nixos/firefox-syncserver: add PostgreSQL backend support

Author: Titaniumtown

nixos/doc/manual/redirects.json

@@ -229,6 +229,9 @@
   "module-services-crab-hole-upstream-options": [
     "index.html#module-services-crab-hole-upstream-options"
   ],
+  "module-services-firefox-syncserver-database": [
+    "index.html#module-services-firefox-syncserver-database"
+  ],
   "module-services-firefox-syncserver-clients": [
     "index.html#module-services-firefox-syncserver-clients"
   ],

nixos/doc/manual/release-notes/rl-2605.section.md

@@ -245,6 +245,8 @@ See <https://github.com/NixOS/nixpkgs/issues/481673>.
 
 - IPVLAN interfaces can now be configured through the `networking.ipvlans` option in the networking module.
 
+- [](#opt-services.firefox-syncserver.database.type) has been added to allow choosing between MySQL/MariaDB (default) and PostgreSQL as the database backend for the Firefox Sync server.
+
 - `services.caddy` now supports setting `httpPort` and `httpsPort` and opening them in the firewall via `openFirewall`.
 
 - `boot.initrd.secrets` is now deprecated in favour of `boot.initrd.secretPaths` and `boot.initrd.extraSecretsHook`.

nixos/modules/services/networking/firefox-syncserver.md

@@ -32,6 +32,29 @@ This configuration should never be used in production. It is not encrypted and
 stores its secrets in a world-readable location.
 :::
 
+## Database backends {#module-services-firefox-syncserver-database}
+
+The sync server supports MySQL/MariaDB (the default) and PostgreSQL as database
+backends. Set `database.type` to choose the backend:
+
+```nix
+{
+  services.firefox-syncserver = {
+    enable = true;
+    database.type = "postgresql";
+    secrets = "/run/secrets/firefox-syncserver";
+    singleNode = {
+      enable = true;
+      hostname = "localhost";
+      url = "http://localhost:5000";
+    };
+  };
+}
+```
+
+When `database.createLocally` is `true` (the default), the module will
+automatically enable and configure the corresponding database service.
+
 ## More detailed setup {#module-services-firefox-syncserver-configuration}
 
 The `firefox-syncserver` service provides a number of options to make setting up

nixos/modules/services/networking/firefox-syncserver.nix

@@ -13,7 +13,21 @@ let
   defaultUser = "firefox-syncserver";
 
   dbIsLocal = cfg.database.host == "localhost";
-  dbURL = "mysql://${cfg.database.user}@${cfg.database.host}/${cfg.database.name}${lib.optionalString dbIsLocal "?socket=/run/mysqld/mysqld.sock"}";
+  dbIsMySQL = cfg.database.type == "mysql";
+  dbIsPostgreSQL = cfg.database.type == "postgresql";
+
+  dbURL =
+    if dbIsMySQL then
+      "mysql://${cfg.database.user}@${cfg.database.host}/${cfg.database.name}${lib.optionalString dbIsLocal "?socket=/run/mysqld/mysqld.sock"}"
+    else
+      "postgres://${cfg.database.user}@${cfg.database.host}/${cfg.database.name}${lib.optionalString dbIsLocal "?host=/run/postgresql"}";
+
+  # postgresql.target waits for postgresql-setup.service (which runs
+  # ensureDatabases / ensureUsers) to complete, avoiding race conditions
+  # where the syncserver starts before its database and role exist.
+  dbService = if dbIsMySQL then "mysql.service" else "postgresql.target";
+
+  syncserver = cfg.package.override { dbBackend = cfg.database.type; };
 
   format = pkgs.formats.toml { };
   settings = {
@@ -22,7 +36,7 @@ let
       database_url = dbURL;
     };
     tokenserver = {
-      node_type = "mysql";
+      node_type = if dbIsMySQL then "mysql" else "postgres";
       database_url = dbURL;
       fxa_email_domain = "api.accounts.firefox.com";
       fxa_oauth_server_url = "https://oauth.accounts.firefox.com/v1";
@@ -41,44 +55,75 @@ let
     };
   };
   configFile = format.generate "syncstorage.toml" (lib.recursiveUpdate settings cfg.settings);
-  setupScript = pkgs.writeShellScript "firefox-syncserver-setup" ''
-    set -euo pipefail
-    shopt -s inherit_errexit
-
-    schema_configured() {
-      mysql ${cfg.database.name} -Ne 'SHOW TABLES' | grep -q services
-    }
-
-    update_config() {
-      mysql ${cfg.database.name} <<"EOF"
-        BEGIN;
-
-        INSERT INTO `services` (`id`, `service`, `pattern`)
-          VALUES (1, 'sync-1.5', '{node}/1.5/{uid}')
-          ON DUPLICATE KEY UPDATE service='sync-1.5', pattern='{node}/1.5/{uid}';
-        INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`,
-                             `capacity`, `downed`, `backoff`)
-          VALUES (1, 1, '${cfg.singleNode.url}', ${toString cfg.singleNode.capacity},
-          0, ${toString cfg.singleNode.capacity}, 0, 0)
-          ON DUPLICATE KEY UPDATE node = '${cfg.singleNode.url}', capacity=${toString cfg.singleNode.capacity};
-
-        COMMIT;
-    EOF
-    }
 
