-rw-r--r-- | nixos/modules/config/mysql.nix | 57 | ||||
-rw-r--r-- | nixos/tests/auth-mysql.nix | 3 | ||||
-rw-r--r-- | pkgs/os-specific/linux/libnss-mysql/default.nix | 13 | ||||
-rw-r--r-- | pkgs/os-specific/linux/pam_mysql/default.nix | 17 |
4 files changed, 65 insertions, 25 deletions
diff --git a/nixos/modules/config/mysql.nix b/nixos/modules/config/mysql.nix
index 95c9ba76663e..4f72d22c4f0e 100644
--- a/nixos/modules/config/mysql.nix
+++ b/nixos/modules/config/mysql.nix
@@ -6,6 +6,8 @@ let cfg = config.users.mysql; in {
+ meta.maintainers = [ maintainers.netali ];
+
options = { users.mysql = { enable = mkEnableOption (lib.mdDoc "Authentication against a MySQL/MariaDB database");
@@ -358,7 +360,7 @@ in user = "root"; group = "root"; mode = "0600";
- # password will be added from password file in activation script
+ # password will be added from password file in systemd oneshot
text = '' users.host=${cfg.host} users.db_user=${cfg.user}
@@ -423,34 +425,45 @@ in mode = "0600"; user = config.services.nscd.user; group = config.services.nscd.group;
- # password will be added from password file in activation script
+ # password will be added from password file in systemd oneshot
text = '' username ${cfg.user} ''; };
- # preStart script to append the password from the password file
- # to the configuration files. It also fixes the owner of the
- # libnss-mysql-root.cfg because it is changed to root after the
- # password is appended.
- systemd.services.mysql.preStart = ''
- if [[ -r ${cfg.passwordFile} ]]; then
- org_umask=$(umask)
- umask 0077
+ systemd.services.mysql-auth-pw-init = {
+ description = "Adds the mysql password to the mysql auth config files";
+
+ before = [ "nscd.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ Group = "root";
+ };
- conf_nss="$(mktemp)"
- cp /etc/libnss-mysql-root.cfg $conf_nss
- printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
- mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
- chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
+ restartTriggers = [
+ config.environment.etc."security/pam_mysql.conf".source
+ config.environment.etc."libnss-mysql.cfg".source
+ config.environment.etc."libnss-mysql-root.cfg".source
+ ];
- conf_pam="$(mktemp)"
- cp /etc/security/pam_mysql.conf $conf_pam
- printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
- mv -fT "$conf_pam" /etc/security/pam_mysql.conf
+ script = ''
+ if [[ -r ${cfg.passwordFile} ]]; then
+ umask 0077
+ conf_nss="$(mktemp)"
+ cp /etc/libnss-mysql-root.cfg $conf_nss
+ printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
+ mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
+ chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
- umask $org_umask
- fi
- '';
+ conf_pam="$(mktemp)"
+ cp /etc/security/pam_mysql.conf $conf_pam
+ printf 
'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
+ mv -fT "$conf_pam" /etc/security/pam_mysql.conf
+ fi
+ '';
+ };
}; }
diff --git a/nixos/tests/auth-mysql.nix b/nixos/tests/auth-mysql.nix
index 0ed4b050a69a..77a69eb1cd58 100644
--- a/nixos/tests/auth-mysql.nix
+++ b/nixos/tests/auth-mysql.nix
@@ -84,7 +84,7 @@ in getpwuid = '' SELECT name, 'x', uid, gid, name, CONCAT('/home/', name), "/run/current-system/sw/bin/bash" \ FROM users \
- WHERE id=%1$u \
+ WHERE uid=%1$u \
LIMIT 1 ''; getspnam = ''
@@ -140,6 +140,7 @@ in machine.wait_for_unit("multi-user.target") machine.wait_for_unit("mysql.service")
+ machine.wait_until_succeeds("cat /etc/security/pam_mysql.conf | grep users.db_passwd")
machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'") with subtest("Local login"):
diff --git a/pkgs/os-specific/linux/libnss-mysql/default.nix b/pkgs/os-specific/linux/libnss-mysql/default.nix
index 77e629b03074..133312801119 100644
--- a/pkgs/os-specific/linux/libnss-mysql/default.nix
+++ b/pkgs/os-specific/linux/libnss-mysql/default.nix
@@ -1,4 +1,11 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, which, libmysqlclient }:
+{ lib
+, nixosTests
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, which
+, libmysqlclient
+}:
stdenv.mkDerivation rec { pname = "libnss-mysql";
@@ -20,6 +27,10 @@ stdenv.mkDerivation rec { rm -r $out/etc '';
+ passthru.tests = {
+ inherit (nixosTests) auth-mysql;
+ };
+
meta = with lib; { description = "MySQL module for the Solaris Nameservice Switch (NSS)"; homepage = "https://github.com/saknopper/libnss-mysql";
diff --git a/pkgs/os-specific/linux/pam_mysql/default.nix b/pkgs/os-specific/linux/pam_mysql/default.nix
index 036d4b20cb4c..1088d8abe7a6 100644
--- a/pkgs/os-specific/linux/pam_mysql/default.nix
+++ b/pkgs/os-specific/linux/pam_mysql/default.nix
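Review bot: The new `script` still treats an unreadable `${cfg.passwordFile}` as a no-op — the `if [[ -r ... ]]` has no `else` branch, so the oneshot exits 0 and nscd plus every PAM consumer carry on against config files that contain no password, with nothing in the journal saying why authentication fails. Make the misconfiguration fail loudly instead, e.g. `else echo "users.mysql: password file ${cfg.passwordFile} is not readable" >&2; exit 1; fi`. Separately, `before = [ "nscd.service" ]` orders the unit only ahead of nscd; nothing holds back getty/sshd logins, so a login attempt during boot can read `/etc/security/pam_mysql.conf` before `users.db_passwd` has been appended (the added `wait_until_succeeds` in the test hunk is papering over exactly this window) — adding `"systemd-user-sessions.service"` to `before` looks like the right gate, but confirm which units actually gate logins on this system. The enclosing module `config` attrset starts before this hunk.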
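Review bot: The added wait only checks that `users.db_passwd` landed in `/etc/security/pam_mysql.conf`; the same oneshot also rewrites and chowns `/etc/libnss-mysql-root.cfg`, and nothing in the test asserts that file received its `password` line or ended up owned by the nscd user with mode 0600 after the `mv -fT`/`chown` sequence — a regression there would only surface later as an NSS lookup failing. Add `machine.wait_until_succeeds("grep -q '^password ' /etc/libnss-mysql-root.cfg")` and a `stat -c '%U %a'` check of that file against the configured nscd user and `600`. Style nit: drop the useless cat, `machine.wait_until_succeeds("grep -q users.db_passwd /etc/security/pam_mysql.conf")`. The test script body continues outside the hunk.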
@@ -1,4 +1,15 @@
-{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb, libxcrypt }:
+{ lib
+, nixosTests
+, stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, pam
+, pkg-config
+, libmysqlclient
+, mariadb
+, libxcrypt
+}:
stdenv.mkDerivation rec { pname = "pam_mysql";
@@ -14,6 +25,10 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ meson pkg-config ninja ]; buildInputs = [ pam libmysqlclient mariadb libxcrypt ];
+ passthru.tests = {
+ inherit (nixosTests) auth-mysql;
+ };
+
meta = with lib; { description = "PAM authentication module against a MySQL database"; homepage = "https://github.com/NigelCunningham/pam-MySQL"; |