withJIT.pname
```

evaluates to `"foobar"`.
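As an added example that is not part of the NixOS manual, the following configuration enables JIT and, via `services.postgresql.settings`, raises the cost thresholds so that only genuinely expensive query plans pay for LLVM compilation. The threshold values are illustrative assumptions, not recommended defaults; the option names are the upstream GUCs.

```nix
# Added example (not from nixpkgs): enable JIT and tune when it kicks in.
# The numeric thresholds below are assumptions for illustration only.
{ config, pkgs, ... }:
{
  services.postgresql = {
    enable = true;

    # Sets jit = on and swaps in the *_jit variant of the package
    # (equivalent to config.services.postgresql.package.withJIT).
    enableJIT = true;

    settings = {
      # Only JIT-compile plans whose estimated total cost exceeds this
      # (upstream default: 100000).
      jit_above_cost = 500000;
      # Inline small functions and operators only above this cost
      # (upstream default: 500000).
      jit_inline_above_cost = 1000000;
      # Run the expensive LLVM optimisation passes only above this cost
      # (upstream default: 500000).
      jit_optimize_above_cost = 1000000;
    };
  };
}
```

Note the trade-off with the hardening section: a JIT build must be able to write generated machine code and then execute it, so the module does not apply the W^X memory restriction to JIT-enabled setups. Enable JIT only where the query workload actually benefits from it.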

## Service hardening {#module-services-postgres-hardening}

The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses
several common hardening options from `systemd`, most notably:

* Memory pages must not be both writable and executable (`MemoryDenyWriteExecute`). This only applies to non-JIT setups, since the LLVM JIT has to write generated code and then execute it.
* A system call filter (see {manpage}`systemd.exec(5)` for details on the `@system-service` set).
* A stricter default UMask (`0027`).
* Only sockets of the address families `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` are allowed.
* Restricted filesystem access (private `/tmp`, most of the file-system hierarchy is mounted read-only, and only process directories in `/proc` that are owned by the same user are visible).
  * When using [`TABLESPACE`](https://www.postgresql.org/docs/current/manage-ag-tablespaces.html)s, make sure to add the filesystem paths to `ReadWritePaths` like this:
    ```nix
    {
      systemd.services.postgresql.serviceConfig.ReadWritePaths = [
        "/path/to/tablespace/location"
      ];
    }
    ```

The NixOS module also contains the adjustments needed for extensions from `nixpkgs`,
if these are enabled. If an extension or a PostgreSQL feature from `nixpkgs` breaks
under this hardening, it is considered a bug.

When using extensions that are not packaged in `nixpkgs`, additional hardening adjustments may
become necessary.
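The tablespace case above is the most common reason to loosen the filesystem restrictions. As an added example that is not part of the NixOS manual, the following configuration creates the tablespace directory with the ownership and mode PostgreSQL requires and adds exactly that path to `ReadWritePaths`, leaving the rest of the read-only hierarchy untouched. The path `/srv/postgresql/fast` is an assumption for illustration.

```nix
# Added example (not from nixpkgs): grant the hardened service write
# access to a single tablespace directory. The path is an assumption.
{ config, pkgs, ... }:
let
  # Keep the location in one place so the tmpfiles rule and the
  # sandbox exception cannot drift apart.
  tablespaceDir = "/srv/postgresql/fast";
in
{
  services.postgresql.enable = true;

  # Create the directory at boot, owned by the postgres user and not
  # readable by anyone else; PostgreSQL refuses tablespace directories
  # with looser permissions.
  systemd.tmpfiles.rules = [
    "d ${tablespaceDir} 0700 postgres postgres -"
  ];

  # Punch exactly one writable hole into the read-only filesystem view
  # instead of relaxing ProtectSystem for the whole service.
  systemd.services.postgresql.serviceConfig.ReadWritePaths = [
    tablespaceDir
  ];
}
```

After a rebuild the tablespace can be created as usual with `CREATE TABLESPACE fast LOCATION '/srv/postgresql/fast';`. Prefer narrow `ReadWritePaths` entries over disabling `ProtectSystem`, and check that the path is a real directory rather than a symlink into an area the sandbox is meant to keep read-only.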

## Notable differences to upstream {#module-services-postgres-upstream-deviation}

- To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.
