author | Daniel Schaefer <git@danielschaefer.me> | 2019-04-23 04:52:44 +0200 |
---|---|---|
committer | Daniel Schaefer <git@danielschaefer.me> | 2019-06-13 04:36:41 +0200 |
commit | 35531f40164fe5876a484a7f213fb029fd2f927d (patch) | |
tree | 0cc82c69948a05445b8ba498da2bd7a2884104ee /nixos | |
parent | 2bcca9271acfbfb556ad47c4a11ad7bb5cd0f486 (diff) | |
nixos/cassandra: Allow setting JMX credentials
If we have the ability to enable remote JMX we should also support setting credentials for that because they become required if you turn it on.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/databases/cassandra.nix | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix
index 3c5a47682686..c15ac37be120 100644
--- a/nixos/modules/services/databases/cassandra.nix
+++ b/nixos/modules/services/databases/cassandra.nix
@@ -44,10 +44,25 @@ let
 ln -s "$cassandraLogbackConfig" "$out/logback.xml"
 cp "$cassandraEnvPkg" "$out/cassandra-env.sh"
+ # Delete default JMX Port, otherwise we can't set it using env variable
 sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh"
+
+ # Delete default password file
+ sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh"
 '';
 };
+ jmxPasswordFile = builtins.foldl'
+ (left: right: left + right) ""
+ (map (role: "${role.username} ${role.password}") cfg.jmxRoles);
+ fullJvmOptions = cfg.jvmOpts
+ ++ lib.optionals (cfg.jmxRoles != []) [
+ "-Dcom.sun.management.jmxremote.authenticate=true"
+ "-Dcom.sun.management.jmxremote.password.file=${pkgs.writeText "jmxremote.password" jmxPasswordFile}"
+ ]
+ ++ lib.optionals cfg.remoteJmx [
+ "-Djava.rmi.server.hostname=${cfg.rpcAddress}"
+ ];
 in {
 options.services.cassandra = {
 enable = mkEnableOption ''
@@ -322,6 +337,24 @@ in {
 Firewall it if needed.
 '';
 };
+ jmxRoles = mkOption {
+ default = [];
+ description = ''
+ Roles that are allowed to access the JMX (e.g. nodetool)
+ '';
+ type = types.listOf (types.submodule {
+ options = {
+ username = mkOption {
+ type = types.string;
+ description = "Username for JMX";
+ };
+ password = mkOption {
+ type = types.string;
+ description = "Password for JMX";
+ };
+ };
+ });
+ };
 };
 config = mkIf cfg.enable {
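Review bot: The JMX credentials end up in plaintext in the Nix store, because `pkgs.writeText "jmxremote.password" jmxPasswordFile` builds the password file as a store path, and store paths are readable by every local user. An option that takes the path of an operator-managed file outside the store would avoid this; the JVM may also reject a password file with permissions this open, which is worth testing. Separately, the `foldl'` joins the role entries with no separator, so two roles would land on a single line of the password file; `lib.concatMapStringsSep "\n" (role: "${role.username} ${role.password}") cfg.jmxRoles` keeps one entry per line. The `let` block begins outside the hunk.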
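Review bot: `types.string` on the new `username` and `password` options merges multiple definitions by concatenation, so a credential set in two modules would silently become a different value; `type = types.str;` rejects conflicting definitions instead. The `password` description should also tell the operator where the value goes, for example `description = "Password for JMX. Stored in plaintext in the world-readable Nix store.";`. The enclosing `options.services.cassandra` set begins outside the hunk.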
@@ -335,6 +368,9 @@ in {
 { assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null);
 message = "If you set either of maxHeapSize or heapNewSize you have to set both";
 }
+ { assertion = cfg.remoteJmx -> (cfg.jmxRoles != {});
+ message = "If you want JMX available remotely you need to set a password.";
+ }
 ];
 users = mkIf (cfg.user == defaultUser) {
 extraUsers."${defaultUser}" =
@@ -352,7 +388,7 @@ in {
 after = [ "network.target" ];
 environment = {
 CASSANDRA_CONF = "${cassandraEtc}";
- JVM_OPTS = builtins.concatStringsSep " " cfg.jvmOpts;
+ JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions;
 MAX_HEAP_SIZE = toString cfg.maxHeapSize;
 HEAP_NEWSIZE = toString cfg.heapNewSize;
 MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; |
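Review bot: The added assertion can never fail, because `cfg.jmxRoles` is a list (default `[]`) and `cfg.jmxRoles != {}` compares it with an empty attribute set, which is always unequal. Enabling `remoteJmx` with no roles therefore passes evaluation, and the `-Dcom.sun.management.jmxremote.authenticate=true` option from the first hunk is then not added. The comparison should be against the empty list: `{ assertion = cfg.remoteJmx -> cfg.jmxRoles != [];`. The assertions list begins outside the hunk.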