+2

nixos/doc/manual/release-notes/rl-2311.section.md

··· 199 199 200 200 - `programs.gnupg.agent.pinentryFlavor` is now set in `/etc/gnupg/gpg-agent.conf`, and will no longer take precedence over a `pinentry-program` set in `~/.gnupg/gpg-agent.conf`. 201 201 202 202 + - `services.influxdb2` now supports doing an automatic initial setup and provisioning of users, organizations, buckets and authentication tokens, see [#249502](https://github.com/NixOS/nixpkgs/pull/249502) for more details. 203 203 + 202 204 - `wrapHelm` now exposes `passthru.pluginsDir` which can be passed to `helmfile`. For convenience, a top-level package `helmfile-wrapped` has been added, which inherits `passthru.pluginsDir` from `kubernetes-helm-wrapped`. See [#217768](https://github.com/NixOS/nixpkgs/issues/217768) for details. 203 205 204 206 - `boot.initrd.network.udhcp.enable` allows control over dhcp during stage 1 regardless of what `networking.useDHCP` is set to.

+386 -66

nixos/modules/services/databases/influxdb2.nix

··· 3 3 let 4 4 inherit 5 5 (lib) 6 6 + any 7 7 + attrNames 8 8 + attrValues 9 9 + count 6 10 escapeShellArg 11 11 + filterAttrs 12 12 + flatten 13 13 + flip 14 14 + getExe 7 15 hasAttr 16 16 + hasInfix 17 17 + listToAttrs 8 18 literalExpression 19 19 + mapAttrsToList 20 20 + mdDoc 9 21 mkEnableOption 10 22 mkIf 11 23 mkOption 24 24 + nameValuePair 25 25 + optional 26 26 + subtractLists 12 27 types 28 28 + unique 13 29 ; 14 30 15 31 format = pkgs.formats.json { }; 16 32 cfg = config.services.influxdb2; 17 33 configFile = format.generate "config.json" cfg.settings; 34 34 + 35 35 + validPermissions = [ 36 36 + "authorizations" 37 37 + "buckets" 38 38 + "dashboards" 39 39 + "orgs" 40 40 + "tasks" 41 41 + "telegrafs" 42 42 + "users" 43 43 + "variables" 44 44 + "secrets" 45 45 + "labels" 46 46 + "views" 47 47 + "documents" 48 48 + "notificationRules" 49 49 + "notificationEndpoints" 50 50 + "checks" 51 51 + "dbrp" 52 52 + "annotations" 53 53 + "sources" 54 54 + "scrapers" 55 55 + "notebooks" 56 56 + "remotes" 57 57 + "replications" 58 58 + ]; 59 59 + 60 60 + # Determines whether at least one active api token is defined 61 61 + anyAuthDefined = 62 62 + flip any (attrValues cfg.provision.organizations) 63 63 + (o: o.present && flip any (attrValues o.auths) 64 64 + (a: a.present && a.tokenFile != null)); 65 65 + 66 66 + provisionState = pkgs.writeText "provision_state.json" (builtins.toJSON { 67 67 + inherit (cfg.provision) organizations users; 68 68 + }); 69 69 + 70 70 + provisioningScript = pkgs.writeShellScript "post-start-provision" '' 71 71 + set -euo pipefail 72 72 + export INFLUX_HOST="http://"${escapeShellArg ( 73 73 + if ! hasAttr "http-bind-address" cfg.settings 74 74 + || hasInfix "0.0.0.0" cfg.settings.http-bind-address 75 75 + then "localhost:8086" 76 76 + else cfg.settings.http-bind-address 77 77 + )} 78 78 + 79 79 + # Wait for the influxdb server to come online 80 80 + count=0 81 81 + while ! influx ping &>/dev/null; do 82 82 + if [ "$count" -eq 300 ]; then 83 83 + echo "Tried for 30 seconds, giving up..." 84 84 + exit 1 85 85 + fi 86 86 + 87 87 + if ! kill -0 "$MAINPID"; then 88 88 + echo "Main server died, giving up..." 89 89 + exit 1 90 90 + fi 91 91 + 92 92 + sleep 0.1 93 93 + count=$((count++)) 94 94 + done 95 95 + 96 96 + # Do the initial database setup. Pass /dev/null as configs-path to 97 97 + # avoid saving the token as the active config. 