Last active
February 2, 2020 21:02
-
-
Save diamondburned/0cc32e3f122479abf4fbb5fc9fed440c to your computer and use it in GitHub Desktop.
InfluxDB users and databases automation in Nix
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { config, lib, pkgs, ... }: | |
| with lib; | |
| let | |
| cfg = config.services.influxdb; | |
| configOptions = recursiveUpdate { | |
| http = { | |
| enabled = true; | |
| auth-enabled = false; | |
| bind-address = ":8086"; | |
| https-enabled = false; | |
| log-enabled = true; | |
| pprof-enabled = false; | |
| write-tracing = false; | |
| }; | |
| } cfg.extraConfig; | |
| admins = flip filter cfg.users (x: x.permissions == {}); | |
| admin = head admins; | |
| nonads = flip filter cfg.users (x: x.permissions != {}); | |
| databases = cfg.databases; | |
| makeUser = u: '' | |
| # Try and make the same user: | |
| influx -execute "CREATE USER ${u.name} WITH PASSWORD '${u.password}' ${ | |
| optionalString (u.permissions == {}) "WITH ALL PRIVILEGES" | |
| }" || { | |
| # User already exists, change password: | |
| influx -execute "SET PASSWORD FOR ${u.name} = '${u.password}'" | |
| } | |
| ${optionalString (u.permissions != {}) (concatStringsSep "\n" ( | |
| flip mapAttrsToList u.permissions (db: perm: '' | |
| # Normal user: | |
| influx -execute "GRANT ${perm} ON ${db} TO ${u.name}" | |
| '') | |
| ))} | |
| ''; | |
| makeUsers = users: concatMapStrings makeUser users; | |
| makeDatabase = db: '' | |
| influx -execute "CREATE DATABASE \"${db}\"" || exit 1 | |
| ''; | |
| makeDatabases = dbs: concatMapStrings makeDatabase dbs; | |
| in { | |
| ###### interface | |
| options.services.influxdb.users = mkOption { | |
| type = types.listOf (types.submodule { | |
| options = { | |
| name = mkOption { | |
| type = types.str; | |
| description = "Username"; | |
| }; | |
| password = mkOption { | |
| type = types.str; | |
| description = "Password"; | |
| }; | |
| permissions = mkOption { | |
| type = types.attrsOf types.str; | |
| default = { }; | |
| description = '' | |
| If provided, will try and create users with | |
| these permissions. The syntax is simple: it's a | |
| basic map of (database name) = (permission). | |
| Permission is (READ|WRITE|ALL). | |
| ''; | |
| example = literalExample '' | |
| { | |
| "gitea" = "WRITE"; | |
| "nodejs" = "ALL"; | |
| } | |
| ''; | |
| }; | |
| }; | |
| }); | |
| default = [ ]; | |
| example = literalExample '' | |
| [ | |
| { | |
| name = "admin"; | |
| password = "securepassword"; | |
| } | |
| { | |
| name = "user"; | |
| password = "badpassword"; | |
| permissions = { | |
| "gitea" = "ALL"; | |
| }; | |
| } | |
| ] | |
| ''; | |
| }; | |
| options.services.influxdb.databases = mkOption { | |
| type = types.listOf types.str; | |
| default = [ ]; | |
| example = [ "gitea" "nodejs" ]; | |
| }; | |
| ###### implementation | |
| config = mkIf config.services.influxdb.enable { | |
| systemd.services.influxdb.postStart = let | |
| addr = configOptions.http.bind-address; | |
| bindAddr = (optionalString (hasPrefix ":" addr) "127.0.0.1") + addr; | |
| in mkBefore '' | |
| # Read the host and port | |
| IFS=: read host port <<< '${bindAddr}' | |
| inf="$inf -host $host -port $port" | |
| # Optionally add SSL | |
| ${optionalString (configOptions.http.https-enabled) ''inf="$inf -ssl"''} | |
| influx() { | |
| ${cfg.package}/bin/influx \ | |
| -username ${admin.name} \ | |
| -password ${admin.password} \ | |
| -format csv $inf "$@" | |
| } | |
| ${optionalString (admins != []) (makeUsers admins)} | |
| ${optionalString (databases != []) (makeDatabases databases) + | |
| (optionalString (nonads != []) (makeUsers nonads))} | |
| ''; | |
| }; | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment