diff options
| author | Daniel Schaefer <git@danielschaefer.me> | 2019-04-26 00:59:23 +0200 |
|---|---|---|
| committer | Daniel Schaefer <git@danielschaefer.me> | 2019-06-13 04:36:41 +0200 |
| commit | 9ecd58478595dab0270c20309e0b0399711b3a0f (patch) | |
| tree | 06c9fdb9fb3bfe59e413cc47696f81242787224e /nixos/modules/services | |
| parent | 7d646f260566361606b256b608fdf57e9d8a4564 (diff) | |
nixos/cassandra: Add option for password file path
If you're on a multi user system you don't want to have the password in
the nix-store. With the new jmxRolesFile option you can specify your own
protected file instead.
Diffstat (limited to 'nixos/modules/services')
| -rw-r--r-- | nixos/modules/services/databases/cassandra.nix | 30 |
1 files changed, 25 insertions, 5 deletions
diff --git a/nixos/modules/services/databases/cassandra.nix b/nixos/modules/services/databases/cassandra.nix index c15ac37be120..d6071b6ee675 100644 --- a/nixos/modules/services/databases/cassandra.nix +++ b/nixos/modules/services/databases/cassandra.nix @@ -19,7 +19,7 @@ let data_file_directories = [ "${cfg.homeDir}/data" ]; commitlog_directory = "${cfg.homeDir}/commitlog"; saved_caches_directory = "${cfg.homeDir}/saved_caches"; - } // (if builtins.compareVersions cfg.package.version "3" >= 0 + } // (if lib.versionAtLeast cfg.package.version "3" then { hints_directory = "${cfg.homeDir}/hints"; } else {}) ); @@ -52,13 +52,13 @@ let sed -i '/-Dcom.sun.management.jmxremote.password.file=\/etc\/cassandra\/jmxremote.password/d' "$out/cassandra-env.sh" ''; }; - jmxPasswordFile = builtins.foldl' + defaultJmxRolesFile = builtins.foldl' (left: right: left + right) "" (map (role: "${role.username} ${role.password}") cfg.jmxRoles); fullJvmOptions = cfg.jvmOpts ++ lib.optionals (cfg.jmxRoles != []) [ "-Dcom.sun.management.jmxremote.authenticate=true" - "-Dcom.sun.management.jmxremote.password.file=${pkgs.writeText "jmxremote.password" jmxPasswordFile}" + "-Dcom.sun.management.jmxremote.password.file=${cfg.jmxRolesFile}" ] ++ lib.optionals cfg.remoteJmx [ "-Djava.rmi.server.hostname=${cfg.rpcAddress}" @@ -341,6 +341,10 @@ in { default = []; description = '' Roles that are allowed to access the JMX (e.g. nodetool) + BEWARE: The passwords will be stored world readable in the nix-store. + + Doesn't work in versions older than 3.11 because they don't like that + it's world readable. ''; type = types.listOf (types.submodule { options = { @@ -355,6 +359,19 @@ in { }; }); }; + jmxRolesFile = mkOption { + type = types.nullOr types.path; + default = if (lib.versionAtLeast cfg.package.version "3.11") + then pkgs.writeText "jmx-roles-file" defaultJmxRolesFile + else null; + example = "/var/lib/cassandra/jmx.password"; + description = '' + Specify your own jmx roles file. + + Make sure the permissions forbid "others" from reading the file if + you're using Cassandra below version 3.11. + ''; + }; }; config = mkIf cfg.enable { @@ -368,8 +385,11 @@ in { { assertion = (cfg.maxHeapSize == null) == (cfg.heapNewSize == null); message = "If you set either of maxHeapSize or heapNewSize you have to set both"; } - { assertion = cfg.remoteJmx -> (cfg.jmxRoles != {}); - message = "If you want JMX available remotely you need to set a password."; + { assertion = cfg.remoteJmx -> cfg.jmxRolesFile != null; + message = '' + If you want JMX available remotely you need to set a password using + `jmxRoles` or `jmxRolesFile` if using Cassandra older than v3.11. + ''; } ]; users = mkIf (cfg.user == defaultUser) { |