98 98 + if test -e "$STATE_DIRECTORY/.first_startup"; then 99 99 + influx setup \ 100 100 + --configs-path /dev/null \ 101 101 + --org ${escapeShellArg cfg.provision.initialSetup.organization} \ 102 102 + --bucket ${escapeShellArg cfg.provision.initialSetup.bucket} \ 103 103 + --username ${escapeShellArg cfg.provision.initialSetup.username} \ 104 104 + --password "$(< "$CREDENTIALS_DIRECTORY/admin-password")" \ 105 105 + --token "$(< "$CREDENTIALS_DIRECTORY/admin-token")" \ 106 106 + --retention ${toString cfg.provision.initialSetup.retention}s \ 107 107 + --force >/dev/null 108 108 + 109 109 + rm -f "$STATE_DIRECTORY/.first_startup" 110 110 + fi 111 111 + 112 112 + provision_result=$(${getExe pkgs.influxdb2-provision} ${provisionState} "$INFLUX_HOST" "$(< "$CREDENTIALS_DIRECTORY/admin-token")") 113 113 + if [[ "$(jq '[.auths[] | select(.action == "created")] | length' <<< "$provision_result")" -gt 0 ]]; then 114 114 + echo "Created at least one new token, queueing service restart so we can manipulate secrets" 115 115 + touch "$STATE_DIRECTORY/.needs_restart" 116 116 + fi 117 117 + ''; 118 118 + 119 119 + restarterScript = pkgs.writeShellScript "post-start-restarter" '' 120 120 + set -euo pipefail 121 121 + if test -e "$STATE_DIRECTORY/.needs_restart"; then 122 122 + rm -f "$STATE_DIRECTORY/.needs_restart" 123 123 + /run/current-system/systemd/bin/systemctl restart influxdb2 124 124 + fi 125 125 + ''; 126 126 + 127 127 + organizationSubmodule = types.submodule (organizationSubmod: let 128 128 + org = organizationSubmod.config._module.args.name; 129 129 + in { 130 130 + options = { 131 131 + present = mkOption { 132 132 + description = mdDoc "Whether to ensure that this organization is present or absent."; 133 133 + type = types.bool; 134 134 + default = true; 135 135 + }; 136 136 + 137 137 + description = mkOption { 138 138 + description = mdDoc "Optional description for the organization."; 139 139 + default = null; 140 140 + type = types.nullOr types.str; 141 141 + }; 142 142 + 143 143 + buckets = mkOption { 144 144 + description = mdDoc "Buckets to provision in this organization."; 145 145 + default = {}; 146 146 + type = types.attrsOf (types.submodule (bucketSubmod: let 147 147 + bucket = bucketSubmod.config._module.args.name; 148 148 + in { 149 149 + options = { 150 150 + present = mkOption { 151 151 + description = mdDoc "Whether to ensure that this bucket is present or absent."; 152 152 + type = types.bool; 153 153 + default = true; 154 154 + }; 155 155 + 156 156 + description = mkOption { 157 157 + description = mdDoc "Optional description for the bucket."; 158 158 + default = null; 159 159 + type = types.nullOr types.str; 160 160 + }; 161 161 + 162 162 + retention = mkOption { 163 163 + type = types.ints.unsigned; 164 164 + default = 0; 165 165 + description = mdDoc "The duration in seconds for which the bucket will retain data (0 is infinite)."; 166 166 + }; 167 167 + }; 168 168 + })); 169 169 + }; 170 170 + 171 171 + auths = mkOption { 172 172 + description = mdDoc "API tokens to provision for the user in this organization."; 173 173 + default = {}; 174 174 + type = types.attrsOf (types.submodule (authSubmod: let 175 175 + auth = authSubmod.config._module.args.name; 176 176 + in { 177 177 + options = { 178 178 + id = mkOption { 179 179 + description = mdDoc "A unique identifier for this authentication token. Since influx doesn't store names for tokens, this will be hashed and appended to the description to identify the token."; 180 180 + readOnly = true; 181 181 + default = builtins.substring 0 32 (builtins.hashString "sha256" "${org}:${auth}"); 182 182 + defaultText = "<a hash derived from org and name>"; 183 183 + type = types.str; 184 184 + }; 185 185 + 186 186 + present = mkOption { 187 187 + description = mdDoc "Whether to ensure that this user is present or absent."; 188 188 + type = types.bool; 189 189 + default = true; 190 190 + }; 191 191 + 192 192 + description = mkOption { 193 193 + description = '' 194 194 + Optional description for the API token. 