services.postgresql.systemCallFilter
Configures the syscall filter for postgresql.service. The keys are
declarations for SystemCallFilter as described in systemd.exec(5).
The value is a boolean: true adds the attribute name to the syscall filter-set,
false doesn't. This is done to allow downstream configurations to turn off
restrictions made here. E.g. with
{
services.postgresql.systemCallFilter."~@resources" = false;
}
it's possible to remove the restriction on @resources (keep in mind that
@system-service implies @resources).
As described in the section for services.postgresql.systemCallFilter._name_.priority, the ordering matters. Hence, it's also possible to specify customizations with
{
services.postgresql.systemCallFilter = {
"foobar" = { enable = true; priority = 23; };
};
}
services.postgresql.systemCallFilter._name_.enable is the flag whether
or not it will be added to the SystemCallFilter of postgresql.service.
Settings with a higher priority are added after filter settings with a lower priority. Hence, syscall groups with a higher priority can discard declarations with a lower priority.
By default, syscall groups (i.e. attribute names starting with @) are added
before negated groups (i.e. ~@ as prefix) before syscall names
and negations.
- Type
attribute set of ((submodule) or boolean convertible to it)- Default
{ "@system-service" = true; "~@privileged" = true; "~@resources" = true; }- Declared
- <nixpkgs/nixos/modules/services/databases/postgresql.nix>