From 35531f40164fe5876a484a7f213fb029fd2f927d Mon Sep 17 00:00:00 2001 From: Daniel Schaefer Date: Tue, 23 Apr 2019 04:52:44 +0200 Subject: nixos/cassandra: Allow setting JMX credentials If we have the ability to enable remote JMX we should also support setting credentials for that because they become required if you turn it on. --- nixos/modules/services/databases/cassandra.nix | 38 +++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) (limited to 'nixos/modules') diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index 3c5a47682686..c15ac37be120 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -44,10 +44,25 @@ let ln -s "$cassandraLogbackConfig" "$out/logback.xml" cp "$cassandraEnvPkg" "$out/cassandra-env.sh" + # Delete default JMX Port, otherwise we can't set it using env variable sed -i '/JMX_PORT="7199"/d' "$out/cassandra-env.sh" + + # Delete default password file + sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" ''; }; + jmxPasswordFile = builtins.foldl' + (left: right: left + right) "" + (map (role: "${role.username} ${role.password}") cfg.jmxRoles); + fullJvmOptions = cfg.jvmOpts + ++ lib.optionals (cfg.jmxRoles != []) [ + "-Dcom.sun.management.jmxremote.authenticate=true" + "-Dcom.sun.management.jmxremote.password.file=${pkgs.writeText "jmxremote.password" jmxPasswordFile}" + ] + ++ lib.optionals cfg.remoteJmx [ + "-Djava.rmi.server.hostname=${cfg.rpcAddress}" + ]; in { options.services.cassandra = { enable = mkEnableOption '' 
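Review bot: The JMX passwords are written in clear text into the Nix store by `pkgs.writeText "jmxremote.password" jmxPasswordFile`, and store paths are readable by every local user, so any account on the host can read the credentials that are meant to protect remote JMX. Consider letting the operator point to a password file kept outside the store with restricted permissions and passing that path to `-Dcom.sun.management.jmxremote.password.file=`; the JVM may also reject a password file that other users can read, which is worth testing. Separately, `jmxPasswordFile` folds the entries together with no separator, so with more than one role the entries run into each other; `lib.concatMapStringsSep "\n" (role: "${role.username} ${role.password}") cfg.jmxRoles` would give one role per line. The `password` option description added in the second hunk should say where the value ends up. The enclosing `let` block starts outside this hunk.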
@@ -322,6 +337,24 @@ in { Firewall it if needed. ''; }; + jmxRoles = mkOption { + default = []; + description = '' + Roles that are allowed to access the JMX (e.g. nodetool) + ''; + type = types.listOf (types.submodule { + options = { + username = mkOption { + type = types.string; + description = "Username for JMX"; + }; + password = mkOption { + type = types.string; + description = "Password for JMX"; + }; + }; + }); + }; }; config = mkIf cfg.enable { @@ -335,6 +368,9 @@ in { { assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); message = "If you set either of maxHeapSize or heapNewSize you have to set both"; } + { assertion = cfg.remoteJmx -> (cfg.jmxRoles != {}); + message = "If you want JMX available remotely you need to set a password."; + } ]; users = mkIf (cfg.user == defaultUser) { extraUsers."${defaultUser}" = @@ -352,7 +388,7 @@ in { after = [ "network.target" ]; environment = { CASSANDRA_CONF = "${cassandraEtc}"; - JVM_OPTS = builtins.concatStringsSep " " cfg.jvmOpts; + JVM_OPTS = builtins.concatStringsSep " " fullJvmOptions; MAX_HEAP_SIZE = toString cfg.maxHeapSize; HEAP_NEWSIZE = toString cfg.heapNewSize; MALLOC_ARENA_MAX = toString cfg.mallocArenaMax; -- cgit 1.4.1
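Review bot: `username` and `password` are declared as `types.string` with no constraint on their content, although the first hunk joins them into a whitespace-delimited password file. `types.str` is the usual type for a single value, and a username containing a space or a newline (or a password containing a newline) would change how that file is parsed. A restriction such as `type = types.strMatching "[^ \t\n]+";` on `username` would catch this at evaluation time. The option set this belongs to starts outside the hunk.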
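Review bot: The new assertion compares `cfg.jmxRoles` with `{}`, but the option is a list (`types.listOf`, default `[]`), and a list never equals an attribute set, so `cfg.jmxRoles != {}` is always true and the assertion cannot fail. With `remoteJmx = true` and no roles the module would still evaluate, and the `authenticate=true` and password-file flags from the first hunk would not be added. The condition should read `{ assertion = cfg.remoteJmx -> (cfg.jmxRoles != []);`. The assertions list starts outside this hunk.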