mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-20 12:42:24 +00:00
Code Issues Wiki Activity

nixos/cassandra: Add option for password file path

Browse source 
If you're on a multi user system you don't want to have the password in
the nix-store. With the new jmxRolesFile option you can specify your own
protected file instead.
This commit is contained in:
Daniel Schaefer 2019-04-26 00:59:23 +02:00
parent 7d646f2605
commit 9ecd584785
1 changed files with 25 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
nixos/modules/services/databases/cassandra.nix
View file

@ -19,7 +19,7 @@ let
data_file_directories = [ "${cfg.homeDir}/data" ]; data_file_directories = [ "${cfg.homeDir}/data" ];
commitlog_directory = "${cfg.homeDir}/commitlog"; commitlog_directory = "${cfg.homeDir}/commitlog";
saved_caches_directory = "${cfg.homeDir}/saved_caches"; saved_caches_directory = "${cfg.homeDir}/saved_caches";
} // (if builtins.compareVersions cfg.package.version "3" >= 0 } // (if lib.versionAtLeast cfg.package.version "3"
then { hints_directory = "${cfg.homeDir}/hints"; } then { hints_directory = "${cfg.homeDir}/hints"; }
else {}) else {})
); );
@ -52,13 +52,13 @@ let
sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh"
''; '';
}; };
jmxPasswordFile = builtins.foldl' defaultJmxRolesFile = builtins.foldl'
(left: right: left + right) "" (left: right: left + right) ""
(map (role: "${role.username} ${role.password}") cfg.jmxRoles); (map (role: "${role.username} ${role.password}") cfg.jmxRoles);
fullJvmOptions = cfg.jvmOpts fullJvmOptions = cfg.jvmOpts
++ lib.optionals (cfg.jmxRoles != []) [ ++ lib.optionals (cfg.jmxRoles != []) [
"-Dcom.sun.management.jmxremote.authenticate=true" "-Dcom.sun.management.jmxremote.authenticate=true"
"-Dcom.sun.management.jmxremote.password.file=${pkgs.writeText "jmxremote.password" jmxPasswordFile}" "-Dcom.sun.management.jmxremote.password.file=${cfg.jmxRolesFile}"
] ]
++ lib.optionals cfg.remoteJmx [ ++ lib.optionals cfg.remoteJmx [
"-Djava.rmi.server.hostname=${cfg.rpcAddress}" "-Djava.rmi.server.hostname=${cfg.rpcAddress}"
@ -341,6 +341,10 @@ in {
default = []; default = [];
description = '' description = ''
Roles that are allowed to access the JMX (e.g. nodetool) Roles that are allowed to access the JMX (e.g. nodetool)
BEWARE: The passwords will be stored world readable in the nix-store.
Doesn't work in versions older than 3.11 because they don't like that
it's world readable.
''; '';
type = types.listOf (types.submodule { type = types.listOf (types.submodule {
options = { options = {
@ -355,6 +359,19 @@ in {
}; };
}); });
}; };
jmxRolesFile = mkOption {
type = types.nullOr types.path;
default = if (lib.versionAtLeast cfg.package.version "3.11")
then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile
else null;
example = "/var/lib/cassandra/jmx.password";
description = ''
Specify your own jmx roles file.
Make sure the permissions forbid "others" from reading the file if
you're using Cassandra below version 3.11.
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -368,8 +385,11 @@ in {
{ assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); { assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null);
message = "If you set either of maxHeapSize or heapNewSize you have to set both"; message = "If you set either of maxHeapSize or heapNewSize you have to set both";
} }
{ assertion = cfg.remoteJmx -> (cfg.jmxRoles != {}); { assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null;
message = "If you want JMX available remotely you need to set a password."; message = ''
If you want JMX available remotely you need to set a password using
`jmxRoles` or `jmxRolesFile` if using Cassandra older than v3.11.
'';
} }
]; ];
users = mkIf (cfg.user == defaultUser) { users = mkIf (cfg.user == defaultUser) {