nixos/postgresql: enable sandbox mode

[Izorkin]

Motivation for this change

Running postgresql service in sandbox mode.
Minimal testing.

cc @aanderse @flokli

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[aszlig]

Minimal testing.

I think we should especially test this with a few extensions (eg. postgis) and involve a few more folks using PostgreSQL before merging this, because reverting this on a per-config basis will be a bit more involved with all the options set.

[aszlig]

Did you try the systemd.services.*.confinement options instead? I'm asking because one of the main targets of that module was PostgreSQL and it's also more strict that ProtectSystem because it only contains runtime closure necessary for running PostgreSQL.

[Izorkin]

Have not tried. Don't know how to use systemd.services.*.confinement.

[aszlig]

If that's the case, we should fix the test and not the other way around. One of the reasons why we've switched to /run/postgresql is because it makes sandboxing more difficult as outlined in #57677.

[Izorkin]

Now there is no idea how to fix the test.

[stale]

I marked this as stale due to inactivity. → More info

[wolfgangwalther]

Closing, because #344925 has been merged.