From 91aaa13a07b447c756321b159bf4f1001b16427e Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Sat, 2 Nov 2024 16:52:02 +0100
Subject: [PATCH] postgresql_12: mark as insecure
It will be EOL in about a week[1] and should've never reached 24.11. However, I messed up and missed the freeze deadline, so we can't do breaking stuff like this, hence we'll mark it as insecure and right after branchoff it will be removed from unstable. During that discussion I also got the feedback that it's easy for people who just do `services.postgresql.enable = true;` to miss their version getting EOL since there's no warning by the selection logic based on the state version. Also added that. It's kinda noisy, but I expect it to be pretty effective for people who are prone to miss the EOL otherwise. For 25.11 I'd like to make sure we remove postgresql_13 before. To make it harder for us to miss the deadline, the postgres team will receive a ping before feature freeze[2].
[1] https://endoflife.date/postgresql
[2] Implemented in https://github.com/NixOS/nixpkgs/pull/352905
---
 nixos/modules/services/databases/postgresql.nix | 11 ++++++++++-
 pkgs/servers/sql/postgresql/generic.nix | 5 +++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index 876969ef9bb57..d9cdce006f731 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -26,6 +26,7 @@ let
 optionalString
 types
 versionAtLeast
+ warn
 ;
 cfg = config.services.postgresql;
@@ -484,10 +485,18 @@ in
 services.postgresql.package = let
 mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
+ mkWarn = ver: warn ''
+ The postgresql package is not pinned and selected automatically by
+ `systemd.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the
+ oldest postgresql version available and thus the next that will be
+ removed when EOL.
+
+ See also https://endoflife.date/postgresql
+ '';
 base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16
 else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
 else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
- else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13
+ else if versionAtLeast config.system.stateVersion "21.11" then mkWarn "13" pkgs.postgresql_13
 else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11"
 else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6"
 else mkThrow "9_5";
diff --git a/pkgs/servers/sql/postgresql/generic.nix b/pkgs/servers/sql/postgresql/generic.nix
index decaedc5f85f1..264ef08a89561 100644
--- a/pkgs/servers/sql/postgresql/generic.nix
+++ b/pkgs/servers/sql/postgresql/generic.nix
@@ -335,6 +335,11 @@ let
 # In fact, I tried to test the result in a VM-test, but as soon as JIT was used to optimize
 # a query, postgres would coredump with `Illegal instruction`.
 broken = jitSupport && !stdenv.hostPlatform.canExecute stdenv.buildPlatform;
+
+ # Should've never been in 24.11, but we missed the freeze.
+ knownVulnerabilties = lib.optionals (olderThan "13") [
+ "PostgreSQL 12 is EOL and receives no more security fixes"
+ ];
 };
 });
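Review bot: The new mkWarn message tells the user the package is chosen by `systemd.stateVersion`, but the selection right below it reads `config.system.stateVersion`, so the warning points at an option that does not exist and the reader cannot act on it; change the second text line to `` `system.stateVersion`. Right now this is `pkgs.postgresql_${ver}`, the ``. Since the purpose of the warning is to get people off an EOL major before it is removed, it should also name the knob that silences it, e.g. append `Pin a supported release via services.postgresql.package to silence this warning.` before the "See also" line. The phrase "the oldest postgresql version available" is also not quite right after this same commit, because pkgs.postgresql_12 still exists (now marked insecure) — "the oldest version still supported" would be accurate. The enclosing let-binding continues past the end of the hunk.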
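Review bot: The attribute added at the end of this hunk is spelled `knownVulnerabilties` (missing an "i"), but the attribute that nixpkgs' meta check evaluates to refuse a package is `meta.knownVulnerabilities`; as written the misspelled key is just an unrecognised meta attribute, so postgresql_12 still builds and is installed without any insecure-package refusal, and the commit's stated purpose is not achieved. The fix is the one line `knownVulnerabilities = lib.optionals (olderThan "13") [`. I cannot see where `olderThan` is defined from this hunk; assuming it compares the package's major version as its name suggests, the list is correctly empty for 13 and newer. The enclosing attribute set (the meta block that also holds `broken`) starts before this hunk.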