author | Aaron Andersen <aaron@fosslib.net> | 2021-12-18 20:50:48 -0500 |
---|---|---|
committer | Aaron Andersen <aaron@fosslib.net> | 2021-12-18 21:01:42 -0500 |
commit | c7cac1bdc0ccf1c7f0d36e87b2ac6deb370a0fae (patch) | |
tree | 32b2f1584686191bc96e1d5f35fcc4756c275052 /nixos/modules/services/databases | |
parent | 382e4ba09adc46598ff781124663bd7668592e58 (diff) | |
nixos/mysql: use systemd StateDirectory to provision the data directory
Diffstat (limited to 'nixos/modules/services/databases')
-rw-r--r-- | nixos/modules/services/databases/mysql.nix | 90 |
1 files changed, 49 insertions, 41 deletions
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix index a9d9a6d8058..cd1a3115502 100644 --- a/nixos/modules/services/databases/mysql.nix +++ b/nixos/modules/services/databases/mysql.nix @@ -68,7 +68,14 @@ in dataDir = mkOption { type = types.path; example = "/var/lib/mysql"; - description = "Location where MySQL stores its table files."; + description = '' + The data directory for MySQL. + + <note><para> + If left as the default value of <literal>/var/lib/mysql</literal> this directory will automatically be created before the MySQL + server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. + </para></note> + ''; }; configFile = mkOption { @@ -341,11 +348,6 @@ in environment.etc."my.cnf".source = cfg.configFile; - systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 '${cfg.user}' '${cfg.group}' - -" - "z '${cfg.dataDir}' 0700 '${cfg.user}' '${cfg.group}' - -" - ]; - systemd.services.mysql = let hasNotify = isMariaDB; in { 
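Review bot: The new option note only asks for "appropriate ownership and permissions" on a non-default dataDir, but the removed `z` rule used to reset any such directory to 0700 `${cfg.user}:${cfg.group}` on every boot, so that silent re-hardening is gone and the documentation should state the requirement explicitly. I would end the sentence with `otherwise you must create the directory yourself, owned by the configured user and group with mode 0700; the module no longer adjusts ownership or permissions of an existing directory.` It is also worth one sentence saying that the default-path detection is a plain equality on the option value (second hunk), so a trailing slash or any other spelling of the same path counts as non-default.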
@@ -489,41 +491,47 @@ in '') cfg.ensureUsers} ''; - serviceConfig = { - Type = if hasNotify then "notify" else "simple"; - Restart = "on-abort"; - RestartSec = "5s"; - - # User and group - User = cfg.user; - Group = cfg.group; - # Runtime directory and mode - RuntimeDirectory = "mysqld"; - RuntimeDirectoryMode = "0755"; - # Access write directories - ReadWritePaths = [ cfg.dataDir ]; - # Capabilities - CapabilityBoundingSet = ""; - # Security - NoNewPrivileges = true; - # Sandboxing - ProtectSystem = "strict"; - ProtectHome = true; - PrivateTmp = true; - PrivateDevices = true; - ProtectHostname = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectControlGroups = true; - RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; - LockPersonality = true; - MemoryDenyWriteExecute = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - PrivateMounts = true; - # System Call Filtering - SystemCallArchitectures = "native"; - }; + serviceConfig = mkMerge [ + { + Type = if hasNotify then "notify" else "simple"; + Restart = "on-abort"; + RestartSec = "5s"; + + # User and group + User = cfg.user; + Group = cfg.group; + # Runtime directory and mode + RuntimeDirectory = "mysqld"; + RuntimeDirectoryMode = "0755"; + # Access write directories + ReadWritePaths = [ cfg.dataDir ]; + # Capabilities + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + } + (mkIf (cfg.dataDir == "/var/lib/mysql") { + StateDirectory = "mysql"; + 
StateDirectoryMode = "0700"; + }) + ]; }; }; |
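Review bot: The guard `cfg.dataDir == "/var/lib/mysql"` is a string equality on a `types.path` option, so a value given as a Nix path literal (`dataDir = /var/lib/mysql;`) or with a trailing slash compares unequal and the unit silently gets no StateDirectory, leaving the directory uncreated even though the user arguably kept the default location. Comparing the stringified value, `(mkIf (toString cfg.dataDir == "/var/lib/mysql") {`, covers the path-literal case if I read `types.path` correctly (it accepts anything coercible to a string that starts with `/` and keeps the value as given). For the default path, systemd's StateDirectory handling, as I read systemd.exec(5), re-chowns an existing directory recursively when the owner differs and applies StateDirectoryMode to the directory itself, so it is at least as strict as the removed `z` rule; a short comment above the mkIf, `# Replaces the former tmpfiles d/z rules; only the default location is provisioned by systemd`, would keep the next reader from re-adding them. The enclosing systemd.services.mysql definition begins outside the hunk.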