Merge pull request #271771 from NixOS/backport-271441-to-release-23.11

NixOS · Dec 2, 2023 · fb3d047 · fb3d047
2 parents 81083a1 + c3811eb
commit fb3d047
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 25 deletions.
diff --git a/nixos/modules/config/mysql.nix b/nixos/modules/config/mysql.nix
@@ -6,6 +6,8 @@ let
   cfg = config.users.mysql;
 in
 {
+  meta.maintainers = [ maintainers.netali ];
+
   options = {
     users.mysql = {
       enable = mkEnableOption (lib.mdDoc "Authentication against a MySQL/MariaDB database");
@@ -358,7 +360,7 @@ in
       user = "root";
       group = "root";
       mode = "0600";
-      # password will be added from password file in activation script
+      # password will be added from password file in systemd oneshot
       text = ''
         users.host=${cfg.host}
         users.db_user=${cfg.user}
@@ -423,34 +425,45 @@ in
       mode = "0600";
       user = config.services.nscd.user;
       group = config.services.nscd.group;
-      # password will be added from password file in activation script
+      # password will be added from password file in systemd oneshot
       text = ''
         username ${cfg.user}
       '';
     };
 
-    # preStart script to append the password from the password file
-    # to the configuration files. It also fixes the owner of the
-    # libnss-mysql-root.cfg because it is changed to root after the
-    # password is appended.
-    systemd.services.mysql.preStart = ''
-      if [[ -r ${cfg.passwordFile} ]]; then
-        org_umask=$(umask)
-        umask 0077
+    systemd.services.mysql-auth-pw-init = {
+      description = "Adds the mysql password to the mysql auth config files";
+
+      before = [ "nscd.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+      };
 
-        conf_nss="$(mktemp)"
-        cp /etc/libnss-mysql-root.cfg $conf_nss
-        printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
-        mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
-        chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
+      restartTriggers = [
+        config.environment.etc."security/pam_mysql.conf".source
+        config.environment.etc."libnss-mysql.cfg".source
+        config.environment.etc."libnss-mysql-root.cfg".source
+      ];
 
-        conf_pam="$(mktemp)"
-        cp /etc/security/pam_mysql.conf $conf_pam
-        printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
-        mv -fT "$conf_pam" /etc/security/pam_mysql.conf
+      script = ''
+        if [[ -r ${cfg.passwordFile} ]]; then
+          umask 0077
+          conf_nss="$(mktemp)"
+          cp /etc/libnss-mysql-root.cfg $conf_nss
+          printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
+          mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
+          chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
 
-        umask $org_umask
-      fi
-    '';
+          conf_pam="$(mktemp)"
+          cp /etc/security/pam_mysql.conf $conf_pam
+          printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
+          mv -fT "$conf_pam" /etc/security/pam_mysql.conf
+        fi
+      '';
+    };
   };
 }
diff --git a/nixos/tests/auth-mysql.nix b/nixos/tests/auth-mysql.nix
@@ -84,7 +84,7 @@ in
           getpwuid = ''
             SELECT name, 'x', uid, gid, name, CONCAT('/home/', name), "/run/current-system/sw/bin/bash" \
             FROM users \
-            WHERE id=%1$u \
+            WHERE uid=%1$u \
             LIMIT 1
           '';
           getspnam = ''
@@ -140,6 +140,7 @@ in
 
     machine.wait_for_unit("multi-user.target")
     machine.wait_for_unit("mysql.service")
+    machine.wait_until_succeeds("cat /etc/security/pam_mysql.conf | grep users.db_passwd")
     machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
 
     with subtest("Local login"):

diff --git a/pkgs/os-specific/linux/libnss-mysql/default.nix b/pkgs/os-specific/linux/libnss-mysql/default.nix
@@ -1,4 +1,11 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, which, libmysqlclient }:
+{ lib
+, nixosTests
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, which
+, libmysqlclient
+}:
 
 stdenv.mkDerivation rec {
   pname = "libnss-mysql";
@@ -20,6 +27,10 @@ stdenv.mkDerivation rec {
     rm -r $out/etc
   '';
 
+  passthru.tests = {
+    inherit (nixosTests) auth-mysql;
+  };
+
   meta = with lib; {
     description = "MySQL module for the Solaris Nameservice Switch (NSS)";
     homepage = "https://github.com/saknopper/libnss-mysql";

diff --git a/pkgs/os-specific/linux/pam_mysql/default.nix b/pkgs/os-specific/linux/pam_mysql/default.nix
@@ -1,4 +1,15 @@
-{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb, libxcrypt }:
+{ lib
+, nixosTests
+, stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, pam
+, pkg-config
+, libmysqlclient
+, mariadb
+, libxcrypt
+}:
 
 stdenv.mkDerivation rec {
   pname = "pam_mysql";
@@ -14,6 +25,10 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ meson pkg-config ninja ];
   buildInputs = [ pam libmysqlclient mariadb libxcrypt ];
 
+  passthru.tests = {
+    inherit (nixosTests) auth-mysql;
+  };
+
   meta = with lib; {
     description = "PAM authentication module against a MySQL database";
     homepage = "https://github.com/NigelCunningham/pam-MySQL";