nixos/invidious: change default database user to invidious
This makes sure we don't need any workarounds for running Invidious with a local PostgreSQL database. Changing the default user should be fine as the new init script for PostgreSQL automatically creates the new user and changes the existing database's owner to the new user. The old user will still linger and must be removed manually. See also: https://github.com/NixOS/nixpkgs/pull/266270
This commit is contained in:
parent
ac5c1886fd
commit
24e561fabc
3 changed files with 24 additions and 27 deletions
|
@ -37,6 +37,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
|
||||||
|
|
||||||
- `k9s` was updated to v0.29. There have been breaking changes in the config file format, check out the [changelog](https://github.com/derailed/k9s/releases/tag/v0.29.0) for details.
|
- `k9s` was updated to v0.29. There have been breaking changes in the config file format, check out the [changelog](https://github.com/derailed/k9s/releases/tag/v0.29.0) for details.
|
||||||
|
|
||||||
|
- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
|
||||||
|
|
||||||
- `mkosi` was updated to v19. Parts of the user interface have changed. Consult the
|
- `mkosi` was updated to v19. Parts of the user interface have changed. Consult the
|
||||||
[release notes](https://github.com/systemd/mkosi/releases/tag/v19) for a list of changes.
|
[release notes](https://github.com/systemd/mkosi/releases/tag/v19) for a list of changes.
|
||||||
|
|
||||||
|
|
|
@ -114,7 +114,11 @@ let
|
||||||
check_tables = true;
|
check_tables = true;
|
||||||
|
|
||||||
db = {
|
db = {
|
||||||
user = lib.mkDefault "kemal";
|
user = lib.mkDefault (
|
||||||
|
if (lib.versionAtLeast config.system.stateVersion "24.05")
|
||||||
|
then "invidious"
|
||||||
|
else "kemal"
|
||||||
|
);
|
||||||
dbname = lib.mkDefault "invidious";
|
dbname = lib.mkDefault "invidious";
|
||||||
port = cfg.database.port;
|
port = cfg.database.port;
|
||||||
# Blank for unix sockets, see
|
# Blank for unix sockets, see
|
||||||
|
@ -143,31 +147,26 @@ let
|
||||||
|
|
||||||
# Settings necessary for running with an automatically managed local database
|
# Settings necessary for running with an automatically managed local database
|
||||||
localDatabaseConfig = lib.mkIf cfg.database.createLocally {
|
localDatabaseConfig = lib.mkIf cfg.database.createLocally {
|
||||||
|
assertions = [
|
||||||
|
{
|
||||||
|
assertion = cfg.settings.db.user == cfg.settings.db.dbname;
|
||||||
|
message = ''
|
||||||
|
For local automatic database provisioning (services.invidious.database.createLocally == true)
|
||||||
|
to work, the username used to connect to PostgreSQL must match the database name, that is
|
||||||
|
services.invidious.database.user must match services.invidious.database.dbName.
|
||||||
|
This is the default since NixOS 24.05. For older systems, it is normally safe to manually set
|
||||||
|
services.invidious.database.user to "invidious" as the new user will be created with permissions
|
||||||
|
for the existing database.
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
];
|
||||||
# Default to using the local database if we create it
|
# Default to using the local database if we create it
|
||||||
services.invidious.database.host = lib.mkDefault null;
|
services.invidious.database.host = lib.mkDefault null;
|
||||||
|
|
||||||
|
|
||||||
# TODO(raitobezarius to maintainers of invidious): I strongly advise to clean up the kemal specific
|
|
||||||
# thing for 24.05 and use `ensureDBOwnership`.
|
|
||||||
# See https://github.com/NixOS/nixpkgs/issues/216989
|
|
||||||
systemd.services.postgresql.postStart = lib.mkAfter ''
|
|
||||||
$PSQL -tAc 'ALTER DATABASE "${cfg.settings.db.dbname}" OWNER TO "${cfg.settings.db.user}";'
|
|
||||||
'';
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = false; };
|
ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = true; };
|
||||||
ensureDatabases = lib.singleton cfg.settings.db.dbname;
|
ensureDatabases = lib.singleton cfg.settings.db.dbname;
|
||||||
# This is only needed because the unix user invidious isn't the same as
|
|
||||||
# the database user. This tells postgres to map one to the other.
|
|
||||||
identMap = ''
|
|
||||||
invidious invidious ${cfg.settings.db.user}
|
|
||||||
'';
|
|
||||||
# And this specifically enables peer authentication for only this
|
|
||||||
# database, which allows passwordless authentication over the postgres
|
|
||||||
# unix socket for the user map given above.
|
|
||||||
authentication = ''
|
|
||||||
local ${cfg.settings.db.dbname} ${cfg.settings.db.user} peer map=invidious
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
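Review bot: The new assertion compares `cfg.settings.db.user == cfg.settings.db.dbname`, but its message tells the user to fix `services.invidious.database.user` and `services.invidious.database.dbName`, which are not the options being compared (and `dbName` does not match the `dbname` attribute the code reads); unless those paths exist as aliases elsewhere in the module, a failing assertion points the reader at the wrong place. Suggested wording for the two message lines: `services.invidious.settings.db.user must match services.invidious.settings.db.dbname.` and `services.invidious.settings.db.user to "invidious" as the new user will be created with permissions`. A related caveat for `ensureDBOwnership = true;`: as far as I know, changing a database's owner does not change the owner of tables already created inside it by `kemal`, so upgraded installations may keep objects owned by the lingering role; the message's statement that the new user "will be created with permissions for the existing database" should be verified or hedged, and the release note could point at the manual cleanup of that role. The enclosing `let` binding starts outside the hunk.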
@ -10,12 +10,12 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
initialScript = pkgs.writeText "init-postgres-with-password" ''
|
initialScript = pkgs.writeText "init-postgres-with-password" ''
|
||||||
CREATE USER kemal WITH PASSWORD 'correct horse battery staple';
|
CREATE USER invidious WITH PASSWORD 'correct horse battery staple';
|
||||||
CREATE DATABASE invidious WITH OWNER kemal;
|
CREATE DATABASE invidious WITH OWNER invidious;
|
||||||
'';
|
'';
|
||||||
enableTCPIP = true;
|
enableTCPIP = true;
|
||||||
authentication = ''
|
authentication = ''
|
||||||
host invidious kemal samenet scram-sha-256
|
host invidious invidious samenet scram-sha-256
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
|
networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
|
||||||
|
@ -24,10 +24,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
|
||||||
services.invidious = {
|
services.invidious = {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
services.postgresql.initialScript = pkgs.writeText "init-postgres-with-password" ''
|
|
||||||
CREATE USER kemal;
|
|
||||||
CREATE DATABASE invidious WITH OWNER kemal;
|
|
||||||
'';
|
|
||||||
|
|
||||||
specialisation = {
|
specialisation = {
|
||||||
nginx.configuration = {
|
nginx.configuration = {
|
||||||
|
|
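Review bot: Removing the `services.postgresql.initialScript` that pre-created `kemal` and an `invidious` database owned by it drops the only coverage of the upgrade path the commit description relies on — an existing database owned by the old role being handed to the new `invidious` user through `ensureDBOwnership`. Keeping that initialScript (with `kemal` as before) in the local-database node would exercise exactly that migration, while a fresh node still covers the clean-install case. The node with only `services.invidious = { enable = true; };` also appears to depend on the default user resolving to `invidious`, which per the module hunk holds only when `system.stateVersion` is at least 24.05; if the test harness pins an older value the default stays `kemal` and the new assertion fires, so pinning `system.stateVersion` in the test or noting the assumption in a comment would make the dependency explicit. The node definitions continue outside the hunk.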