195 195 + Note that the actual token will always be created with a descriptionregardless 196 196 + of whether this is given or not. The name is always added plus a unique suffix 197 197 + to later identify the token to track whether it has already been created. 198 198 + ''; 199 199 + default = null; 200 200 + type = types.nullOr types.str; 201 201 + }; 202 202 + 203 203 + tokenFile = mkOption { 204 204 + type = types.nullOr types.path; 205 205 + default = null; 206 206 + description = mdDoc "The token value. If not given, influx will automatically generate one."; 207 207 + }; 208 208 + 209 209 + operator = mkOption { 210 210 + description = mdDoc "Grants all permissions in all organizations."; 211 211 + default = false; 212 212 + type = types.bool; 213 213 + }; 214 214 + 215 215 + allAccess = mkOption { 216 216 + description = mdDoc "Grants all permissions in the associated organization."; 217 217 + default = false; 218 218 + type = types.bool; 219 219 + }; 220 220 + 221 221 + readPermissions = mkOption { 222 222 + description = mdDoc '' 223 223 + The read permissions to include for this token. Access is usually granted only 224 224 + for resources in the associated organization. 225 225 + 226 226 + Available permissions are `authorizations`, `buckets`, `dashboards`, 227 227 + `orgs`, `tasks`, `telegrafs`, `users`, `variables`, `secrets`, `labels`, `views`, 228 228 + `documents`, `notificationRules`, `notificationEndpoints`, `checks`, `dbrp`, 229 229 + `annotations`, `sources`, `scrapers`, `notebooks`, `remotes`, `replications`. 230 230 + 231 231 + Refer to `influx auth create --help` for a full list with descriptions. 232 232 + 233 233 + `buckets` grants read access to all associated buckets. Use `readBuckets` to define 234 234 + more granular access permissions. 235 235 + ''; 236 236 + default = []; 237 237 + type = types.listOf (types.enum validPermissions); 238 238 + }; 239 239 + 240 240 + writePermissions = mkOption { 241 241 + description = mdDoc '' 242 242 + The read permissions to include for this token. Access is usually granted only 243 243 + for resources in the associated organization. 244 244 + 245 245 + Available permissions are `authorizations`, `buckets`, `dashboards`, 246 246 + `orgs`, `tasks`, `telegrafs`, `users`, `variables`, `secrets`, `labels`, `views`, 247 247 + `documents`, `notificationRules`, `notificationEndpoints`, `checks`, `dbrp`, 248 248 + `annotations`, `sources`, `scrapers`, `notebooks`, `remotes`, `replications`. 249 249 + 250 250 + Refer to `influx auth create --help` for a full list with descriptions. 251 251 + 252 252 + `buckets` grants write access to all associated buckets. Use `writeBuckets` to define 253 253 + more granular access permissions. 254 254 + ''; 255 255 + default = []; 256 256 + type = types.listOf (types.enum validPermissions); 257 257 + }; 258 258 + 259 259 + readBuckets = mkOption { 260 260 + description = mdDoc "The organization's buckets which should be allowed to be read"; 261 261 + default = []; 262 262 + type = types.listOf types.str; 263 263 + }; 264 264 + 265 265 + writeBuckets = mkOption { 266 266 + description = mdDoc "The organization's buckets which should be allowed to be written"; 267 267 + default = []; 268 268 + type = types.listOf types.str; 269 269 + }; 270 270 + }; 271 271 + })); 272 272 + }; 273 273 + }; 274 274 + }); 18 275 in 19 276 { 20 277 options = { 21 278 services.influxdb2 = { 22 22 - enable = mkEnableOption (lib.mdDoc "the influxdb2 server"); 279 279 + enable = mkEnableOption (mdDoc "the influxdb2 server"); 23 280 24 281 package = mkOption { 25 282 default = pkgs.influxdb2-server; 26 283 defaultText = literalExpression "pkgs.influxdb2"; 27 27 - description = lib.mdDoc "influxdb2 derivation to use."; 284 284 + description = mdDoc "influxdb2 derivation to use."; 28 285 type = types.package; 29 286 }; 30 287 31 288 settings = mkOption { 32 289 default = { }; 33 33 - description = lib.mdDoc ''configuration options for influxdb2, see <https://docs.influxdata.com/influxdb/v2.0/reference/config-options> for details.''; 290 290 + description = mdDoc ''configuration options for influxdb2, see <https://docs.influxdata.com/influxdb/v2.0/reference/config-options> for details.''; 34 291 type = format.type; 35 292 }; 36 293 ··· 41 298 organization = mkOption { 42 299 type = types.str; 43 300 example = "main"; 44 44 - description = "Primary organization name"; 301 301 + description = mdDoc "Primary organization name"; 45 302 }; 46 303 47 304 bucket = mkOption { 48 305 type = types.str; 49 306 example = "example"; 50 50 - description = "Primary bucket name"; 307 307 + description = mdDoc "Primary bucket name"; 51 308 }; 52 309 53 310 username = mkOption { 54 311 type = types.str; 55 312 default = "admin"; 56 56 - description = "Primary username"; 313 313 + description = mdDoc "Primary username"; 57 314 }; 58 315 59 316 retention = mkOption { 60 60 - type = types.str; 61 61 - default = "0"; 62 62 - description = '' 63 63 - The duration for which the bucket will retain data (0 is infinite). 64 64 - Accepted units are `ns` (nanoseconds), `us` or `µs` (microseconds), `ms` (milliseconds), 65 65 - `s` (seconds), `m` (minutes), `h` (hours), `d` (days) and `w` (weeks). 66 66 - ''; 317 317 + type = types.ints.unsigned; 318 318 + default = 0; 319 319 + description = mdDoc "The duration in seconds for which the bucket will retain data (0 is infinite)."; 67 320 }; 68 321 69 322 passwordFile = mkOption { 70 323 type = types.path; 71 71 - description = "Password for primary user. Don't use a file from the nix store!"; 324 324 + description = mdDoc "Password for primary user. Don't use a file from the nix store!"; 72 325 }; 73 326 74 327 tokenFile = mkOption { 75 328 type = types.path; 76 76 - description = "API Token to set for the admin user. Don't use a file from the nix store!"; 329 329 + description = mdDoc "API Token to set for the admin user. Don't use a file from the nix store!"; 77 330 }; 78 331 }; 332 332 + 333 333 + organizations = mkOption { 334 334 + description = mdDoc "Organizations to provision."; 335 335 + example = literalExpression '' 336 336 + { 337 337 + myorg = { 338 338 + description = "My organization"; 339 339 + buckets.mybucket = { 340 340 + description = "My bucket"; 341 341 + retention = 31536000; # 1 year 342 342 + }; 343 343 + auths.mytoken = { 344 344 + readBuckets = ["mybucket"]; 345 345 + tokenFile = "/run/secrets/mytoken"; 346 346 + }; 347 347 + }; 348 348 + } 349 349 + ''; 350 350 + default = {}; 351 351 + type = types.attrsOf organizationSubmodule; 352 352 + }; 353 353 + 354 354 + users = mkOption { 355 355 + description = mdDoc "Users to provision."; 356 356 + default = {}; 357 357 + example = literalExpression '' 358 358 + { 359 359 + # admin = {}; /* The initialSetup.username will automatically be added. */ 360 360 + myuser.passwordFile = "/run/secrets/myuser_password"; 361 361 + } 362 362 + ''; 363 363 + type = types.attrsOf (types.submodule (userSubmod: let 364 364 + user = userSubmod.config._module.args.name; 365 365 + org = userSubmod.config.org; 366 366 + in { 367 367 + options = { 368 368 + present = mkOption { 369 369 + description = mdDoc "Whether to ensure that this user is present or absent."; 370 370 + type = types.bool; 371 371 + default = true; 372 372 + }; 373 373 + 374 374 + passwordFile = mkOption { 375 375 + description = mdDoc "Password for the user. If unset, the user will not be able to log in until a password is set by an operator! Don't use a file from the nix store!"; 376 376 + default = null; 377 377 + type = types.nullOr types.path; 378 378 + }; 379 379 + }; 380 380 + })); 381 381 + }; 79 382 }; 80 383 }; 81 384 }; 82 385 83 386 config = mkIf cfg.enable { 84 84 - assertions = [ 85 85 - { 86 86 - assertion = !