summary refs log tree commit diff
path: root/nixos/modules/services/databases/mongodb.nix
diff options
context:
space:
mode:
authorphile314-fh <phile314-fh@users.noreply.github.com>2019-05-25 11:09:30 +0200
committerLassulus <github@lassul.us>2019-05-25 18:09:30 +0900
commit62d4c2b34a10afea0365a70e6901a3fc888d9288 (patch)
tree08a23eb834419c11d45ddc69d704ba8680bfbde8 /nixos/modules/services/databases/mongodb.nix
parente06dc0b5a970cb54499878c6f20df49aac0fd589 (diff)
downloadnixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar
nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.gz
nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.bz2
nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.lz
nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.xz
nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.tar.zst
nixpkgs-62d4c2b34a10afea0365a70e6901a3fc888d9288.zip
mongodb: Add authentication support
* nixos/mongodb: Add authentication support

* nixos/mongodb: Add initial script option

* nixos/mongodb: Make initial root password configurable

* nixos/mongodb: Start only on loopback interface for setup procedure

* nixos/mongodb: Test auth/initial script

* nixos/mongodb: Code formatting

Co-Authored-By: Lassulus <github@lassul.us>
Diffstat (limited to 'nixos/modules/services/databases/mongodb.nix')
-rw-r--r--nixos/modules/services/databases/mongodb.nix67
1 files changed, 64 insertions, 3 deletions
diff --git a/nixos/modules/services/databases/mongodb.nix b/nixos/modules/services/databases/mongodb.nix
index 3fe4af2f261..c458a1d648a 100644
--- a/nixos/modules/services/databases/mongodb.nix
+++ b/nixos/modules/services/databases/mongodb.nix
@@ -8,12 +8,13 @@ let
 
   mongodb = cfg.package;
 
-  mongoCnf = pkgs.writeText "mongodb.conf"
+  mongoCnf = cfg: pkgs.writeText "mongodb.conf"
   ''
     net.bindIp: ${cfg.bind_ip}
     ${optionalString cfg.quiet "systemLog.quiet: true"}
     systemLog.destination: syslog
     storage.dbPath: ${cfg.dbpath}
+    ${optionalString cfg.enableAuth "security.authorization: enabled"}
     ${optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"}
     ${cfg.extraConfig}
   '';
@@ -59,6 +60,18 @@ in
         description = "quieter output";
       };
 
+      enableAuth = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable client authentication. Creates a default superuser with username root!";
+      };
+      
+      initialRootPassword = mkOption {
+        type = types.nullOr types.string;
+        default = null;
+        description = "Password for the root user if auth is enabled.";
+      };
+
       dbpath = mkOption {
         default = "/var/db/mongodb";
         description = "Location where MongoDB stores its files";
@@ -84,6 +97,14 @@ in
         '';
         description = "MongoDB extra configuration in YAML format";
       };
+
+      initialScript = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = ''
+          A file containing MongoDB statements to execute on first startup.
+        '';
+      };
     };
 
   };
@@ -92,6 +113,11 @@ in
   ###### implementation
 
   config = mkIf config.services.mongodb.enable {
+    assertions = [
+      { assertion = !cfg.enableAuth || cfg.initialRootPassword != null;
+        message = "`enableAuth` requires `initialRootPassword` to be set.";
+      }
+    ];
 
     users.users.mongodb = mkIf (cfg.user == "mongodb")
       { name = "mongodb";
@@ -108,7 +134,7 @@ in
         after = [ "network.target" ];
 
         serviceConfig = {
-          ExecStart = "${mongodb}/bin/mongod --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}";
+          ExecStart = "${mongodb}/bin/mongod --config ${mongoCnf cfg} --fork --pidfilepath ${cfg.pidFile}";
           User = cfg.user;
           PIDFile = cfg.pidFile;
           Type = "forking";
@@ -116,15 +142,50 @@ in
           PermissionsStartOnly = true;
         };
 
-        preStart = ''
+        preStart = let
+          cfg_ = cfg // { enableAuth = false; bind_ip = "127.0.0.1"; };
+        in ''
           rm ${cfg.dbpath}/mongod.lock || true
           if ! test -e ${cfg.dbpath}; then
               install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
+              # See postStart!
+              touch ${cfg.dbpath}/.first_startup
           fi
           if ! test -e ${cfg.pidFile}; then
               install -D -o ${cfg.user} /dev/null ${cfg.pidFile}
+          fi '' + lib.optionalString cfg.enableAuth ''
+
+          if ! test -e "${cfg.dbpath}/.auth_setup_complete"; then
+            systemd-run --unit=mongodb-for-setup --uid=${cfg.user} ${mongodb}/bin/mongod --config ${mongoCnf cfg_}
+            # wait for mongodb
+            while ! ${mongodb}/bin/mongo --eval "db.version()" > /dev/null 2>&1; do sleep 0.1; done
+
+          ${mongodb}/bin/mongo <<EOF
+            use admin
+            db.createUser(
+              {
+                user: "root",
+                pwd: "${cfg.initialRootPassword}",
+                roles: [
+                  { role: "userAdminAnyDatabase", db: "admin" },
+                  { role: "dbAdminAnyDatabase", db: "admin" },
+                  { role: "readWriteAnyDatabase", db: "admin" }
+                ]
+              }
+            )
+          EOF
+            touch "${cfg.dbpath}/.auth_setup_complete"
+            systemctl stop mongodb-for-setup
           fi
         '';
+        postStart = ''
+            if test -e "${cfg.dbpath}/.first_startup"; then
+              ${optionalString (cfg.initialScript != null) ''
+                ${mongodb}/bin/mongo -u root -p ${cfg.initialRootPassword} admin "${cfg.initialScript}"
+              ''}
+              rm -f "${cfg.dbpath}/.first_startup"
+            fi
+        '';
       };
 
   };
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-13 04:49:26 +0000