public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/mysql: declarative users & databases

Browse Source 
using Unix socket authentication, ensured on every rebuild.
This commit is contained in:
Florian Jacob 2017-09-10 17:58:52 +02:00 committed by Franz Pletz
parent 971eb19dbc
commit 839e3c7666
1 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
nixos/modules/services/databases/mysql.nix
View File

@ -30,6 +30,10 @@ let
master-password = ${cfg.replication.masterPassword} master-password = ${cfg.replication.masterPassword}
master-port = ${toString cfg.replication.masterPort} master-port = ${toString cfg.replication.masterPort}
''} ''}
${optionalString (cfg.ensureUsers != [])
''
plugin-load-add = auth_socket.so
''}
${cfg.extraOptions} ${cfg.extraOptions}
''; '';
@ -123,6 +127,46 @@ in
description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database"; description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database";
}; };
ensureDatabases = mkOption {
default = [];
description = ''
Ensures that the specified databases exist.
This option will never delete existing databases, especially not when the value of this
option is changed. This means that databases created once through this option or
otherwise have to be removed manually.
'';
example = [
"nextcloud"
"piwik"
];
};
ensureUsers = mkOption {
default = [];
description = ''
Ensures that the specified users exist and have at least the ensured permissions.
The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the
same name only, and that without the need for a password.
This option will never delete existing users or remove permissions, especially not when the value of this
option is changed. This means that users created and permissions assigned once through this option or
otherwise have to be removed manually.
'';
example = [
{
name = "nextcloud";
ensurePermissions = {
"nextcloud.*" = "ALL PRIVILEGES";
};
}
{
name = "backup";
ensurePermissions = {
"*.*" = "SELECT, LOCK TABLES";
};
}
];
};
# FIXME: remove this option; it's a really bad idea. # FIXME: remove this option; it's a really bad idea.
rootPassword = mkOption { rootPassword = mkOption {
default = null; default = null;
@ -305,6 +349,24 @@ in
rm /tmp/mysql_init rm /tmp/mysql_init
fi fi
${optionalString (cfg.ensureDatabases != []) ''
(
${concatMapStrings (database: ''
echo "CREATE DATABASE IF NOT EXISTS ${database};"
'') cfg.ensureDatabases}
) | ${mysql}/bin/mysql -u root -N
''}
${concatMapStrings (user:
''
( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if mysql == pkgs.mariadb then "unix_socket" else "auth_socket"};"
${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';"
'') user.ensurePermissions)}
) | ${mysql}/bin/mysql -u root -N
'') cfg.ensureUsers}
''; # */ ''; # */
}; };