Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/mysql-auth: fix passwords in config files #271441

Merged
merged 4 commits into from
Dec 2, 2023
Merged

nixos/mysql-auth: fix passwords in config files #271441

Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b1b67e9
nixos/mysql-auth: fix passwords in config files
NetaliDev Dec 1, 2023
22b5fec
nixos/tests/auth-mysql: fix test
NetaliDev Dec 2, 2023
ac3352a
pam_mysql: add test
NetaliDev Dec 2, 2023
c0b2326
libnss-mysql: add test
NetaliDev Dec 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 35 additions & 22 deletions nixos/modules/config/mysql.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ let
cfg = config.users.mysql;
in
{
meta.maintainers = [ maintainers.netali ];

options = {
users.mysql = {
enable = mkEnableOption (lib.mdDoc "Authentication against a MySQL/MariaDB database");
Expand Down Expand Up @@ -358,7 +360,7 @@ in
user = "root";
group = "root";
mode = "0600";
# password will be added from password file in activation script
# password will be added from password file in systemd oneshot
text = ''
users.host=${cfg.host}
users.db_user=${cfg.user}
Expand Down Expand Up @@ -423,34 +425,45 @@ in
mode = "0600";
user = config.services.nscd.user;
group = config.services.nscd.group;
# password will be added from password file in activation script
# password will be added from password file in systemd oneshot
text = ''
username ${cfg.user}
'';
};

# preStart script to append the password from the password file
# to the configuration files. It also fixes the owner of the
# libnss-mysql-root.cfg because it is changed to root after the
# password is appended.
systemd.services.mysql.preStart = ''
if [[ -r ${cfg.passwordFile} ]]; then
org_umask=$(umask)
umask 0077
systemd.services.mysql-auth-pw-init = {
description = "Adds the mysql password to the mysql auth config files";

before = [ "nscd.service" ];
wantedBy = [ "multi-user.target" ];

serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};

conf_nss="$(mktemp)"
cp /etc/libnss-mysql-root.cfg $conf_nss
printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
restartTriggers = [
config.environment.etc."security/pam_mysql.conf".source
config.environment.etc."libnss-mysql.cfg".source
config.environment.etc."libnss-mysql-root.cfg".source
];

conf_pam="$(mktemp)"
cp /etc/security/pam_mysql.conf $conf_pam
printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
mv -fT "$conf_pam" /etc/security/pam_mysql.conf
script = ''
if [[ -r ${cfg.passwordFile} ]]; then
umask 0077
conf_nss="$(mktemp)"
cp /etc/libnss-mysql-root.cfg $conf_nss
printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg

umask $org_umask
fi
'';
conf_pam="$(mktemp)"
cp /etc/security/pam_mysql.conf $conf_pam
printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
mv -fT "$conf_pam" /etc/security/pam_mysql.conf
fi
'';
};
};
}