mongodb: Add authentication support

* nixos/mongodb: Add authentication support * nixos/mongodb: Add initial script option * nixos/mongodb: Make initial root password configurable * nixos/mongodb: Start only on loopback interface for setup procedure * nixos/mongodb: Test auth/initial script * nixos/mongodb: Code formatting Co-Authored-By: Lassulus <github@lassul.us>
2025-02-21 11:34:13 +00:00 · 2019-05-25 11:09:30 +02:00 · 2019-05-25 11:09:30 +02:00 · 62d4c2b34a
commit 62d4c2b34a
parent e06dc0b5a9
2 changed files with 72 additions and 5 deletions
--- a/nixos/modules/services/databases/mongodb.nix
+++ b/nixos/modules/services/databases/mongodb.nix
@ -8,12 +8,13 @@ let
  mongodb = cfg.package;
-  mongoCnf = pkgs.writeText "mongodb.conf"
+  mongoCnf = cfg: pkgs.writeText "mongodb.conf"
  ''
    net.bindIp: ${cfg.bind_ip}
    ${optionalString cfg.quiet "systemLog.quiet: true"}
    systemLog.destination: syslog
    storage.dbPath: ${cfg.dbpath}
    ${optionalString cfg.enableAuth "security.authorization: enabled"}
    ${optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"}
    ${cfg.extraConfig}
  '';
@ -59,6 +60,18 @@ in
        description = "quieter output";
      };
      enableAuth = mkOption {
        type = types.bool;
        default = false;
        description = "Enable client authentication. Creates a default superuser with username root!";
      };
      initialRootPassword = mkOption {
        type = types.nullOr types.string;
        default = null;
        description = "Password for the root user if auth is enabled.";
      };
      dbpath = mkOption {
        default = "/var/db/mongodb";
        description = "Location where MongoDB stores its files";
@ -84,6 +97,14 @@ in
        '';
        description = "MongoDB extra configuration in YAML format";
      };
      initialScript = mkOption {
        type = types.nullOr types.path;
        default = null;
        description = ''
          A file containing MongoDB statements to execute on first startup.
        '';
      };
    };
  };
@ -92,6 +113,11 @@ in
  ###### implementation
  config = mkIf config.services.mongodb.enable {
    assertions = [
      { assertion = !cfg.enableAuth || cfg.initialRootPassword != null;
        message = "`enableAuth` requires `initialRootPassword` to be set.";
      }
    ];
    users.users.mongodb = mkIf (cfg.user == "mongodb")
      { name = "mongodb";
@ -108,7 +134,7 @@ in
        after = [ "network.target" ];
        serviceConfig = {
-          ExecStart = "${mongodb}/bin/mongod --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}";
+          ExecStart = "${mongodb}/bin/mongod --config ${mongoCnf cfg} --fork --pidfilepath ${cfg.pidFile}";
          User = cfg.user;
          PIDFile = cfg.pidFile;
          Type = "forking";
@ -116,15 +142,50 @@ in
          PermissionsStartOnly = true;
        };
-        preStart = ''
+        preStart = let
          cfg_ = cfg // { enableAuth = false; bind_ip = "127.0.0.1"; };
        in ''
          rm ${cfg.dbpath}/mongod.lock || true
          if ! test -e ${cfg.dbpath}; then
              install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
              # See postStart!
              touch ${cfg.dbpath}/.first_startup
          fi
          if ! test -e ${cfg.pidFile}; then
              install -D -o ${cfg.user} /dev/null ${cfg.pidFile}
          fi '' + lib.optionalString cfg.enableAuth ''
          if ! test -e "${cfg.dbpath}/.auth_setup_complete"; then
            systemd-run --unit=mongodb-for-setup --uid=${cfg.user} ${mongodb}/bin/mongod --config ${mongoCnf cfg_}
            # wait for mongodb
            while ! ${mongodb}/bin/mongo --eval "db.version()" > /dev/null 2>&1; do sleep 0.1; done
          ${mongodb}/bin/mongo <<EOF
            use admin
            db.createUser(
              {
                user: "root",
                pwd: "${cfg.initialRootPassword}",
                roles: [
                  { role: "userAdminAnyDatabase", db: "admin" },
                  { role: "dbAdminAnyDatabase", db: "admin" },
                  { role: "readWriteAnyDatabase", db: "admin" }
                ]
              }
            )
          EOF
            touch "${cfg.dbpath}/.auth_setup_complete"
            systemctl stop mongodb-for-setup
          fi
        '';
        postStart = ''
            if test -e "${cfg.dbpath}/.first_startup"; then
              ${optionalString (cfg.initialScript != null) ''
                ${mongodb}/bin/mongo -u root -p ${cfg.initialRootPassword} admin "${cfg.initialScript}"
              ''}
              rm -f "${cfg.dbpath}/.first_startup"
            fi
        '';
      };
  };
--- a/nixos/tests/mongodb.nix
+++ b/nixos/tests/mongodb.nix
@ -8,7 +8,7 @@ import ./make-test.nix ({ pkgs, ...} : let
 in {
  name = "mongodb";
  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ bluescreen303 offline cstrahan rvl ];
+    maintainers = [ bluescreen303 offline cstrahan rvl phile314 ];
  };
  nodes = {
@ -17,6 +17,12 @@ in {
        {
          services = {
           mongodb.enable = true;
           mongodb.enableAuth = true;
           mongodb.initialRootPassword = "root";
           mongodb.initialScript = pkgs.writeText "mongodb_initial.js" ''
             db = db.getSiblingDB("nixtest");
             db.createUser({user:"nixtest",pwd:"nixtest",roles:[{role:"readWrite",db:"nixtest"}]});
           '';
           mongodb.extraConfig = ''
             # Allow starting engine with only a small virtual disk
             storage.journal.enabled: false
@ -29,6 +35,6 @@ in {
  testScript = ''
    startAll;
    $one->waitForUnit("mongodb.service");
-    $one->succeed("mongo nixtest ${testQuery}") =~ /hello/ or die;
+    $one->succeed("mongo -u nixtest -p nixtest nixtest ${testQuery}") =~ /hello/ or die;
  '';
 })