author | netali <me@netali.de> | 2023-12-01 14:04:45 +0100 |
committer | netali <me@netali.de> | 2023-12-01 14:04:45 +0100 |
commit | b1b67e980a9a8e6227d5f71f8b036e17c7716f0d (patch) | |
tree | e4dd4f2a6fa426d341d11f488d60e55c52c5e0c5 /nixos/modules/config/mysql.nix | |
parent | 77da99a144cd341408308e0a37622f5edcc6c5ba (diff) | |
nixos/mysql-auth: fix passwords in config files
Diffstat (limited to 'nixos/modules/config/mysql.nix')
-rw-r--r-- | nixos/modules/config/mysql.nix | 57 |
1 files changed, 35 insertions, 22 deletions
diff --git a/nixos/modules/config/mysql.nix b/nixos/modules/config/mysql.nix
index 95c9ba76663e..4f72d22c4f0e 100644
--- a/nixos/modules/config/mysql.nix
+++ b/nixos/modules/config/mysql.nix
@@ -6,6 +6,8 @@ let
   cfg = config.users.mysql;
 in
 {
+  meta.maintainers = [ maintainers.netali ];
+
   options = {
     users.mysql = {
       enable = mkEnableOption (lib.mdDoc "Authentication against a MySQL/MariaDB database");
@@ -358,7 +360,7 @@ in
       user = "root";
       group = "root";
       mode = "0600";
-      # password will be added from password file in activation script
+      # password will be added from password file in systemd oneshot
       text = ''
         users.host=${cfg.host}
         users.db_user=${cfg.user}
@@ -423,34 +425,45 @@ in
       mode = "0600";
       user = config.services.nscd.user;
       group = config.services.nscd.group;
-      # password will be added from password file in activation script
+      # password will be added from password file in systemd oneshot
       text = ''
         username ${cfg.user}
       '';
     };
 
-    # preStart script to append the password from the password file
-    # to the configuration files. It also fixes the owner of the
-    # libnss-mysql-root.cfg because it is changed to root after the
-    # password is appended.
-    systemd.services.mysql.preStart = ''
-      if [[ -r ${cfg.passwordFile} ]]; then
-        org_umask=$(umask)
-        umask 0077
+    systemd.services.mysql-auth-pw-init = {
+      description = "Adds the mysql password to the mysql auth config files";
+
+      before = [ "nscd.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+      };
 
-        conf_nss="$(mktemp)"
-        cp /etc/libnss-mysql-root.cfg $conf_nss
-        printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
-        mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
-        chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
+      restartTriggers = [
+        config.environment.etc."security/pam_mysql.conf".source
+        config.environment.etc."libnss-mysql.cfg".source
+        config.environment.etc."libnss-mysql-root.cfg".source
+      ];
 
-        conf_pam="$(mktemp)"
-        cp /etc/security/pam_mysql.conf $conf_pam
-        printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
-        mv -fT "$conf_pam" /etc/security/pam_mysql.conf
+      script = ''
+        if [[ -r ${cfg.passwordFile} ]]; then
+          umask 0077
+          conf_nss="$(mktemp)"
+          cp /etc/libnss-mysql-root.cfg $conf_nss
+          printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
+          mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
+          chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
 
-        umask $org_umask
-      fi
-    '';
+          conf_pam="$(mktemp)"
+          cp /etc/security/pam_mysql.conf $conf_pam
+          printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
+          mv -fT "$conf_pam" /etc/security/pam_mysql.conf
+        fi
+      '';
+    };
   };
 }
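Review bot: The `script` of the new `mysql-auth-pw-init` unit is not idempotent: it copies the live `/etc/libnss-mysql-root.cfg` and `/etc/security/pam_mysql.conf` and appends another `password` / `users.db_passwd=` line on every run, so a manual `systemctl restart` of the unit, or any run where activation has not re-copied the pristine files first, leaves duplicate credential lines in both files. Copying from the store sources instead makes each run produce the same result regardless of what is currently in `/etc`: `cp ${config.environment.etc."libnss-mysql-root.cfg".source} $conf_nss` and `cp ${config.environment.etc."security/pam_mysql.conf".source} $conf_pam`; these are the same `.source` attributes the hunk already lists in `restartTriggers`. Separately, `before` only orders the unit ahead of `nscd.service`, but `pam_mysql.conf` is consumed by any PAM-using login service, which presumably can start before the password is in place on boot, so ordering it before those services too is worth considering. When `${cfg.passwordFile}` is unreadable the `if` silently skips and the unit still exits successfully, so at least an `else echo "mysql-auth: cannot read ${cfg.passwordFile}, passwords not written" >&2` before the `fi` would make the broken state visible in the journal. The enclosing module attribute set starts outside the hunk.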