(hasAttr "bolt-path" cfg.settings) && !(hasAttr "engine-path" cfg.settings); 87 87 - message = "services.influxdb2.config: bolt-path and engine-path should not be set as they are managed by systemd"; 88 88 - } 89 89 - ]; 387 387 + assertions = 388 388 + [ 389 389 + { 390 390 + assertion = !(hasAttr "bolt-path" cfg.settings) && !(hasAttr "engine-path" cfg.settings); 391 391 + message = "services.influxdb2.config: bolt-path and engine-path should not be set as they are managed by systemd"; 392 392 + } 393 393 + ] 394 394 + ++ flatten (flip mapAttrsToList cfg.provision.organizations (orgName: org: 395 395 + flip mapAttrsToList org.auths (authName: auth: 396 396 + [ 397 397 + { 398 398 + assertion = 1 == count (x: x) [ 399 399 + auth.operator 400 400 + auth.allAccess 401 401 + (auth.readPermissions != [] 402 402 + || auth.writePermissions != [] 403 403 + || auth.readBuckets != [] 404 404 + || auth.writeBuckets != []) 405 405 + ]; 406 406 + message = "influxdb2: provision.organizations.${orgName}.auths.${authName}: The `operator` and `allAccess` options are mutually exclusive with each other and the granular permission settings."; 407 407 + } 408 408 + (let unknownBuckets = subtractLists (attrNames org.buckets) auth.readBuckets; in { 409 409 + assertion = unknownBuckets == []; 410 410 + message = "influxdb2: provision.organizations.${orgName}.auths.${authName}: Refers to invalid buckets in readBuckets: ${toString unknownBuckets}"; 411 411 + }) 412 412 + (let unknownBuckets = subtractLists (attrNames org.buckets) auth.writeBuckets; in { 413 413 + assertion = unknownBuckets == []; 414 414 + message = "influxdb2: provision.organizations.${orgName}.auths.${authName}: Refers to invalid buckets in writeBuckets: ${toString unknownBuckets}"; 415 415 + }) 416 416 + ] 417 417 + ) 418 418 + )); 419 419 + 420 420 + services.influxdb2.provision = mkIf cfg.provision.enable { 421 421 + organizations.${cfg.provision.initialSetup.organization} = { 422 422 + buckets.${cfg.provision.initialSetup.bucket} = { 423 423 + inherit (cfg.provision.initialSetup) retention; 424 424 + }; 425 425 + }; 426 426 + users.${cfg.provision.initialSetup.username} = { 427 427 + inherit (cfg.provision.initialSetup) passwordFile; 428 428 + }; 429 429 + }; 90 430 91 431 systemd.services.influxdb2 = { 92 432 description = "InfluxDB is an open-source, distributed, time series database"; ··· 111 451 "admin-password:${cfg.provision.initialSetup.passwordFile}" 112 452 "admin-token:${cfg.provision.initialSetup.tokenFile}" 113 453 ]; 454 454 + 455 455 + ExecStartPost = mkIf cfg.provision.enable ( 456 456 + [provisioningScript] ++ 457 457 + # Only the restarter runs with elevated privileges 458 458 + optional anyAuthDefined "+${restarterScript}" 459 459 + ); 114 460 }; 115 461 116 116 - path = [pkgs.influxdb2-cli]; 462 462 + path = [ 463 463 + pkgs.influxdb2-cli 464 464 + pkgs.jq 465 465 + ]; 117 466 118 118 - # Mark if this is the first startup so postStart can do the initial setup 119 119 - preStart = mkIf cfg.provision.enable '' 467 467 + # Mark if this is the first startup so postStart can do the initial setup. 468 468 + # Also extract any token secret mappings and apply them if this isn't the first start. 