Merge pull request #271441 from NetaliDev/mysql-auth-fix

2024-11-22 23:13:19 +00:00 · 2023-12-02 23:34:51 +01:00 · 2023-12-02 23:34:51 +01:00 · c3ac6b916c
commit c3ac6b916c
parent 1e6914815f c0b2326892
4 changed files with 65 additions and 25 deletions
--- a/nixos/modules/config/mysql.nix
+++ b/nixos/modules/config/mysql.nix
@ -6,6 +6,8 @@ let
  cfg = config.users.mysql;
 in
 {
+  meta.maintainers = [ maintainers.netali ];
+
  options = {
    users.mysql = {
      enable = mkEnableOption (lib.mdDoc "Authentication against a MySQL/MariaDB database");
@ -358,7 +360,7 @@ in
      user = "root";
      group = "root";
      mode = "0600";
-      # password will be added from password file in activation script
+      # password will be added from password file in systemd oneshot
      text = ''
        users.host=${cfg.host}
        users.db_user=${cfg.user}
@ -423,34 +425,45 @@ in
      mode = "0600";
      user = config.services.nscd.user;
      group = config.services.nscd.group;
-      # password will be added from password file in activation script
+      # password will be added from password file in systemd oneshot
      text = ''
        username ${cfg.user}
      '';
    };

-    # preStart script to append the password from the password file
-    # to the configuration files. It also fixes the owner of the
-    # libnss-mysql-root.cfg because it is changed to root after the
-    # password is appended.
-    systemd.services.mysql.preStart = ''
-      if [[ -r ${cfg.passwordFile} ]]; then
-        org_umask=$(umask)
-        umask 0077
+    systemd.services.mysql-auth-pw-init = {
+      description = "Adds the mysql password to the mysql auth config files";

-        conf_nss="$(mktemp)"
-        cp /etc/libnss-mysql-root.cfg $conf_nss
-        printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
-        mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
-        chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
+      before = [ "nscd.service" ];
+      wantedBy = [ "multi-user.target" ];

-        conf_pam="$(mktemp)"
-        cp /etc/security/pam_mysql.conf $conf_pam
-        printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
-        mv -fT "$conf_pam" /etc/security/pam_mysql.conf
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        Group = "root";
+      };

-        umask $org_umask
-      fi
-    '';
+      restartTriggers = [
+        config.environment.etc."security/pam_mysql.conf".source
+        config.environment.etc."libnss-mysql.cfg".source
+        config.environment.etc."libnss-mysql-root.cfg".source
+      ];
+
+      script = ''
+        if [[ -r ${cfg.passwordFile} ]]; then
+          umask 0077
+          conf_nss="$(mktemp)"
+          cp /etc/libnss-mysql-root.cfg $conf_nss
+          printf 'password %s\n' "$(cat ${cfg.passwordFile})" >> $conf_nss
+          mv -fT "$conf_nss" /etc/libnss-mysql-root.cfg
+          chown ${config.services.nscd.user}:${config.services.nscd.group} /etc/libnss-mysql-root.cfg
+
+          conf_pam="$(mktemp)"
+          cp /etc/security/pam_mysql.conf $conf_pam
+          printf 'users.db_passwd=%s\n' "$(cat ${cfg.passwordFile})" >> $conf_pam
+          mv -fT "$conf_pam" /etc/security/pam_mysql.conf
+        fi
+      '';
+    };
  };
 }
--- a/nixos/tests/auth-mysql.nix
+++ b/nixos/tests/auth-mysql.nix
@ -84,7 +84,7 @@ in
          getpwuid = ''
            SELECT name, 'x', uid, gid, name, CONCAT('/home/', name), "/run/current-system/sw/bin/bash" \
            FROM users \
-            WHERE id=%1$u \
+            WHERE uid=%1$u \
            LIMIT 1
          '';
          getspnam = ''
@ -140,6 +140,7 @@ in

    machine.wait_for_unit("multi-user.target")
    machine.wait_for_unit("mysql.service")
+    machine.wait_until_succeeds("cat /etc/security/pam_mysql.conf | grep users.db_passwd")
    machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")

    with subtest("Local login"):
--- a/pkgs/os-specific/linux/libnss-mysql/default.nix
+++ b/pkgs/os-specific/linux/libnss-mysql/default.nix
@ -1,4 +1,11 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, which, libmysqlclient }:
+{ lib
+, nixosTests
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, which
+, libmysqlclient
+}:

 stdenv.mkDerivation rec {
  pname = "libnss-mysql";
@ -20,6 +27,10 @@ stdenv.mkDerivation rec {
    rm -r $out/etc
  '';

+  passthru.tests = {
+    inherit (nixosTests) auth-mysql;
+  };
+
  meta = with lib; {
    description = "MySQL module for the Solaris Nameservice Switch (NSS)";
    homepage = "https://github.com/saknopper/libnss-mysql";
--- a/pkgs/os-specific/linux/pam_mysql/default.nix
+++ b/pkgs/os-specific/linux/pam_mysql/default.nix
@ -1,4 +1,15 @@
-{ lib, stdenv, fetchFromGitHub, meson, ninja, pam, pkg-config, libmysqlclient, mariadb, libxcrypt }:
+{ lib
+, nixosTests
+, stdenv
+, fetchFromGitHub
+, meson
+, ninja
+, pam
+, pkg-config
+, libmysqlclient
+, mariadb
+, libxcrypt
+}:

 stdenv.mkDerivation rec {
  pname = "pam_mysql";
@ -14,6 +25,10 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ meson pkg-config ninja ];
  buildInputs = [ pam libmysqlclient mariadb libxcrypt ];

+  passthru.tests = {
+    inherit (nixosTests) auth-mysql;
+  };
+
  meta = with lib; {
    description = "PAM authentication module against a MySQL database";
    homepage = "https://github.com/NigelCunningham/pam-MySQL";