pyrox.dev / nixpkgs
lol
fork atom

nixos/mongodb: replace option initialRootPassword with initialRootPasswordFile

Niklas Korz 2f8af3ea 3f8a2242

options
unified split
Changed files
+18 -7
nixos
doc
manual
release-notes
rl-2505.section.md
modules
services
databases
mongodb.nix
+2
nixos/doc/manual/release-notes/rl-2505.section.md 
···

       
220

       
220

       
 

       



     

       
221

       
221

       
 

       
- `racket_7_9` has been removed, as it is insecure. It is recommended to use Racket 8 instead.


     

       
222

       
222

       
 

       



     

       

       
223

       
+

       
- `services.mongodb.initialRootPassword` has been replaced with the more secure option [`services.mongodb.initialRootPasswordFile`](#opt-services.mongodb.initialRootPasswordFile)


     

       

       
224

       
+

       



     

       
223

       
225

       
 

       
- `rofi` has been updated from 1.7.5 to 1.7.6 which introduces some breaking changes to binary plugins, and also contains a lot of new features and bug fixes. This is highlighted because the patch version bump does not indicate the volume of changes by itself. See the [upstream release notes](https://github.com/davatorium/rofi/releases/tag/1.7.6) for the full list of changes.


     

       
224

       
226

       
 

       



     

       
225

       
227

       
 

       
- `ente-auth` now uses the name `enteauth` for its binary. The previous name was `ente_auth`.
+16 -7
nixos/modules/services/databases/mongodb.nix 
···

       
27

       
27

       
 

       
in


     

       
28

       
28

       
 

       



     

       
29

       
29

       
 

       
{


     

       

       
30

       
+

       
  imports = [


     

       

       
31

       
+

       
    (lib.mkRemovedOptionModule [


     

       

       
32

       
+

       
      "services"


     

       

       
33

       
+

       
      "mongodb"


     

       

       
34

       
+

       
      "initialRootPassword"


     

       

       
35

       
+

       
    ] "Use services.mongodb.initialRootPasswordFile to securely provide the initial root password.")


     

       

       
36

       
+

       
  ];


     

       
30

       
37

       
 

       



     

       
31

       
38

       
 

       
  ###### interface


     

       
32

       
39

       
 

       



     
···

       
64

       
71

       
 

       
        description = "Enable client authentication. Creates a default superuser with username root!";


     

       
65

       
72

       
 

       
      };


     

       
66

       
73

       
 

       



     

       
67

       

       
-

       
      initialRootPassword = lib.mkOption {


     

       
68

       

       
-

       
        type = lib.types.nullOr lib.types.str;


     

       

       
74

       
+

       
      initialRootPasswordFile = lib.mkOption {


     

       

       
75

       
+

       
        type = lib.types.nullOr lib.types.path;


     

       
69

       
76

       
 

       
        default = null;


     

       
70

       

       
-

       
        description = "Password for the root user if auth is enabled.";


     

       

       
77

       
+

       
        description = "Path to the file containing the password for the root user if auth is enabled.";


     

       
71

       
78

       
 

       
      };


     

       
72

       
79

       
 

       



     

       
73

       
80

       
 

       
      dbpath = lib.mkOption {


     
···

       
116

       
123

       
 

       
  config = lib.mkIf config.services.mongodb.enable {


     

       
117

       
124

       
 

       
    assertions = [


     

       
118

       
125

       
 

       
      {


     

       
119

       

       
-

       
        assertion = !cfg.enableAuth || cfg.initialRootPassword != null;


     

       
120

       

       
-

       
        message = "`enableAuth` requires `initialRootPassword` to be set.";


     

       

       
126

       
+

       
        assertion = !cfg.enableAuth || cfg.initialRootPasswordFile != null;


     

       

       
127

       
+

       
        message = "`enableAuth` requires `initialRootPasswordFile` to be set.";


     

       
121

       
128

       
 

       
      }


     

       
122

       
129

       
 

       
    ];


     

       
123

       
130

       
 

       



     
···

       
168

       
175

       
 

       
            # wait for mongodb


     

       
169

       
176

       
 

       
            while ! ${mongoshExe} --eval "db.version()" > /dev/null 2>&1; do sleep 0.1; done


     

       
170

       
177

       
 

       



     

       

       
178

       
+

       
            initialRootPassword=$(<${cfg.initialRootPasswordFile})


     

       
171

       
179

       
 

       
          ${mongoshExe} <<EOF


     

       
172

       
180

       
 

       
            use admin;


     

       
173

       
181

       
 

       
            db.createUser(


     

       
174

       
182

       
 

       
              {


     

       
175

       
183

       
 

       
                user: "root",


     

       
176

       

       
-

       
                pwd: "${cfg.initialRootPassword}",


     

       

       
184

       
+

       
                pwd: "$initialRootPassword",


     

       
177

       
185

       
 

       
                roles: [


     

       
178

       
186

       
 

       
                  { role: "userAdminAnyDatabase", db: "admin" },


     

       
179

       
187

       
 

       
                  { role: "dbAdminAnyDatabase", db: "admin" },


     
···

       
189

       
197

       
 

       
      postStart = ''


     

       
190

       
198

       
 

       
        if test -e "${cfg.dbpath}/.first_startup"; then


     

       
191

       
199

       
 

       
          ${lib.optionalString (cfg.initialScript != null) ''


     

       
192

       

       
-

       
            ${mongoshExe} ${lib.optionalString (cfg.enableAuth) "-u root -p ${cfg.initialRootPassword}"} admin "${cfg.initialScript}"


     

       

       
200

       
+

       
            initialRootPassword=$(<${cfg.initialRootPasswordFile})


     

       

       
201

       
+

       
            ${mongoshExe} ${lib.optionalString (cfg.enableAuth) "-u root -p $initialRootPassword"} admin "${cfg.initialScript}"


     

       
193

       
202

       
 

       
          ''}


     

       
194

       
203

       
 

       
          rm -f "${cfg.dbpath}/.first_startup"


     

       
195

       
204

       
 

       
        fi