469 469 + preStart = let 470 470 + tokenPaths = listToAttrs (flatten 471 471 + # For all organizations 472 472 + (flip mapAttrsToList cfg.provision.organizations 473 473 + # For each contained token that has a token file 474 474 + (_: org: flip mapAttrsToList (filterAttrs (_: x: x.tokenFile != null) org.auths) 475 475 + # Collect id -> tokenFile for the mapping 476 476 + (_: auth: nameValuePair auth.id auth.tokenFile)))); 477 477 + tokenMappings = pkgs.writeText "token_mappings.json" (builtins.toJSON tokenPaths); 478 478 + in mkIf cfg.provision.enable '' 120 479 if ! test -e "$STATE_DIRECTORY/influxd.bolt"; then 121 480 touch "$STATE_DIRECTORY/.first_startup" 481 481 + else 482 482 + # Manipulate provisioned api tokens if necessary 483 483 + ${getExe pkgs.influxdb2-token-manipulator} "$STATE_DIRECTORY/influxd.bolt" ${tokenMappings} 122 484 fi 123 485 ''; 124 124 - 125 125 - postStart = let 126 126 - initCfg = cfg.provision.initialSetup; 127 127 - in mkIf cfg.provision.enable ( 128 128 - '' 129 129 - set -euo pipefail 130 130 - export INFLUX_HOST="http://"${escapeShellArg (cfg.settings.http-bind-address or "localhost:8086")} 131 131 - 132 132 - # Wait for the influxdb server to come online 133 133 - count=0 134 134 - while ! influx ping &>/dev/null; do 135 135 - if [ "$count" -eq 300 ]; then 136 136 - echo "Tried for 30 seconds, giving up..." 137 137 - exit 1 138 138 - fi 139 139 - 140 140 - if ! kill -0 "$MAINPID"; then 141 141 - echo "Main server died, giving up..." 142 142 - exit 1 143 143 - fi 144 144 - 145 145 - sleep 0.1 146 146 - count=$((count++)) 147 147 - done 148 148 - 149 149 - # Do the initial database setup. Pass /dev/null as configs-path to 150 150 - # avoid saving the token as the active config. 151 151 - if test -e "$STATE_DIRECTORY/.first_startup"; then 152 152 - influx setup \ 153 153 - --configs-path /dev/null \ 154 154 - --org ${escapeShellArg initCfg.organization} \ 155 155 - --bucket ${escapeShellArg initCfg.bucket} \ 156 156 - --username ${escapeShellArg initCfg.username} \ 157 157 - --password "$(< "$CREDENTIALS_DIRECTORY/admin-password")" \ 158 158 - --token "$(< "$CREDENTIALS_DIRECTORY/admin-token")" \ 159 159 - --retention ${escapeShellArg initCfg.retention} \ 160 160 - --force >/dev/null 161 161 - 162 162 - rm -f "$STATE_DIRECTORY/.first_startup" 163 163 - fi 164 164 - '' 165 165 - ); 166 486 }; 167 487 168 488 users.extraUsers.influxdb2 = {

+191 -2

nixos/tests/influxdb2.nix

··· 6 6 7 7 nodes.machine = { lib, ... }: { 8 8 environment.systemPackages = [ pkgs.influxdb2-cli ]; 9 9 + # Make sure that the service is restarted immediately if tokens need to be rewritten 10 10 + # without relying on any Restart=on-failure behavior 11 11 + systemd.services.influxdb2.serviceConfig.RestartSec = 6000; 9 12 services.influxdb2.enable = true; 10 13 services.influxdb2.provision = { 11 14 enable = true; ··· 15 18 passwordFile = pkgs.writeText "admin-pw" "ExAmPl3PA55W0rD"; 16 19 tokenFile = pkgs.writeText "admin-token" "verysecureadmintoken"; 17 20 }; 21 21 + organizations.someorg = { 22 22 + buckets.somebucket = {}; 23 23 + auths.sometoken = { 24 24 + description = "some auth token"; 25 25 + readBuckets = ["somebucket"]; 26 26 + writeBuckets = ["somebucket"]; 27 27 + }; 28 28 + }; 29 29 + users.someuser.passwordFile = pkgs.writeText "tmp-pw" "abcgoiuhaoga"; 30 30 + }; 31 31 + 32 32 + specialisation.withModifications.configuration = { ... }: { 33 33 + services.influxdb2.provision = { 34 34 + organizations.someorg.buckets.somebucket.present = false; 35 35 + organizations.someorg.auths.sometoken.present = false; 36 36 + users.someuser.present = false; 37 37 + 38 38 + organizations.myorg = { 39 39 + description = "Myorg description"; 40 40 + buckets.mybucket = { 41 41 + description = "Mybucket