author | Florian Jacob <projects+git@florianjacob.de> | 2017-09-10 17:58:52 +0200 |
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-09-18 13:10:26 +0200 |
commit | 839e3c76662fafb0f16c77d1efcdb67197e57a03 (patch) | |
tree | 7d146ebbeed9bb8b11be5fa7013668c8b3f95a96 /nixos/modules/services/databases | |
parent | 971eb19dbcb0313a592bd349692f937ec6b04d45 (diff) | |
nixos/mysql: declarative users & databases
using Unix socket authentication, ensured on every rebuild.
Diffstat (limited to 'nixos/modules/services/databases')
-rw-r--r-- | nixos/modules/services/databases/mysql.nix | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index 50766093307d..845e6d4c22ef 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -30,6 +30,10 @@ let master-password = ${cfg.replication.masterPassword} master-port = ${toString cfg.replication.masterPort} ''} + ${optionalString (cfg.ensureUsers != []) + '' + plugin-load-add = auth_socket.so + ''} ${cfg.extraOptions} ''; @@ -123,6 +127,46 @@ in description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database"; }; + ensureDatabases = mkOption { + default = []; + description = '' + Ensures that the specified databases exist. + This option will never delete existing databases, especially not when the value of this + option is changed. This means that databases created once through this option or + otherwise have to be removed manually. + ''; + example = [ + "nextcloud" + "piwik" + ]; + }; + + ensureUsers = mkOption { + default = []; + description = '' + Ensures that the specified users exist and have at least the ensured permissions. + The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the + same name only, and that without the need for a password. + This option will never delete existing users or remove permissions, especially not when the value of this + option is changed. This means that users created and permissions assigned once through this option or + otherwise have to be removed manually. + ''; + example = [ + { + name = "nextcloud"; + ensurePermissions = { + "nextcloud.*" = "ALL PRIVILEGES"; + }; + } + { + name = "backup"; + ensurePermissions = { + "*.*" = "SELECT, LOCK TABLES"; + }; + } + ]; + }; + # FIXME: remove this option; it's a really bad idea. rootPassword = mkOption { default = null; 
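Review bot: Neither `ensureDatabases` nor `ensureUsers` declares a `type`, so a misspelled attribute inside a user entry (say `ensurePermission`), a non-string database name, or a user given as a plain string is not rejected at evaluation time and only surfaces when the generated shell in the later hunk runs. Adding `type = types.listOf types.str;` to `ensureDatabases` and a `types.submodule` with `name` and `ensurePermissions` to `ensureUsers` moves those failures to `nixos-rebuild` and also gives the two sub-attributes a place to be documented, which the current description does only by example. The sketch below keeps the existing descriptions and examples unchanged.
```nix
ensureDatabases = mkOption {
  type = types.listOf types.str;
  default = [];
  # … unchanged: description, example …
};

ensureUsers = mkOption {
  type = types.listOf (types.submodule {
    options = {
      name = mkOption {
        type = types.str;
        description = "Name of the MySQL user; with socket authentication this is also the Unix user name that may log in as it.";
      };
      ensurePermissions = mkOption {
        type = types.attrsOf types.str;
        default = {};
        description = "Permissions to ensure, as an attribute set mapping a GRANT target (for example \"db.*\") to the privilege list.";
      };
    };
  });
  default = [];
  # … unchanged: description, example …
};
```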
@@ -305,6 +349,24 @@ in rm /tmp/mysql_init fi + + ${optionalString (cfg.ensureDatabases != []) '' + ( + ${concatMapStrings (database: '' + echo "CREATE DATABASE IF NOT EXISTS ${database};" + '') cfg.ensureDatabases} + ) | ${mysql}/bin/mysql -u root -N + ''} + + ${concatMapStrings (user: + '' + ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if mysql == pkgs.mariadb then "unix_socket" else "auth_socket"};" + ${concatStringsSep "\n" (mapAttrsToList (database: permission: '' + echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';" + '') user.ensurePermissions)} + ) | ${mysql}/bin/mysql -u root -N + '') cfg.ensureUsers} + ''; # */ }; |
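Review bot: The database and user names are spliced unquoted into the SQL text and, before that, into a double-quoted shell string, so a name containing `-`, a space, `$`, a backtick or `'` is either rewritten by the shell before mysql sees it or yields an SQL syntax error; the values come from the system configuration rather than from a remote party, so the practical effect is a failing service rather than injection, but the identifiers should still be quoted: ``echo "CREATE DATABASE IF NOT EXISTS `${database}`;"`` and the same backtick quoting around `${user.name}` in `CREATE USER`. The `ON ${database}` target of the GRANT has to stay unquoted because the documented values are patterns such as `*.*`, which deserves a comment here or a sentence in the `ensurePermissions` documentation. The passwordless `${mysql}/bin/mysql -u root -N` calls presumably rely on the Unix user running this script being accepted as MySQL root; if `rootPassword` (visible in the previous hunk) is set, they would seem to fail, and an assertion or a note in the option description would make that interaction explicit. The enclosing shell script starts outside the hunk, so whether it runs under `set -e` and which of these errors abort the unit is not visible here.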