switch to mariadb connector, remove password
minijackson committed Aug 1, 2023
1 parent ebc5d00 commit 92345aa
Showing 6 changed files with 58 additions and 148 deletions.
119 changes: 14 additions & 105 deletions nixos/modules/archiver-appliance.nix
Expand Up @@ -57,7 +57,6 @@
<Resource
name="jdbc/archappl"
type="javax.sql.DataSource"
username="archappl"
removeAbandonedTimeout="60"
removeAbandoned="true"
logAbandoned="true"
Expand All @@ -67,64 +66,6 @@
/>
</Context>
'';
# contextXml = pkgs.writeTextDir "/context.xml" ''
# <?xml version="1.0" encoding="UTF-8"?>
# <!--
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# -->
# <!-- The contents of this file will be loaded for each web application -->
# <Context>
#
# <!-- Default set of monitored resources. If one of these changes, the -->
# <!-- web application will be reloaded. -->
# <WatchedResource>WEB-INF/web.xml</WatchedResource>
# <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
# <WatchedResource>''${catalina.base}/conf/web.xml</WatchedResource>
#
# <!-- Uncomment this to disable session persistence across Tomcat restarts -->
# <!--
# <Manager pathname="" />
# -->
#
# <Resource
# name="jdbc/archappl"
# type="javax.sql.DataSource"
# factory="org.newsclub.net.mysql.AFUNIXDatabaseSocketFactory"
# username="archappl"
# testWhileIdle="true"
# testOnBorrow="true"
# testOnReturn="false"
# validationQuery="SELECT 1"
# validationInterval="30000"
# timeBetweenEvictionRunsMillis="30000"
# maxActive="10"
# minIdle="2"
# maxWait="10000"
# initialSize="2"
# removeAbandonedTimeout="60"
# removeAbandoned="true"
# logAbandoned="true"
# minEvictableIdleTimeMillis="30000"
# jmxEnabled="true"
# driverClassName="com.mysql.jdbc.Driver"
# junixsocket.file="/run/mysqld/mysqld.sock"
# url="jdbc:mysql://localhost:3306/archappl"
# />
# </Context>
# '';

loggingProperties = pkgs.writeTextDir "/logging.properties" ''
.handlers = java.util.logging.ConsoleHandler
Expand Down Expand Up @@ -171,17 +112,6 @@ in {
default = defaultAppliancesXml;
};

# TODO: to UNIX socket auth
# TODO: or, to file, if possible?
databasePassword = lib.mkOption {
description = ''
Password for the MySQL database.
The password will be automatically set for the given user.
'';
type = lib.types.str;
};

settings = lib.mkOption {
description = ''
Configuration for Archiver Appliance.
Expand Down Expand Up @@ -349,25 +279,16 @@ in {

commonLibs = [
"${log4jProperties}/log4j.properties"

# We use the mariadb connecter, since it supports UNIX socket connection,
# which allows us not not store the password in plaintext in the config.
"${pkgs.epnix.mariadb_jdbc}/share/java/mariadb-java-client.jar"
# "${pkgs.mysql_jdbc}/share/java/mysql-connector-java.jar"
# "${pkgs.epnix.junixsocket}/lib/junixsocket-common.jar"
# "${pkgs.epnix.junixsocket}/lib/junixsocket-mysql.jar"
];

# commonLibs = [
# (let
# file = pkgs.writeTextDir "/log4j.properties" ''
# log4j.rootLogger=ERROR, stdout
# log4j.logger.config.org.epics.archiverappliance=INFO
# log4j.logger.org.apache.http=ERROR
#
# log4j.appender.stdout=org.apache.log4j.ConsoleAppender
# log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
# log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
# '';
# in "${file}/log4j.properties")
# ];
# Dependencies of the mariadb connector, for UNIX sockets:
# TODO: use the nixpkgs version when we switch to NixOS 23.05
"${pkgs.epnix.jna}/share/java/jna.jar"
"${pkgs.epnix.jna}/share/java/jna-platform.jar"
];

user = "archappl";
group = "archappl";
Expand All @@ -378,12 +299,6 @@ in {
wants = ["mysql.service"];

environment = cfg.settings;
# preStart = ''
# echo '${e}' | ${config.services.mysql.package}/bin/mysql \
# -u archappl \
# "-p${cfg.databasePassword}" \
# archappl
# '';
};

users.groups."archappl" = {};
Expand All @@ -402,18 +317,12 @@ in {
schema = "${cfg.package}/share/archappl/sql/archappl_mysql.sql";
}
];
# ensureUsers = [
# {
# name = "archappl";
# ensurePermissions."archappl.*" = "ALL PRIVILEGES";
# }
# ];

# TODO escape password
initialScript = pkgs.writeText "mysql-init.sql" ''
CREATE USER IF NOT EXISTS 'archappl'@'localhost' IDENTIFIED BY '${cfg.databasePassword}';
GRANT ALL PRIVILEGES ON archappl.* TO 'archappl'@'localhost';
'';
ensureUsers = [
{
name = "archappl";
ensurePermissions."archappl.*" = "ALL PRIVILEGES";
}
];
};

systemd.mounts = let
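Review bot: The `ensureUsers` entry at the end of this section only takes effect on a fresh database. The removed `initialScript` created `'archappl'@'localhost'` with `IDENTIFIED BY` a password, and as far as I know the NixOS mysql module creates ensured users with `CREATE USER IF NOT EXISTS`, so on an already deployed host the account would keep its password login. That password was interpolated into files in the world-readable Nix store, so it should be treated as exposed; a documented migration step such as `ALTER USER 'archappl'@'localhost' IDENTIFIED VIA unix_socket;` (MariaDB syntax, to be confirmed against the deployed server) would close that. Separately, dropping `databasePassword` outright makes existing configurations fail at evaluation with a generic error; `(lib.mkRemovedOptionModule ["services" "archiver-appliance" "databasePassword"] "The archiver now authenticates over the UNIX socket.")` in `imports` would give a clear message instead. The module body starts and ends outside the visible hunks.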
1 change: 0 additions & 1 deletion nixos/tests/archiver-appliance/default.nix
Expand Up @@ -25,7 +25,6 @@
server = {
services.archiver-appliance = {
enable = true;
databasePassword = "12345verysecure";

# Weird, but the broadcast address is not properly set
settings = {
2 changes: 1 addition & 1 deletion pkgs/default.nix
Expand Up @@ -55,8 +55,8 @@ with prev;

# Other utilities

jna = callPackage ./epnix/tools/jna {};
mariadb_jdbc = callPackage ./epnix/tools/mariadb_jdbc {};
junixsocket = callPackage ./epnix/tools/junixsocket {};

# EPNix specific packages
book = callPackage ./book {};
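--- a/pkgs/epnix/tools/jna/default.nix
+++ b/pkgs/epnix/tools/jna/default.nix
@@ -0,0 +1,42 @@
+{
+stdenv,
+lib,
+fetchFromGitHub,
+ant,
+jdk8,
+}:
+stdenv.mkDerivation rec {
+pname = "jna";
+version = "5.13.0";
+
+src = fetchFromGitHub {
+owner = "java-native-access";
+repo = pname;
+rev = version;
+hash = "sha256-EIOVmzQcnbL1NmxAaUVCMDvs9wpKqhP5iHAPoBVs3ho=";
+};
+
+nativeBuildInputs = [ant jdk8];
+
+buildPhase = ''
+runHook preBuild
+rm -r dist # remove prebuilt files
+ant dist
+runHook postBuild
+'';
+
+installPhase = ''
+runHook preInstall
+install -Dm444 -t $out/share/java dist/jna{,-platform}.jar
+runHook postInstall
+'';
+
+meta = with lib; {
+inherit (src.meta) homepage;
+description = "Java Native Access";
+license = with licenses; [lgpl21 asl20];
+maintainers = with maintainers; [nagy];
+platforms = platforms.linux;
+changelog = "https://github.com/java-native-access/jna/blob/${version}/CHANGES.md";
+};
+}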
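Review bot: The `rm -r dist # remove prebuilt files` step in `buildPhase` clears only `dist/`, so any other prebuilt jars or native libraries the upstream tree may carry would still end up in `jna.jar`, which Tomcat then loads with native-code access. It is worth checking whether `ant dist` repackages bundled native archives. If it does, either delete those inputs before `ant dist` or declare them in `meta` with `sourceProvenance = with sourceTypes; [fromSource binaryNativeCode];`. Going by the TODO in the archiver module, this package appears to stand in for the nixpkgs one, so a comment such as `# Local copy of jna; drop when moving to NixOS 23.05` above `stdenv.mkDerivation` would record why it lives here.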
39 changes: 0 additions & 39 deletions pkgs/epnix/tools/junixsocket/default.nix

This file was deleted.

3 changes: 1 addition & 2 deletions pkgs/epnix/tools/mariadb_jdbc/default.nix
@@ -1,7 +1,7 @@
# TODO: upstream
{
lib,
stdenv,
fetchzip,
fetchurl,
jdk,
}:
Expand All @@ -10,7 +10,6 @@ stdenv.mkDerivation (self: {
version = "3.1.4";

src = fetchurl {
# url = "https://dlm.mariadb.com/2912788/Connectors/java/connector-java-${self.version}/mariadb-connector-j-${self.version}.tar.gz";
url = "https://dlm.mariadb.com/2912798/Connectors/java/connector-java-${self.version}/mariadb-java-client-${self.version}.jar";
hash = "sha256-64i11yfYLiURfitvq87B2vc0YzsKV2RWxzIViEwYmtQ=";
};
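Review bot: `src` downloads a prebuilt `mariadb-java-client` jar that the module places in Tomcat's `commonLibs`, so the package should declare that it is not built from source. If `meta` (outside this hunk) does not already carry it, add `sourceProvenance = with lib.sourceTypes; [binaryBytecode];`. The pinned `hash` is what protects the download, and the URL embeds a download id (`2912798`) that is not derived from `version`; a short comment above `url` saying where that id comes from would help whoever bumps the version re-verify the artefact. The derivation body continues outside the hunk.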