description"; 42 42 + }; 43 43 + auths.mytoken = { 44 44 + operator = true; 45 45 + description = "operator token"; 46 46 + tokenFile = pkgs.writeText "tmp-tok" "someusertoken"; 47 47 + }; 48 48 + }; 49 49 + users.myuser.passwordFile = pkgs.writeText "tmp-pw" "abcgoiuhaoga"; 50 50 + }; 51 51 + }; 52 52 + 53 53 + specialisation.withParentDelete.configuration = { ... }: { 54 54 + services.influxdb2.provision = { 55 55 + organizations.someorg.present = false; 56 56 + # Deleting the parent implies: 57 57 + #organizations.someorg.buckets.somebucket.present = false; 58 58 + #organizations.someorg.auths.sometoken.present = false; 59 59 + }; 60 60 + }; 61 61 + 62 62 + specialisation.withNewTokens.configuration = { ... }: { 63 63 + services.influxdb2.provision = { 64 64 + organizations.default = { 65 65 + auths.operator = { 66 66 + operator = true; 67 67 + description = "new optoken"; 68 68 + tokenFile = pkgs.writeText "tmp-tok" "newoptoken"; 69 69 + }; 70 70 + auths.allaccess = { 71 71 + operator = true; 72 72 + description = "new allaccess"; 73 73 + tokenFile = pkgs.writeText "tmp-tok" "newallaccess"; 74 74 + }; 75 75 + auths.specifics = { 76 76 + description = "new specifics"; 77 77 + readPermissions = ["users" "tasks"]; 78 78 + writePermissions = ["tasks"]; 79 79 + tokenFile = pkgs.writeText "tmp-tok" "newspecificstoken"; 80 80 + }; 81 81 + }; 82 82 + }; 18 83 }; 19 84 }; 20 85 21 86 testScript = { nodes, ... }: 22 87 let 88 88 + specialisations = "${nodes.machine.system.build.toplevel}/specialisation"; 23 89 tokenArg = "--token verysecureadmintoken"; 24 90 in '' 91 91 + def assert_contains(haystack, needle): 92 92 + if needle not in haystack: 93 93 + print("The haystack that will cause the following exception is:") 94 94 + print("---") 95 95 + print(haystack) 96 96 + print("---") 97 97 + raise Exception(f"Expected string '{needle}' was not found") 98 98 + 99 99 + def assert_lacks(haystack, needle): 100 100 + if needle in haystack: 101 101 + print("The haystack that will cause the following exception is:") 102 102 + print("---") 103 103 + print(haystack, end="") 104 104 + print("---") 105 105 + raise Exception(f"Unexpected string '{needle}' was found") 106 106 + 25 107 machine.wait_for_unit("influxdb2.service") 26 108 27 109 machine.fail("curl --fail -X POST 'http://localhost:8086/api/v2/signin' -u admin:wrongpassword") 28 110 machine.succeed("curl --fail -X POST 'http://localhost:8086/api/v2/signin' -u admin:ExAmPl3PA55W0rD") 29 111 30 112 out = machine.succeed("influx org list ${tokenArg}") 31 31 - assert "default" in out 113 113 + assert_contains(out, "default") 114 114 + assert_lacks(out, "myorg") 115 115 + assert_contains(out, "someorg") 32 116 33 117 out = machine.succeed("influx bucket list ${tokenArg} --org default") 34 34 - assert "default" in out 118 118 + assert_contains(out, "default") 119 119 + 120 120 + machine.fail("influx bucket list ${tokenArg} --org myorg") 121 121 + 122 122 + out = machine.succeed("influx bucket list ${tokenArg} --org someorg") 123 123 + assert_contains(out, "somebucket") 124 124 + 125 125 + out = machine.succeed("influx user list ${tokenArg}") 126 126 + assert_contains(out, "admin") 127 127 + assert_lacks(out, "myuser") 128 128 + assert_contains(out, "someuser") 129 129 + 130 130 + out = machine.succeed("influx auth list ${tokenArg}") 131 131 + assert_lacks(out, "operator token") 132 132 + assert_contains(out, "some auth token") 133 133 + 134 134 + with subtest("withModifications"): 135 135 + machine.succeed('${specialisations}/withModifications/bin/switch-to-configuration test') 136 136 + machine.wait_for_unit("influxdb2.service") 137 137 + 138 138 + out = machine.succeed("influx org list ${tokenArg}") 