summary refs log tree commit diff
path: root/nixos/modules/services/databases
diff options
context:
space:
mode:
authorNikolay Amiantov <ab@fmap.me>2021-12-21 21:24:00 +0300
committerNikolay Amiantov <ab@fmap.me>2021-12-27 20:31:27 +0300
commit9027a59f7a8b776377c2020bd1444fc9c6ac3627 (patch)
treefa0fa16c0d0dfa5cc080ee0abcef78977c8f9657 /nixos/modules/services/databases
parent4d6b67b9685bc2232e08ecd65a1633cbdedef4f5 (diff)
downloadnixpkgs-9027a59f7a8b776377c2020bd1444fc9c6ac3627.tar
nixpkgs-9027a59f7a8b776377c2020bd1444fc9c6ac3627.tar.gz
nixpkgs-9027a59f7a8b776377c2020bd1444fc9c6ac3627.tar.bz2
nixpkgs-9027a59f7a8b776377c2020bd1444fc9c6ac3627.tar.lz
nixpkgs-9027a59f7a8b776377c2020bd1444fc9c6ac3627.tar.xz
nixpkgs-9027a59f7a8b776377c2020bd1444fc9c6ac3627.tar.zst
nixpkgs-9027a59f7a8b776377c2020bd1444fc9c6ac3627.zip
influxdb2 service: don't use dynamic user
It breaks something inside of influxdb2, which results in flurry of errors like these:

> ts=2021-12-21T18:19:35.513910Z lvl=info msg="Write failed" log_id=0YZYwvV0000 service=storage-engine service=write shard=50 error="[shard 50] unlinkat ./L1-00000055.tsi: read-only file system"

I believe this is somehow caused by a mount namespace that systemd creates for
the service, but I didn't investigate this deeper.
Diffstat (limited to 'nixos/modules/services/databases')
-rw-r--r--nixos/modules/services/databases/influxdb2.nix17
1 files changed, 15 insertions, 2 deletions
diff --git a/nixos/modules/services/databases/influxdb2.nix b/nixos/modules/services/databases/influxdb2.nix
index a7aa5245d76..340c515bbb4 100644
--- a/nixos/modules/services/databases/influxdb2.nix
+++ b/nixos/modules/services/databases/influxdb2.nix
@@ -1,5 +1,7 @@
 { config, lib, pkgs, ... }:
+
 with lib;
+
 let
   format = pkgs.formats.json { };
   cfg = config.services.influxdb2;
@@ -9,12 +11,14 @@ in
   options = {
     services.influxdb2 = {
       enable = mkEnableOption "the influxdb2 server";
+
       package = mkOption {
         default = pkgs.influxdb2-server;
         defaultText = literalExpression "pkgs.influxdb2";
         description = "influxdb2 derivation to use.";
         type = types.package;
       };
+
       settings = mkOption {
         default = { };
         description = ''configuration options for influxdb2, see <link xlink:href="https://docs.influxdata.com/influxdb/v2.0/reference/config-options"/> for details.'';
@@ -28,18 +32,20 @@ in
       assertion = !(builtins.hasAttr "bolt-path" cfg.settings) && !(builtins.hasAttr "engine-path" cfg.settings);
       message = "services.influxdb2.config: bolt-path and engine-path should not be set as they are managed by systemd";
     }];
+
     systemd.services.influxdb2 = {
       description = "InfluxDB is an open-source, distributed, time series database";
       documentation = [ "https://docs.influxdata.com/influxdb/" ];
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
       environment = {
-        INFLUXD_CONFIG_PATH = "${configFile}";
+        INFLUXD_CONFIG_PATH = configFile;
       };
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/influxd --bolt-path \${STATE_DIRECTORY}/influxd.bolt --engine-path \${STATE_DIRECTORY}/engine";
         StateDirectory = "influxdb2";
-        DynamicUser = true;
+        User = "influxdb2";
+        Group = "influxdb2";
         CapabilityBoundingSet = "";
         SystemCallFilter = "@system-service";
         LimitNOFILE = 65536;
@@ -47,6 +53,13 @@ in
         Restart = "on-failure";
       };
     };
+
+    users.extraUsers.influxdb2 = {
+      isSystemUser = true;
+      group = "influxdb2";
+    };
+
+    users.extraGroups.influxdb2 = {};
   };
 
   meta.maintainers = with lib.maintainers; [ nickcao ];
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-06 21:31:10 +0000