diff options
author | phile314-fh <phile314-fh@users.noreply.github.com> | 2019-05-25 11:09:30 +0200 |
---|---|---|
committer | Lassulus <github@lassul.us> | 2019-05-25 18:09:30 +0900 |
commit | 62d4c2b34a10afea0365a70e6901a3fc888d9288 (patch) | |
tree | 08a23eb834419c11d45ddc69d704ba8680bfbde8 /nixos/modules/services/databases/mongodb.nix | |
parent | e06dc0b5a970cb54499878c6f20df49aac0fd589 (diff) | |
download | nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.gz nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.bz2 nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.lz nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.xz nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.zst nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.zip |
mongodb: Add authentication support
* nixos/mongodb: Add authentication support * nixos/mongodb: Add initial script option * nixos/mongodb: Make initial root password configurable * nixos/mongodb: Start only on loopback interface for setup procedure * nixos/mongodb: Test auth/initial script * nixos/mongodb: Code formatting Co-Authored-By: Lassulus <github@lassul.us>
Diffstat (limited to 'nixos/modules/services/databases/mongodb.nix')
-rw-r--r-- | nixos/modules/services/databases/mongodb.nix | 67 |
1 files changed, 64 insertions, 3 deletions
diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix index 3fe4af2f261..c458a1d648a 100644 --- a/nixos/modules/services/databases/mongodb.nix +++ b/nixos/modules/services/databases/mongodb.nix @@ -8,12 +8,13 @@ let mongodb = cfg.package; - mongoCnf = pkgs.writeText "mongodb.conf" + mongoCnf = cfg: pkgs.writeText "mongodb.conf" '' net.bindIp: ${cfg.bind_ip} ${optionalString cfg.quiet "systemLog.quiet: true"} systemLog.destination: syslog storage.dbPath: ${cfg.dbpath} + ${optionalString cfg.enableAuth "security.authorization: enabled"} ${optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"} ${cfg.extraConfig} ''; @@ -59,6 +60,18 @@ in description = "quieter output"; }; + enableAuth = mkOption { + type = types.bool; + default = false; + description = "Enable client authentication. Creates a default superuser with username root!"; + }; + + initialRootPassword = mkOption { + type = types.nullOr types.string; + default = null; + description = "Password for the root user if auth is enabled."; + }; + dbpath = mkOption { default = "/var/db/mongodb"; description = "Location where MongoDB stores its files"; @@ -84,6 +97,14 @@ in ''; description = "MongoDB extra configuration in YAML format"; }; + + initialScript = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + A file containing MongoDB statements to execute on first startup. + ''; + }; }; }; @@ -92,6 +113,11 @@ in ###### implementation config = mkIf config.services.mongodb.enable { + assertions = [ + { assertion = !cfg.enableAuth || cfg.initialRootPassword != null; + message = "`enableAuth` requires `initialRootPassword` to be set."; + } + ]; users.users.mongodb = mkIf (cfg.user == "mongodb") { name = "mongodb"; @@ -108,7 +134,7 @@ in after = [ "network.target" ]; serviceConfig = { - ExecStart = "${mongodb}/bin/mongod --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}"; + ExecStart = "${mongodb}/bin/mongod --config ${mongoCnf cfg} --fork --pidfilepath ${cfg.pidFile}"; User = cfg.user; PIDFile = cfg.pidFile; Type = "forking"; @@ -116,15 +142,50 @@ in PermissionsStartOnly = true; }; - preStart = '' + preStart = let + cfg_ = cfg // { enableAuth = false; bind_ip = "127.0.0.1"; }; + in '' rm ${cfg.dbpath}/mongod.lock || true if ! test -e ${cfg.dbpath}; then install -d -m0700 -o ${cfg.user} ${cfg.dbpath} + # See postStart! + touch ${cfg.dbpath}/.first_startup fi if ! test -e ${cfg.pidFile}; then install -D -o ${cfg.user} /dev/null ${cfg.pidFile} + fi '' + lib.optionalString cfg.enableAuth '' + + if ! test -e "${cfg.dbpath}/.auth_setup_complete"; then + systemd-run --unit=mongodb-for-setup --uid=${cfg.user} ${mongodb}/bin/mongod --config ${mongoCnf cfg_} + # wait for mongodb + while ! ${mongodb}/bin/mongo --eval "db.version()" > /dev/null 2>&1; do sleep 0.1; done + + ${mongodb}/bin/mongo <<EOF + use admin + db.createUser( + { + user: "root", + pwd: "${cfg.initialRootPassword}", + roles: [ + { role: "userAdminAnyDatabase", db: "admin" }, + { role: "dbAdminAnyDatabase", db: "admin" }, + { role: "readWriteAnyDatabase", db: "admin" } + ] + } + ) + EOF + touch "${cfg.dbpath}/.auth_setup_complete" + systemctl stop mongodb-for-setup fi ''; + postStart = '' + if test -e "${cfg.dbpath}/.first_startup"; then + ${optionalString (cfg.initialScript != null) '' + ${mongodb}/bin/mongo -u root -p ${cfg.initialRootPassword} admin "${cfg.initialScript}" + ''} + rm -f "${cfg.dbpath}/.first_startup" + fi + ''; }; }; |