139 139 + assert_contains(out, "default") 140 140 + assert_contains(out, "myorg") 141 141 + assert_contains(out, "someorg") 142 142 + 143 143 + out = machine.succeed("influx bucket list ${tokenArg} --org myorg") 144 144 + assert_contains(out, "mybucket") 145 145 + 146 146 + out = machine.succeed("influx bucket list ${tokenArg} --org someorg") 147 147 + assert_lacks(out, "somebucket") 148 148 + 149 149 + out = machine.succeed("influx user list ${tokenArg}") 150 150 + assert_contains(out, "admin") 151 151 + assert_contains(out, "myuser") 152 152 + assert_lacks(out, "someuser") 153 153 + 154 154 + out = machine.succeed("influx auth list ${tokenArg}") 155 155 + assert_contains(out, "operator token") 156 156 + assert_lacks(out, "some auth token") 157 157 + 158 158 + # Make sure the user token is also usable 159 159 + machine.succeed("influx auth list --token someusertoken") 160 160 + 161 161 + with subtest("keepsUnrelated"): 162 162 + machine.succeed('${nodes.machine.system.build.toplevel}/bin/switch-to-configuration test') 163 163 + machine.wait_for_unit("influxdb2.service") 164 164 + 165 165 + out = machine.succeed("influx org list ${tokenArg}") 166 166 + assert_contains(out, "default") 167 167 + assert_contains(out, "myorg") 168 168 + assert_contains(out, "someorg") 169 169 + 170 170 + out = machine.succeed("influx bucket list ${tokenArg} --org default") 171 171 + assert_contains(out, "default") 172 172 + 173 173 + out = machine.succeed("influx bucket list ${tokenArg} --org myorg") 174 174 + assert_contains(out, "mybucket") 175 175 + 176 176 + out = machine.succeed("influx bucket list ${tokenArg} --org someorg") 177 177 + assert_contains(out, "somebucket") 178 178 + 179 179 + out = machine.succeed("influx user list ${tokenArg}") 180 180 + assert_contains(out, "admin") 181 181 + assert_contains(out, "myuser") 182 182 + assert_contains(out, "someuser") 183 183 + 184 184 + out = machine.succeed("influx auth list ${tokenArg}") 185 185 + assert_contains(out, "operator token") 186 186 + assert_contains(out, "some auth token") 187 187 + 188 188 + with subtest("withParentDelete"): 189 189 + machine.succeed('${specialisations}/withParentDelete/bin/switch-to-configuration test') 190 190 + machine.wait_for_unit("influxdb2.service") 191 191 + 192 192 + out = machine.succeed("influx org list ${tokenArg}") 193 193 + assert_contains(out, "default") 194 194 + assert_contains(out, "myorg") 195 195 + assert_lacks(out, "someorg") 196 196 + 197 197 + out = machine.succeed("influx bucket list ${tokenArg} --org default") 198 198 + assert_contains(out, "default") 199 199 + 200 200 + out = machine.succeed("influx bucket list ${tokenArg} --org myorg") 201 201 + assert_contains(out, "mybucket") 202 202 + 203 203 + machine.fail("influx bucket list ${tokenArg} --org someorg") 204 204 + 205 205 + out = machine.succeed("influx user list ${tokenArg}") 206 206 + assert_contains(out, "admin") 207 207 + assert_contains(out, "myuser") 208 208 + assert_contains(out, "someuser") 209 209 + 210 210 + out = machine.succeed("influx auth list ${tokenArg}") 211 211 + assert_contains(out, "operator token") 212 212 + assert_lacks(out, "some auth token") 213 213 + 214 214 + with subtest("withNewTokens"): 215 215 + machine.succeed('${specialisations}/withNewTokens/bin/switch-to-configuration test') 216 216 + machine.wait_for_unit("influxdb2.service") 217 217 + 218 218 + out = machine.succeed("influx auth list ${tokenArg}") 219 219 + assert_contains(out, "operator token") 220 220 + assert_contains(out, "some auth token") 221 221 + assert_contains(out, "new optoken") 222 222 + assert_contains(out, "new allaccess") 223 223 + assert_contains(out, "new specifics") 35 224 ''; 36 225 })