authorFlorian Jacob <fjacob@lavabit.com>2019-04-01 21:08:47 +0200
committerFlorian Jacob <fjacob@lavabit.com>2019-04-01 21:08:47 +0200
commit14571f5ed02fea504d131b130327f845715a7714 (patch)
tree0f828ec21c9bcee54e575dfb238167358a4eca07 /nixos
parent77978c1518f3f2808947696f1b80e0eb8bd8ff9c (diff)
nixos/mysql: fix initialScript option
which was wrongly specified as types.lines
Prevent it from getting copied to nix store as people might use it for
credentials, and make the tests cover it.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/databases/mysql.nix8
-rw-r--r--nixos/tests/mysql.nix7
2 files changed, 13 insertions, 2 deletions
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 12dbc07dcf0..7e3c230fff7 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -133,7 +133,7 @@ in
       };
 
       initialScript = mkOption {
-        type = types.nullOr types.lines;
+        type = types.nullOr types.path;
         default = null;
         description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database";
       };
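Review bot: The `description =` line still reads as if the option held SQL text, but with `types.nullOr types.path` the value is now a location that the startup script (third hunk) reads when the service first starts; a path literal such as `./init.sql` is kept out of the store by the `toString` there, so the file has to exist at that absolute path on the host running MySQL, which the description does not say. I would append to it: `The file is read from the given path at first start and is not copied into the Nix store, so it may contain credentials, but it must be present on the target host.` The enclosing option set continues outside the hunk.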
@@ -363,6 +363,8 @@ in
                           ${optionalString (database.schema != null) ''
                           echo 'use `${database.name}`;'
 
+                          # TODO: this silently falls through if database.schema does not exist,
+                          # we should catch this somehow and exit, but can't do it here because we're in a subshell.
                           if [ -f "${database.schema}" ]
                           then
                               cat ${database.schema}
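Review bot: The new TODO names the problem but not what a reader observes, which is the useful half of such a note; from the visible lines a missing schema file means the `use` statement is emitted and nothing else, so the named database presumably ends up created but empty without any error in the unit log. I would phrase it `# TODO: if database.schema does not exist the database is left empty with no error; we cannot exit here because this runs in a subshell.` The subshell the comment refers to starts outside the hunk.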
@@ -399,7 +401,9 @@ in
                 ${optionalString (cfg.initialScript != null)
                   ''
                     # Execute initial script
-                    cat ${cfg.initialScript} | ${mysql}/bin/mysql -u root -N
+                    # using toString to avoid copying the file to nix store if given as path instead of string,
+                    # as it might contain credentials
+                    cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N
                   ''}
 
                 ${optionalString (cfg.rootPassword != null)
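Review bot: The interpolation at `cat ${toString cfg.initialScript} | ${mysql}/bin/mysql -u root -N` is unquoted, so a path containing whitespace or glob characters is word-split by the shell, and a missing or unreadable file only surfaces as a `cat` error on the left side of the pipe, which the pipeline's exit status does not reflect unless the script runs with `pipefail` (not visible here). Because the change deliberately keeps the file outside the store, where it can be absent or have the wrong mode on the target host, that failure is now more likely than before, so I would make the read part of the mysql command itself: `${mysql}/bin/mysql -u root -N < "${toString cfg.initialScript}"`. The comment above it could also state the effect for path literals: `# toString keeps a path literal (./init.sql) out of the world-readable store; the file is read from that absolute path on this host at first start`. The surrounding startup script starts and ends outside the hunk.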
diff --git a/nixos/tests/mysql.nix b/nixos/tests/mysql.nix
index 97a4dee7f99..cfe10bc41b0 100644
--- a/nixos/tests/mysql.nix
+++ b/nixos/tests/mysql.nix
@@ -14,6 +14,11 @@ import ./make-test.nix ({ pkgs, ...} : {
           { name = "testdb"; schema = ./testdb.sql; }
           { name = "empty_testdb"; }
         ];
+        # note that using pkgs.writeText here is generally not a good idea,
+        # as it will store the password in world-readable /nix/store ;)
+        services.mysql.initialScript = pkgs.writeText "mysql-init.sql" ''
+          CREATE USER 'passworduser'@'localhost' IDENTIFIED BY 'password123';
+        '';
         services.mysql.package = pkgs.mysql;
       };
 
@@ -41,6 +46,8 @@ import ./make-test.nix ({ pkgs, ...} : {
     $mysql->waitForUnit("mysql");
     $mysql->succeed("echo 'use empty_testdb;' | mysql -u root");
     $mysql->succeed("echo 'use testdb; select * from tests;' | mysql -u root -N | grep 4");
+    # ';' acts as no-op, just check whether login succeeds with the user created from the initialScript
+    $mysql->succeed("echo ';' | mysql -u passworduser --password=password123");
 
     $mariadb->waitForUnit("mysql");
     $mariadb->succeed("echo 'use testdb; create table tests (test_id INT, PRIMARY KEY (test_id));' | sudo -u testuser mysql -u testuser");