From 24e561fabca19b9cee1fef98e793b712901b8482 Mon Sep 17 00:00:00 2001
From: Sophie Tauchert
Date: Sat, 18 Nov 2023 20:15:26 +0100
Subject: [PATCH] nixos/invidious: change default database user to invidious

This makes sure we don't need any workarounds for running Invidious with a local PostgreSQL database. Changing the default user should be fine as the new init script for PostgreSQL automatically creates the new user and changes the existing database's owner to the new user. The old user will still linger and must be removed manually.

See also: https://github.com/NixOS/nixpkgs/pull/266270
---
 .../manual/release-notes/rl-2405.section.md | 2 +
 nixos/modules/services/web-apps/invidious.nix | 39 +++++++++----------
 nixos/tests/invidious.nix | 10 ++--
 3 files changed, 24 insertions(+), 27 deletions(-)

diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index d30e0b6624c5..34b1fd1f3685 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -37,6 +37,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - `k9s` was updated to v0.29. There have been breaking changes in the config file format, check out the [changelog](https://github.com/derailed/k9s/releases/tag/v0.29.0) for details.
+- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
+
 - `mkosi` was updated to v19. Parts of the user interface have changed. Consult the [release notes](https://github.com/systemd/mkosi/releases/tag/v19) for a list of changes.
diff --git a/nixos/modules/services/web-apps/invidious.nix b/nixos/modules/services/web-apps/invidious.nix
index 7af1d35e4610..471027c35705 100644
--- a/nixos/modules/services/web-apps/invidious.nix
+++ b/nixos/modules/services/web-apps/invidious.nix
@@ -114,7 +114,11 @@ let
 check_tables = true;
 db = {
- user = lib.mkDefault "kemal";
+ user = lib.mkDefault (
+ if (lib.versionAtLeast config.system.stateVersion "24.05")
+ then "invidious"
+ else "kemal"
+ );
 dbname = lib.mkDefault "invidious";
 port = cfg.database.port;
 # Blank for unix sockets, see
@@ -143,31 +147,26 @@ let
 # Settings necessary for running with an automatically managed local database
 localDatabaseConfig = lib.mkIf cfg.database.createLocally {
+ assertions = [
+ {
+ assertion = cfg.settings.db.user == cfg.settings.db.dbname;
+ message = ''
+ For local automatic database provisioning (services.invidious.database.createLocally == true)
+ to work, the username used to connect to PostgreSQL must match the database name, that is
+ services.invidious.database.user must match services.invidious.database.dbName.
+ This is the default since NixOS 24.05. For older systems, it is normally safe to manually set
+ services.invidious.database.user to "invidious" as the new user will be created with permissions
+ for the existing database.
+ '';
+ }
+ ];
 # Default to using the local database if we create it
 services.invidious.database.host = lib.mkDefault null;
-
- # TODO(raitobezarius to maintainers of invidious): I strongly advise to clean up the kemal specific
- # thing for 24.05 and use `ensureDBOwnership`.
- # See https://github.com/NixOS/nixpkgs/issues/216989
- systemd.services.postgresql.postStart = lib.mkAfter ''
- $PSQL -tAc 'ALTER DATABASE "${cfg.settings.db.dbname}" OWNER TO "${cfg.settings.db.user}";'
- '';
 services.postgresql = {
 enable = true;
- ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = false; };
+ ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = true; };
 ensureDatabases = lib.singleton cfg.settings.db.dbname;
- # This is only needed because the unix user invidious isn't the same as
- # the database user. This tells postgres to map one to the other.
- identMap = ''
- invidious invidious ${cfg.settings.db.user}
- '';
- # And this specifically enables peer authentication for only this
- # database, which allows passwordless authentication over the postgres
- # unix socket for the user map given above.
- authentication = ''
- local ${cfg.settings.db.dbname} ${cfg.settings.db.user} peer map=invidious
- '';
 };
 };
diff --git a/nixos/tests/invidious.nix b/nixos/tests/invidious.nix
index aab62e26b82b..e31cd87f6a00 100644
--- a/nixos/tests/invidious.nix
+++ b/nixos/tests/invidious.nix
@@ -10,12 +10,12 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 services.postgresql = {
 enable = true;
 initialScript = pkgs.writeText "init-postgres-with-password" ''
- CREATE USER kemal WITH PASSWORD 'correct horse battery staple';
- CREATE DATABASE invidious WITH OWNER kemal;
+ CREATE USER invidious WITH PASSWORD 'correct horse battery staple';
+ CREATE DATABASE invidious WITH OWNER invidious;
 '';
 enableTCPIP = true;
 authentication = ''
- host invidious kemal samenet scram-sha-256
+ host invidious invidious samenet scram-sha-256
 '';
 };
 networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
@@ -24,10 +24,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 services.invidious = {
 enable = true;
 };
- services.postgresql.initialScript = pkgs.writeText "init-postgres-with-password" ''
- CREATE USER kemal;
- CREATE DATABASE invidious WITH OWNER kemal;
- '';
 specialisation = {
 nginx.configuration = {
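Review bot: The new assertion in `localDatabaseConfig` only checks `cfg.settings.db.user == cfg.settings.db.dbname`, which is what `ensureDBOwnership = true` needs, but with the `identMap` and the `local … peer map=invidious` rule removed the service now relies on PostgreSQL's default peer authentication over the unix socket, which only succeeds when the database role name equals the unix account the service runs as (presumably `invidious`, the name the removed identMap line mapped; the unit definition is not in this hunk). A setup with `createLocally = true` and `settings.db.user = settings.db.dbname = "foo"` passes the assertion and still cannot connect, so either tighten it, e.g. `assertion = cfg.settings.db.user == cfg.settings.db.dbname && cfg.settings.db.user == "invidious";` if the unit indeed runs as `invidious`, or state the peer-authentication requirement in the message. The message also directs users to `services.invidious.database.user` / `database.dbName` while the comparison reads `cfg.settings.db.user` / `cfg.settings.db.dbname`; I cannot see the option declarations here, so if those paths differ the message should name the options actually compared. The enclosing `let` group begins before the hunk.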