From 978dabaa231a06cc7924e1dcfdc238be7b5ab2da Mon Sep 17 00:00:00 2001
From: Sophie Tauchert
Date: Sat, 18 Nov 2023 20:15:26 +0100
Subject: [PATCH] nixos/invidious: change default database user to invidious

This makes sure we don't need any workarounds for running Invidious with a local PostgreSQL database. Changing the default user should be fine as the new init script for PostgreSQL automatically creates the new user and changes the existing database's owner to the new user. The old user will still linger and must be removed manually.

See also: https://github.com/NixOS/nixpkgs/pull/266270
---
 .../manual/release-notes/rl-2405.section.md | 2 +-
 nixos/modules/services/web-apps/invidious.nix | 39 +++++++++----------
 nixos/tests/invidious.nix | 10 ++---
 3 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index e2f99c20cfc8b91..f1e02a6a75db3af 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -20,7 +20,7 @@ In addition to numerous new and upgraded packages, this release has the followin
-- Create the first release note entry in this section!
+- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.
 ## Other Notable Changes {#sec-release-24.05-notable-changes}
diff --git a/nixos/modules/services/web-apps/invidious.nix b/nixos/modules/services/web-apps/invidious.nix
index 2e3aa0f4dd9e086..07d4c129a42f5bc 100644
--- a/nixos/modules/services/web-apps/invidious.nix
+++ b/nixos/modules/services/web-apps/invidious.nix
@@ -114,7 +114,11 @@ let
 check_tables = true;
 db = {
- user = lib.mkDefault "kemal";
+ user = lib.mkDefault (
+ if (lib.versionAtLeast config.system.stateVersion "24.05")
+ then "invidious"
+ else "kemal"
+ );
 dbname = lib.mkDefault "invidious";
 port = cfg.database.port;
 # Blank for unix sockets, see
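Review bot: The new default on the `user =` line is keyed on `config.system.stateVersion`, but nothing at the site says why, and the release-note entry in this same commit describes the rename as unconditional, so a reader of either half gets a different picture. A short comment above the `if` would keep them in step, e.g. `# Existing deployments (stateVersion < 24.05) keep the "kemal" role they were provisioned with; new ones get "invidious". The createLocally assertion below requires user == dbname, so older systems using the local database must set the user explicitly.` That second sentence matters because, with the assertion added later in this patch, a pre-24.05 system with `createLocally = true` now fails evaluation on its defaults instead of just keeping the old role. The enclosing `let` binding starts outside the hunk.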
@@ -143,31 +147,26 @@ let
 # Settings necessary for running with an automatically managed local database
 localDatabaseConfig = lib.mkIf cfg.database.createLocally {
+ assertions = [
+ {
+ assertion = cfg.settings.db.user == cfg.settings.db.dbname;
+ message = '' For local automatic database provisioning (services.invidious.database.createLocally == true) to work, the username used to connect to PostgreSQL must match the database name, that is services.invidious.database.user must match services.invidious.database.dbName. This is the default since NixOS 24.05. For older systems, it is normally safe to manually set services.invidious.database.user to "invidious" as the new user will be created with permissions for the existing database. '';
+ }
+ ];
 # Default to using the local database if we create it
 services.invidious.database.host = lib.mkDefault null;
-
- # TODO(raitobezarius to maintainers of invidious): I strongly advise to clean up the kemal specific
- # thing for 24.05 and use `ensureDBOwnership`.
- # See https://github.com/NixOS/nixpkgs/issues/216989
- systemd.services.postgresql.postStart = lib.mkAfter ''
- $PSQL -tAc 'ALTER DATABASE "${cfg.settings.db.dbname}" OWNER TO "${cfg.settings.db.user}";'
- '';
 services.postgresql = {
 enable = true;
- ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = false; };
+ ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = true; };
 ensureDatabases = lib.singleton cfg.settings.db.dbname;
- # This is only needed because the unix user invidious isn't the same as
- # the database user. This tells postgres to map one to the other.
- identMap = ''
- invidious invidious ${cfg.settings.db.user}
- '';
- # And this specifically enables peer authentication for only this
- # database, which allows passwordless authentication over the postgres
- # unix socket for the user map given above.
- authentication = ''
- local ${cfg.settings.db.dbname} ${cfg.settings.db.user} peer map=invidious
- '';
 };
 };
diff --git a/nixos/tests/invidious.nix b/nixos/tests/invidious.nix
index aab62e26b82b744..e31cd87f6a00474 100644
--- a/nixos/tests/invidious.nix
+++ b/nixos/tests/invidious.nix
@@ -10,12 +10,12 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 services.postgresql = {
 enable = true;
 initialScript = pkgs.writeText "init-postgres-with-password" ''
- CREATE USER kemal WITH PASSWORD 'correct horse battery staple';
- CREATE DATABASE invidious WITH OWNER kemal;
+ CREATE USER invidious WITH PASSWORD 'correct horse battery staple';
+ CREATE DATABASE invidious WITH OWNER invidious;
 '';
 enableTCPIP = true;
 authentication = ''
- host invidious kemal samenet scram-sha-256
+ host invidious invidious samenet scram-sha-256
 '';
 };
 networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
@@ -24,10 +24,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 services.invidious = {
 enable = true;
 };
- services.postgresql.initialScript = pkgs.writeText "init-postgres-with-password" ''
- CREATE USER kemal;
- CREATE DATABASE invidious WITH OWNER kemal;
- '';
 specialisation = {
 nginx.configuration = {
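Review bot: The assertion message added in this hunk tells pre-24.05 users that switching the database user to "invidious" is "normally safe" because the new role gets the existing database, but `ensureDBOwnership = true` transfers ownership of the database object only; tables created earlier under the `kemal` role presumably stay owned by `kemal`, so the new role may lack privileges on them until ownership is reassigned — worth confirming against the PostgreSQL module before promising safety. The message also names `services.invidious.database.user` and `services.invidious.database.dbName`, while the assertion itself compares `cfg.settings.db.user` with `cfg.settings.db.dbname`; if the `database.*` options do not exist, the text should point at the `settings.db` attributes instead. Since the old `kemal` role is neither dropped nor stripped of its grants (the commit message says it lingers), I would append to the message: `After migrating, reassign anything still owned by "kemal" and drop that role so an unused login role does not remain.` The enclosing `localDatabaseConfig` attribute set closes within the hunk.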