From 1ce13f5743f12b5e691e3cb80d792af7fc5d63f5 Mon Sep 17 00:00:00 2001
From: Scriptkiddi
Date: Mon, 9 Sep 2019 14:12:38 +0200
Subject: [PATCH] nixos/mysql: add authentication option
Add an authentication option to be able to create mysql users that do not authenticate using the unix_socket plugin, since this requires the username to exist on the host system. (https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/)
---
 nixos/modules/services/databases/mysql.nix | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index df74cfc9a26bf..f5c275da25f83 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -153,6 +153,20 @@ in
 Name of the user to ensure.
 '';
 };
+ authentication_option = mkOption {
+ type = types.str;
+ default = "socket";
+ description = ''
+ Authentication option to use either socket or password. If password is used password_hash has to be set.
+ '';
+ };
+ password_hash = mkOption {
+ type = types.str;
+ default = "";
+ description = ''
+ Password hash to set for user, default is empty, which means no password.
+ '';
+ };
 ensurePermissions = mkOption {
 type = types.attrsOf types.str;
 default = {};
@@ -406,7 +420,7 @@ in
 ${concatMapStrings (user: ''
- ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};"
+ ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' ${optionalString (user.authentication_option == "password") ''IDENTIFIED BY PASSWORD '${user.password_hash}' ''} ${optionalString (user.authentication_option == "socket") ''IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"} ''};"
 ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
 echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';"
 '') user.ensurePermissions)}
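Review bot: `authentication_option` is declared as `types.str`, so any value other than the two strings the second hunk tests for (a typo, or a capitalised `Password`) evaluates cleanly and produces a `CREATE USER` with no `IDENTIFIED` clause at all, which on stock MySQL/MariaDB is an account with no password. Declaring it as `type = types.enum [ "socket" "password" ];` turns that into an evaluation error. `password_hash` fails open the same way: its default `""` combined with `"password"` yields `IDENTIFIED BY PASSWORD ''`, so an assertion that the hash is non-empty whenever password authentication is selected would be worth adding. The description should also state that the hash is written into the generated setup script, which presumably lands in the world-readable Nix store. As a style point, both new names are snake_case next to the camelCase `ensurePermissions`.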
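Review bot: `${user.password_hash}` is spliced into a single-quoted SQL literal that itself sits inside a double-quoted shell `echo`, so a value containing `'`, `"`, `$` or a backtick changes the statement or the shell command the setup script runs. Constraining the option to the hash format, for example `type = types.strMatching "\\*[0-9A-F]{40}";` for mysql_native_password hashes, avoids the need for escaping. The password branch also ignores `isMariaDB`, although `IDENTIFIED BY PASSWORD` was removed in MySQL 8.0, where the equivalent is `IDENTIFIED WITH mysql_native_password AS '…'`. Because the statement is `CREATE USER IF NOT EXISTS`, a later change to the hash or the authentication option is not applied to an account that already exists, which deserves a line in the option description. The enclosing `concatMapStrings` body starts and ends outside the hunk.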
@@ -423,3 +437,4 @@ in }; } +