diff --git a/.gitignore b/.gitignore
index 5cb86a4..42c2c90 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 # Rust
 /target
 config.toml
+!assets/debian/config.toml
 # Nix
 /.direnv/
diff --git a/Cargo.toml b/Cargo.toml
index 2de5619..6c65c43 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -85,9 +85,9 @@ assets = [
 "755",
 ],
 [
- "example-config.toml",
+ "assets/debian/config.toml",
 "etc/muscl/config.toml",
- "600",
+ "644",
 ],
 [
 "assets/completions/_*",
diff --git a/README.md b/README.md
index 51d8117..25e1a69 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,28 @@ FLUSH PRIVILEGES; Now you should add the login credentials to the muscl configuration file, typically located at `/etc/muscl/config.toml`.
+### Setting the myscl password with `systemd-creds`
+
+The debian package assumes that you will provide the password for `muscl`'s database user with `systemd-creds`.
+
+You can add the password like this (run as root):
+
+```bash
+# Unless you already have a working credential store, you need to set it up first
+mkdir -p /etc/credstore.encrypted
+systemd-creds setup
+
+# Now set the muscl mysql password
+# Be careful not to leave the password in your shell history!
+systemd-creds encrypt --name=muscl_mysql_password <(echo "") /etc/credstore.encrypted/muscl_mysql_password
+```
+
+If you are running systemd older than version 254 (see `systemctl --version`), you might have to override the service to point to the path of the credential manually, because `ImportCredential=` is not supported. Run `systemctl edit muscl.service` and add the following line:
+
+```ini
+LoadEncyptedCredential=muscl_mysql_password:/etc/credstore.encrypted/muscl_mysql_password
+```
+
 ### NixOS For NixOS, there is a module available via the nix flake. You can include it in your configuration like this:
diff --git a/assets/debian/config.toml b/assets/debian/config.toml
new file mode 100644
index 0000000..38a54f3
--- /dev/null
+++ b/assets/debian/config.toml
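Review bot: The mode for the installed config drops from `"600"` to `"644"`, making /etc/muscl/config.toml readable by every local user, and nothing in the hunk records why that is acceptable; presumably it is only because the shipped file now points at `password_file` instead of carrying an inline `password`, and because a unit running as DynamicUser cannot read a root-owned 0600 file. An operator who later writes `password = "..."` into this file would publish the secret, so the rationale belongs next to the mode: `"644", # world-readable: the unit runs as DynamicUser; keep the secret in password_file, never inline`. If the packaging can create a group, `"640"` together with `SupplementaryGroups=` on the unit would be tighter. The `assets` array starts and ends outside the hunk.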
@@ -0,0 +1,23 @@
+[mysql]
+# Hostname and port of the database.
+host = "localhost"
+port = 3306
+
+# The path to the unix socket of the database.
+# If you uncomment this line, the host and port will be ignored
+
+# socket_path = "/run/mysql/mysql.sock"
+
+# The username and password for the database connection.
+# The username and password can be omitted if you are connecting
+# to the database using socket based authentication.
+# However, the vendored systemd service is running as DynamicUser,
+# so these need to be specified by default unless you override the
+# systemd unit.
+username = "muscl"
+# This file gets created by systemd automatically, given you have set
+# the password with `systemd-creds`.
+password_file = "/run/credentials/muscl.service/muscl_mysql_password"
+
+# Database connection timeout in seconds
+timeout = 2
diff --git a/assets/systemd/muscl.service b/assets/systemd/muscl.service
index 81b6680..4d69588 100644
--- a/assets/systemd/muscl.service
+++ b/assets/systemd/muscl.service
@@ -17,6 +17,8 @@ DynamicUser=yes ConfigurationDirectory=muscl
+ImportCredential=muscl_mysql_password
+
 # This is required to read unix user/group details. PrivateUsers=false
diff --git a/nix/module.nix b/nix/module.nix
index 612e810..5117346 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -135,6 +135,7 @@ in cfg.settings.mysql.socket_path ];
+ ImportCredential = "";
 LoadCredential = lib.mkIf (cfg.settings.mysql.passwordFile != null) [ "mysql-password:${cfg.settings.mysql.passwordFile}" ];
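Review bot: The comment block above `username` says the credentials "need to be specified" but never says that this file is installed world-readable (0644 per the Cargo.toml change in this commit), so a reader may reasonably put `password = "..."` inline and expose it to every local user. Suggest replacing the last two lines of that comment with `# so a credential is required by default; provide it through password_file` / `# (this file is world-readable, so never put the password inline).` The comment on `password_file` could also state that the path exists only while the unit runs with the credential loaded, so a missing `systemd-creds` entry presumably surfaces as a failed database connection at startup rather than a fallback to socket authentication.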
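Review bot: `ImportCredential=` only exists from systemd 254 onward; on older systemd the line is dropped with an unknown-assignment warning, and the `/run/credentials/muscl.service/muscl_mysql_password` path that the packaged config reads then never appears, so the problem presumably surfaces as a failed database connection rather than at unit load. A comment above the line would make the dependency visible: `# Requires systemd >= 254; on older systems use LoadCredentialEncrypted= in a drop-in (see README)`. The README fallback added in this commit spells the directive `LoadEncyptedCredential=`, which systemd does not recognise; it should read `LoadCredentialEncrypted=muscl_mysql_password:/etc/credstore.encrypted/muscl_mysql_password` (the heading there also says "myscl" for "mysql"). The `[Service]` section continues outside the hunk.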
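Review bot: `ImportCredential = "";` renders as an empty `ImportCredential=` assignment, which resets systemd's import list rather than importing a credential, and the hunk gives no hint why the module needs it; if the intent is to keep the NixOS-generated unit on the `LoadCredential=` path below instead of the `ImportCredential=` the packaged unit now uses, say so: `# Reset: this module supplies the password via LoadCredential below, not via ImportCredential= as the packaged unit does`. On systemd before 254 the key is unknown and merely warns, so the line is harmless there but also has no effect. The enclosing attribute set starts and ends outside the hunk.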