pyrox.dev / nixpkgs
lol
fork atom

nixos/mysql: declarative users & databases using Unix socket authentication, ensured on every rebuild.

Florian Jacob 839e3c76 971eb19d

options
unified split
Changed files
+62
nixos
modules
services
databases
mysql.nix
+62
nixos/modules/services/databases/mysql.nix 
···

       
30

       
30

       
 

       
      master-password = ${cfg.replication.masterPassword}


     

       
31

       
31

       
 

       
      master-port = ${toString cfg.replication.masterPort}


     

       
32

       
32

       
 

       
    ''}


     

       

       
33

       
+

       
    ${optionalString (cfg.ensureUsers != [])


     

       

       
34

       
+

       
    ''


     

       

       
35

       
+

       
      plugin-load-add = auth_socket.so


     

       

       
36

       
+

       
    ''}


     

       
33

       
37

       
 

       
    ${cfg.extraOptions}


     

       
34

       
38

       
 

       
  '';


     

       
35

       
39

       
 

       



     
···

       
121

       
125

       
 

       
      initialScript = mkOption {


     

       
122

       
126

       
 

       
        default = null;


     

       
123

       
127

       
 

       
        description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database";


     

       

       
128

       
+

       
      };


     

       

       
129

       
+

       



     

       

       
130

       
+

       
      ensureDatabases = mkOption {


     

       

       
131

       
+

       
        default = [];


     

       

       
132

       
+

       
        description = ''


     

       

       
133

       
+

       
          Ensures that the specified databases exist.


     

       

       
134

       
+

       
          This option will never delete existing databases, especially not when the value of this


     

       

       
135

       
+

       
          option is changed. This means that databases created once through this option or


     

       

       
136

       
+

       
          otherwise have to be removed manually.


     

       

       
137

       
+

       
        '';


     

       

       
138

       
+

       
        example = [


     

       

       
139

       
+

       
          "nextcloud"


     

       

       
140

       
+

       
          "piwik"


     

       

       
141

       
+

       
        ];


     

       

       
142

       
+

       
      };


     

       

       
143

       
+

       



     

       

       
144

       
+

       
      ensureUsers = mkOption {


     

       

       
145

       
+

       
        default = [];


     

       

       
146

       
+

       
        description = ''


     

       

       
147

       
+

       
          Ensures that the specified users exist and have at least the ensured permissions.


     

       

       
148

       
+

       
          The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the


     

       

       
149

       
+

       
          same name only, and that without the need for a password.


     

       

       
150

       
+

       
          This option will never delete existing users or remove permissions, especially not when the value of this


     

       

       
151

       
+

       
          option is changed. This means that users created and permissions assigned once through this option or


     

       

       
152

       
+

       
          otherwise have to be removed manually.


     

       

       
153

       
+

       
        '';


     

       

       
154

       
+

       
        example = [


     

       

       
155

       
+

       
          {


     

       

       
156

       
+

       
            name = "nextcloud";


     

       

       
157

       
+

       
            ensurePermissions = {


     

       

       
158

       
+

       
              "nextcloud.*" = "ALL PRIVILEGES";


     

       

       
159

       
+

       
            };


     

       

       
160

       
+

       
          }


     

       

       
161

       
+

       
          {


     

       

       
162

       
+

       
            name = "backup";


     

       

       
163

       
+

       
            ensurePermissions = {


     

       

       
164

       
+

       
              "*.*" = "SELECT, LOCK TABLES";


     

       

       
165

       
+

       
            };


     

       

       
166

       
+

       
          }


     

       

       
167

       
+

       
        ];


     

       
124

       
168

       
 

       
      };


     

       
125

       
169

       
 

       



     

       
126

       
170

       
 

       
      # FIXME: remove this option; it's a really bad idea.


     
···

       
305

       
349

       
 

       



     

       
306

       
350

       
 

       
              rm /tmp/mysql_init


     

       
307

       
351

       
 

       
            fi


     

       

       
352

       
+

       



     

       

       
353

       
+

       
            ${optionalString (cfg.ensureDatabases != []) ''


     

       

       
354

       
+

       
              (


     

       

       
355

       
+

       
              ${concatMapStrings (database: ''


     

       

       
356

       
+

       
                echo "CREATE DATABASE IF NOT EXISTS ${database};"


     

       

       
357

       
+

       
              '') cfg.ensureDatabases}


     

       

       
358

       
+

       
              ) | ${mysql}/bin/mysql -u root -N


     

       

       
359

       
+

       
            ''}


     

       

       
360

       
+

       



     

       

       
361

       
+

       
            ${concatMapStrings (user:


     

       

       
362

       
+

       
              ''


     

       

       
363

       
+

       
                ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if mysql == pkgs.mariadb then "unix_socket" else "auth_socket"};"


     

       

       
364

       
+

       
                  ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''


     

       

       
365

       
+

       
                  echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';"


     

       

       
366

       
+

       
                  '') user.ensurePermissions)}


     

       

       
367

       
+

       
                ) | ${mysql}/bin/mysql -u root -N


     

       

       
368

       
+

       
              '') cfg.ensureUsers}


     

       

       
369

       
+

       



     

       
308

       
370

       
 

       
          ''; # */


     

       
309

       
371

       
 

       
      };


     

       
310

       
372