| author | soyouzpanda <soyouzpanda@soyouzpanda.fr> | 2025-12-23 19:50:04 +0100 |
|---|---|---|
| committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2026-01-17 13:35:13 +0000 |
| commit | 39ed292cad529d5e640451f6d0c8606980b17870 (patch) | |
| tree | de3bc372ec4c936aceed765ea89c2e6141ecb06a | |
| parent | 886e6276837a9e2120e59100276adc66c6166734 (diff) | |
nixos/lasuite-docs: add systemd service to create postgresql unaccent
function
It is unsafe for a non-superadmin user to create a C function
in postgresql, so we need to create the function via the
superadmin postgres user. This function (immutable unaccent) is
needed by lasuite-docs since 4.2.0 and is used to search for keys
without accents.
https://github.com/suitenumerique/docs/releases/tag/v4.2.0
https://github.com/suitenumerique/docs/compare/v4.1.0...v4.2.0
(cherry picked from commit cdfc90c4e5b56c615d40dc502f3cd9ef81e70d27)
| -rw-r--r-- | nixos/modules/services/web-apps/lasuite-docs.nix | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/lasuite-docs.nix b/nixos/modules/services/web-apps/lasuite-docs.nix
index c6a1b0c2ae40..c5f1a4ed6a3b 100644
--- a/nixos/modules/services/web-apps/lasuite-docs.nix
+++ b/nixos/modules/services/web-apps/lasuite-docs.nix
@@ -346,6 +346,56 @@ in
 };
 config = mkIf cfg.enable {
+ systemd.services.lasuite-docs-postgresql-setup = mkIf cfg.postgresql.createLocally {
+ wantedBy = [ "lasuite-docs.target" ];
+ requiredBy = [ "lasuite-docs.service" ];
+ before = [ "lasuite-docs.service" ];
+ after = [ "postgresql-setup.service" ];
+
+ serviceConfig = {
+ Slice = "system-lasuite-docs.slice";
+ Type = "oneshot";
+ User = "postgres";
+
+ # lasuite-docs user cannot create a C function as it is unsafe.
+ ExecStart = ''
+ ${lib.getExe' config.services.postgresql.package "psql"} --port=${toString config.services.postgresql.settings.port} -d lasuite-docs -c "CREATE OR REPLACE FUNCTION public.immutable_unaccent(regdictionary, text) RETURNS text LANGUAGE c IMMUTABLE PARALLEL SAFE STRICT AS '$libdir/unaccent', 'unaccent_dict';"
+ '';
+
+ # hardening
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = [ "" ];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ };
+
+ };
+
 systemd.services.lasuite-docs = {
 description = "Docs from SuiteNumérique";
 after = [ |
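Review bot: `RestrictAddressFamilies` in the new lasuite-docs-postgresql-setup unit still permits AF_INET and AF_INET6, yet the psql invocation passes no `-h`, so it reaches the server over the local Unix socket; `RestrictAddressFamilies = [ "AF_UNIX" ];` is the tighter setting for a oneshot that only ever talks to the local instance. The `after = [ "postgresql-setup.service" ]` ordering carries no dependency of its own, so whether the server and the `lasuite-docs` database exist when this unit is started on its own depends on what lasuite-docs.service pulls in, which the hunk does not show — `requires = [ "postgresql.service" ];` alongside the `after` would make the unit self-contained. The comment above ExecStart could state the actual constraint instead of calling the function unsafe, e.g. `# Only PostgreSQL superusers may define LANGUAGE c functions, so this runs as the postgres user; the literal $libdir is expanded by the server, not by systemd, since it sits inside a quoted word.` The enclosing `config = mkIf cfg.enable {` attribute set continues past the end of the hunk.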
