Add default config for debian, use systemd-creds by default

2025-12-02 15:08:19 +09:00
parent 999d6cbc71
commit fae1c2c1c8
6 changed files with 51 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 # Rust
 /target
 config.toml
+!assets/debian/config.toml

 # Nix
 /.direnv/
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -85,9 +85,9 @@ assets = [
        "755",
    ],
    [
-        "example-config.toml",
+        "assets/debian/config.toml",
        "etc/muscl/config.toml",
-        "600",
+        "644",
    ],
    [
        "assets/completions/_*",
--- a/README.md
+++ b/README.md
@@ -45,6 +45,28 @@ FLUSH PRIVILEGES;

 Now you should add the login credentials to the muscl configuration file, typically located at `/etc/muscl/config.toml`.

+### Setting the myscl password with `systemd-creds`
+
+The debian package assumes that you will provide the password for `muscl`'s database user with `systemd-creds`.
+
+You can add the password like this (run as root):
+
+```bash
+# Unless you already have a working credential store, you need to set it up first
+mkdir -p /etc/credstore.encrypted
+systemd-creds setup
+
+# Now set the muscl mysql password
+# Be careful not to leave the password in your shell history!
+systemd-creds encrypt --name=muscl_mysql_password <(echo "<strong_password_here>") /etc/credstore.encrypted/muscl_mysql_password
+```
+
+If you are running systemd older than version 254 (see `systemctl --version`), you might have to override the service to point to the path of the credential manually, because `ImportCredential=` is not supported. Run `systemctl edit muscl.service` and add the following line:
+
+```ini
+LoadEncyptedCredential=muscl_mysql_password:/etc/credstore.encrypted/muscl_mysql_password
+```
+
 ### NixOS

 For NixOS, there is a module available via the nix flake. You can include it in your configuration like this:
--- a/assets/debian/config.toml
+++ b/assets/debian/config.toml
@@ -0,0 +1,23 @@
+[mysql]
+# Hostname and port of the database.
+host = "localhost"
+port = 3306
+
+# The path to the unix socket of the database.
+# If you uncomment this line, the host and port will be ignored
+
+# socket_path = "/run/mysql/mysql.sock"
+
+# The username and password for the database connection.
+# The username and password can be omitted if you are connecting
+# to the database using socket based authentication.
+# However, the vendored systemd service is running as DynamicUser,
+# so these need to be specified by default unless you override the
+# systemd unit.
+username = "muscl"
+# This file gets created by systemd automatically, given you have set
+# the password with `systemd-creds`.
+password_file = "/run/credentials/muscl.service/muscl_mysql_password"
+
+# Database connection timeout in seconds
+timeout = 2
--- a/assets/systemd/muscl.service
+++ b/assets/systemd/muscl.service
@@ -17,6 +17,8 @@ DynamicUser=yes

 ConfigurationDirectory=muscl

+ImportCredential=muscl_mysql_password
+
 # This is required to read unix user/group details.
 PrivateUsers=false

--- a/nix/module.nix
+++ b/nix/module.nix
@@ -135,6 +135,7 @@ in
          cfg.settings.mysql.socket_path
        ];

+        ImportCredential = "";
        LoadCredential = lib.mkIf (cfg.settings.mysql.passwordFile != null) [
          "mysql-password:${cfg.settings.mysql.passwordFile}"
        ];