-
-    for (( try = 0; try < 60; try++ )); do
-      if ! schema_configured; then
-        sleep 2
-      else
-        update_config
-        exit 0
-      fi
-    done
-
-    echo "Single-node setup failed"
-    exit 1
-  '';
+  setupScript =
+    let
+      dbSpecific =
+        if dbIsMySQL then
+          {
+            listTables = "mysql ${cfg.database.name} -Ne 'SHOW TABLES'";
+            execSql = "mysql ${cfg.database.name}";
+            upsertSql = ''
+              BEGIN;
+
+              INSERT INTO `services` (`id`, `service`, `pattern`)
+                VALUES (1, 'sync-1.5', '{node}/1.5/{uid}')
+                ON DUPLICATE KEY UPDATE service='sync-1.5', pattern='{node}/1.5/{uid}';
+              INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`,
+                                   `capacity`, `downed`, `backoff`)
+                VALUES (1, 1, '${cfg.singleNode.url}', ${toString cfg.singleNode.capacity},
+                0, ${toString cfg.singleNode.capacity}, 0, 0)
+                ON DUPLICATE KEY UPDATE node = '${cfg.singleNode.url}', capacity=${toString cfg.singleNode.capacity};
+
+              COMMIT;
+            '';
+          }
+        else
+          {
+            listTables = "psql -d ${cfg.database.name} -tAc \"SELECT EXISTS (SELECT FROM information_schema.tables WHERE table_name = 'services')\"";
+            execSql = "psql -d ${cfg.database.name}";
+            upsertSql = ''
+              BEGIN;
+
+              INSERT INTO services (id, service, pattern)
+                VALUES (1, 'sync-1.5', '{node}/1.5/{uid}')
+                ON CONFLICT (id) DO UPDATE SET service = 'sync-1.5', pattern = '{node}/1.5/{uid}';
+              INSERT INTO nodes (id, service, node, available, current_load,
+                                 capacity, downed, backoff)
+                VALUES (1, 1, '${cfg.singleNode.url}', ${toString cfg.singleNode.capacity},
+                0, ${toString cfg.singleNode.capacity}, 0, 0)
+                ON CONFLICT (id) DO UPDATE SET node = '${cfg.singleNode.url}', capacity = ${toString cfg.singleNode.capacity};
+
+              COMMIT;
+            '';
+          };
+    in
+    pkgs.writeShellScript "firefox-syncserver-setup" ''
+      set -euo pipefail
+      shopt -s inherit_errexit
+
+      schema_configured() {
+        ${dbSpecific.listTables} | grep -q services
+      }
+
+      update_config() {
+        ${dbSpecific.execSql} <<'EOF'
+      ${dbSpecific.upsertSql}
+      EOF
+      }
+
+      for (( try = 0; try < 60; try++ )); do
+        if ! schema_configured; then
+          sleep 2
+        else
+          update_config
+          exit 0
+        fi
+      done
+
+      echo "Single-node setup failed"
+      exit 1
+    '';
 in
 
 {
@@ -88,25 +133,26 @@ in
         the Firefox Sync storage service.
 
         Out of the box this will not be very useful unless you also configure at least
-        one service and one nodes by inserting them into the mysql database manually, e.g.
-        by running
-
-        ```
-          INSERT INTO `services` (`id`, `service`, `pattern`) VALUES ('1', 'sync-1.5', '{node}/1.5/{uid}');
-          INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`,
-              `capacity`, `downed`, `backoff`)
-            VALUES ('1', '1', 'https://mydomain.tld', '1', '0', '10', '0', '0');
-        ```
+        one service and one nodes by inserting them into the database manually, e.g.
+        by running the equivalent SQL for your database backend.
 
         {option}`${opt.singleNode.enable}` does this automatically when enabled
       '';
 
       package = lib.mkPackageOption pkgs "syncstorage-rs" { };
 
+      database.type = lib.mkOption {
+        type = lib.types.enum [
+          "mysql"
+          "postgresql"
+        ];
+        default = "mysql";
+        description = ''
+          Which database backend to use for storage.
+        '';
+      };
+
       database.name = lib.mkOption {
-        # the mysql module does not allow `-quoting without resorting to shell
-        # escaping, so we restrict db names for forward compaitiblity should this
-        # behavior ever change.
         type = lib.types.strMatching "[a-z_][a-z0-9_]*";
         default = defaultDatabase;
         description = ''
@@ -117,9 +163,15 @@ in
 
       database.user = lib.mkOption {
         type = lib.types.str;
-        default = defaultUser;
+        default = if dbIsPostgreSQL then defaultDatabase else defaultUser;
+        defaultText = lib.literalExpression ''
+          if database.type == "postgresql" then "${defaultDatabase}" else "${defaultUser}"
+        '';
         description = ''
-          Username for database connections.
+          Username for database connections.  When using PostgreSQL with
+          `createLocally`, this defaults to the database name so that
+          `ensureDBOwnership` works (it requires user and database names
+          to match).
         '';
       };
 
@@ -137,7 +189,8 @@ in
         default = true;
         description = ''
           Whether to create database and user on the local machine if they do not exist.
-          This includes enabling unix domain socket authentication for the configured user.
+          This includes enabling the configured database service and setting up
+          authentication for the configured user.
         '';
       };
 
@@ -237,7 +290,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    services.mysql = lib.mkIf cfg.database.createLocally {
+    services.mysql = lib.mkIf (cfg.database.createLocally && dbIsMySQL) {
       enable = true;
       ensureDatabases = [ cfg.database.name ];
       ensureUsers = [
@@ -250,16 +303,27 @@ in
       ];
     };
 
+    services.postgresql = lib.mkIf (cfg.database.createLocally && dbIsPostgreSQL) {
+      enable = true;
+      ensureDatabases = [ cfg.database.name ];
+      ensureUsers = [
+        {
+          name = cfg.database.user;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
     systemd.services.firefox-syncserver = {
       wantedBy = [ "multi-user.target" ];
-      requires = lib.mkIf dbIsLocal [ "mysql.service" ];
-      after = lib.mkIf dbIsLocal [ "mysql.service" ];
+      requires = lib.mkIf dbIsLocal [ dbService ];
+      after = lib.mkIf dbIsLocal [ dbService ];
       restartTriggers = lib.optional cfg.singleNode.enable setupScript;
       environment.RUST_LOG = cfg.logLevel;
       serviceConfig = {
-        User = defaultUser;
-        Group = defaultUser;
-        ExecStart = "${cfg.package}/bin/syncserver --config ${configFile}";
+        User = cfg.database.user;
+        Group = cfg.database.user;
+        ExecStart = "${syncserver}/bin/syncserver --config ${configFile}";
         EnvironmentFile = lib.mkIf (cfg.secrets != null) "${cfg.secrets}";
 
         # hardening
@@ -303,10 +367,19 @@ in
 
     systemd.services.firefox-syncserver-setup = lib.mkIf cfg.singleNode.enable {
       wantedBy = [ "firefox-syncserver.service" ];
-      requires = [ "firefox-syncserver.service" ] ++ lib.optional dbIsLocal "mysql.service";
-      after = [ "firefox-syncserver.service" ] ++ lib.optional dbIsLocal "mysql.service";
-      path = [ config.services.mysql.package ];
-      serviceConfig.ExecStart = [ "${setupScript}" ];
+      requires = [ "firefox-syncserver.service" ] ++ lib.optional dbIsLocal dbService;
+      after = [ "firefox-syncserver.service" ] ++ lib.optional dbIsLocal dbService;
+      path =
+        if dbIsMySQL then [ config.services.mysql.package ] else [ config.services.postgresql.package ];
+      serviceConfig = {
+        ExecStart = [ "${setupScript}" ];
+      }
+      // lib.optionalAttrs dbIsPostgreSQL {
+        # PostgreSQL peer authentication requires the system user to match the
+        # database user. Run as the superuser so we can access all databases.
+        User = "postgres";
+        Group = "postgres";
+      };
     };
 
     services.nginx.virtualHosts = lib.mkIf cfg.singleNode.enableNginx {

nixos/tests/all-tests.nix

@@ -584,7 +584,7 @@ in
     imports = [ ./firefox.nix ];
     _module.args.firefoxPackage = pkgs.firefox-esr-140;
   };
-  firefox-syncserver = runTest ./firefox-syncserver.nix;
+  firefox-syncserver = discoverTests (import ./firefox-syncserver.nix);
   firefox_decrypt = runTest ./firefox_decrypt.nix;
   firefoxpwa = runTest ./firefoxpwa.nix;
   firejail = runTest ./firejail.nix;