I would suggest that if a change like this was accepted it has to have the equivalent of users.mutableUsers.

@aanderse Yeah, I was thinking something similar, since commenting out a piece of code or disabling a service could have potentially devastating effects. I also think we should do cleanup for services in general if we go through with this: with this, disabling a module using ensureDatabases will clean up the database, but not other state tied to the service. Also, disabling the postgresql module won't clean up any state.

Wouldn't switching from one generation to a previous one which doesn't have some module enabled cause unintended data loss? If so, this seems dangerous to me.

It would indeed and it would be intended behaviour. We would probably want a switch to toggle this, as discussed above, and also prompt people to back up their data if this is turned on.

In general, it's not really ensureDatabases anymore if it's fully declarative, at least not with my original intention of the prefix, and it doesn't fit to e.g. the config.users.users option then. Hadn't have the case yet, as I did not come up with a declarative implementation that would make sense to me yet. With the databases, I intentionally refrained from deleting user data without manual intervention under any circumstance, but as an option you have to explicitly opt in to the possibility, I guess it would be fine. Personally, I don't drop databases often enough for that I can't afford the manual intervention. Being fully declarative at the owner and extensions module is much less destructive, and definitely a good addition, as people probably seldomly modify those manually.

@florianjacob Sorry for the late reply. Anyway, I agree. To begin with, I wanted to show this as a possible way forward if we want stuff like this to be fully declarative. It's by no means complete - I decided to ignore naming, documentation, users and extensions for now; before I put in all the work it would take to get this complete I wanted to know if there was any interest.

Maybe @grahamc and @adisbladis could chime in?

There has been some discussion between several community members on this topic and the hope is that after some more discussion an agreement can be had with a solution that is amicable to all. More to come.

I have an idea 💡 on how to solve this "ensure*" in a fine way. Why not create a __nix table in database, given we already have root access there? Maybe even in separate nix schema, to not clutter public.

We can store there all the stuff managed by Nix - state version, list of databases to maintain, list of users to maintain, list of extensions to maintain (cc @kampka).

Then add a new option:

nixObjectRemoval = mkOption {
  type = types.enum [ "allow" "disallow" "ignore" ];
  default = "disallow";
  description = ''
    Remove objects in database (users, databases, extensions) if their corresponding NixOS options are removed.</para><para>
    When <literal>allow</literal> this is done automatically.</para><para>
    When <literal>disallow</literal>, halt rebuild and show objects which should be removed together with their deleting SQL.</para><para>
    When <literal>ignore</literal>, it will only create objects, never remove.
  '';
};

And then just implement all the state management by trying to match existing schemas to this internal database.

The only tricky part is migrating this database from time to time. At least for extensions we can remove the need for migration -- extensions installed directly in nix schema must be present/absent in all other schemas.

I had the same idea and I think it's valid for users and extensions, but I would never delete databases containing user data. You can only go wrong there imo.
We also don't delete directories containing service data when the service is removed but leave this to the user, for good reason I would think.

Hm, I'm not sure about putting this data in the database - what's the benefit and what's wrong with the current approach? I like the nixObjectRemoval option idea, though.

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/postgresql-user-permission-setup-for-database-tables-access/5897/2

Hello, I'm a bot and I thank you in the name of the community for your contributions.

Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do:

If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list.

If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past.

If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments.

Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel.

Closing, since the interest in this seems very limited and any potential implementation of this likely would have to be rewritten from scratch.