From 765effb242fe3020156fbe546928c56332f29466 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Fri, 1 Nov 2024 15:44:27 +0100 Subject: [PATCH] nixos/doc: mention postgresql hardening --- .../doc/manual/release-notes/rl-2411.section.md | 5 +++++ nixos/modules/services/databases/postgresql.md | 17 +++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 38274583d540e7..73faa31ce10724 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -602,6 +602,11 @@ - `iproute2` now has libbpf support. +- `postgresql` is now [hardened by default](#module-services-postgres-hardening) using the common `systemd` settings for that. + + If you use extensions that are not packaged in nixpkgs, please review whether it still works + with the current settings and adjust accordingly if needed. + - `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`. Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overriden by the `NIX_PATH` configuration variable. diff --git a/nixos/modules/services/databases/postgresql.md b/nixos/modules/services/databases/postgresql.md index 5108f040e96846..439a4a6dd6c606 100644 --- a/nixos/modules/services/databases/postgresql.md +++ b/nixos/modules/services/databases/postgresql.md 
@@ -364,6 +364,23 @@ postgresql.withJIT.pname evaluates to `"foobar"`. +## Service hardening {#module-services-postgres-hardening} + +The service created by the [`postgresql`-module](#opt-services.postgresql.enable) uses +several common hardening options from `systemd`, most notably: + +* Memory pages must not be both writable and executable (this only applies to non-JIT setups). +* A system call filter (see {manpage}`systemd.exec(5)` for details on `@system-service`). +* A stricter default UMask (`0027`). +* Only sockets of type `AF_INET`/`AF_INET6`/`AF_NETLINK`/`AF_UNIX` allowed. +* Restricted filesystem access (private `/tmp`, most of the file-system hierachy is mounted read-only, only process directories in `/proc` that are owned by the same user). + +Extensions from `nixpkgs` automatically adjust these settings if needed. If an extension +or a postgresql feature from `nixpkgs` breaks with hardening, it's considered a bug. + +When using extensions that are not packaged in `nixpkgs`, hardening adjustments may +become necessary. + ## Notable differences to upstream {#module-services-postgres-upstream-deviation} - To avoid circular dependencies between default and -dev outputs, the output of the `pg_config` system view has been removed.
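Review bot: In the release-notes hunk, the advice to "review whether it still works with the current settings and adjust accordingly" names no mechanism for adjusting, so an operator with an out-of-tree extension is left guessing; the linked manual section in the second hunk does not say either. Suggest stating that the relevant settings live in the service's unit and are overridden the usual way, e.g. "adjust them via `systemd.services.postgresql.serviceConfig` if needed", and that `systemctl show postgresql` lists the effective values. Minor grammar in the same lines: "extensions ... whether it still works" should read "whether they still work".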
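Review bot: The new "Service hardening" section says "hardening adjustments may become necessary" for extensions outside `nixpkgs` but not where those adjustments are made; a sentence pointing at the service's `serviceConfig` (NixOS `systemd.services.postgresql.serviceConfig`) would make the section actionable, and naming the systemd directive behind each bullet, as is already done for `@system-service`, would let readers match the list against `systemctl show postgresql`. Typo in the filesystem bullet: "hierachy" should be "hierarchy". For consistency with the rest of the file, "a postgresql feature" should probably be written "a PostgreSQL feature" or use the code-formatted `postgresql` as in the preceding sentence.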