nixos/invidious: change default database user to invidious

This makes sure we don't need any workarounds for running Invidious with a local PostgreSQL database. Changing the default user should be fine as the new init script for PostgreSQL automatically creates the new user and changes the existing database's owner to the new user. The old user will still linger and must be removed manually. See also: NixOS#266270
Lainera · Dec 20, 2023 · 8f7541d · 8f7541d
1 parent 79b5d47
commit 8f7541d
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 27 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -37,6 +37,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `k9s` was updated to v0.29. There have been breaking changes in the config file format, check out the [changelog](https://github.com/derailed/k9s/releases/tag/v0.29.0) for details.
 
+- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
+
 - `mkosi` was updated to v19. Parts of the user interface have changed. Consult the
   [release notes](https://github.com/systemd/mkosi/releases/tag/v19) for a list of changes.
 

diff --git a/nixos/modules/services/web-apps/invidious.nix b/nixos/modules/services/web-apps/invidious.nix
@@ -114,7 +114,11 @@ let
       check_tables = true;
 
       db = {
-        user = lib.mkDefault "kemal";
+        user = lib.mkDefault (
+          if (lib.versionAtLeast config.system.stateVersion "24.05")
+          then "invidious"
+          else "kemal"
+        );
         dbname = lib.mkDefault "invidious";
         port = cfg.database.port;
         # Blank for unix sockets, see
@@ -143,31 +147,26 @@ let
 
   # Settings necessary for running with an automatically managed local database
   localDatabaseConfig = lib.mkIf cfg.database.createLocally {
+    assertions = [
+      {
+        assertion = cfg.settings.db.user == cfg.settings.db.dbname;
+        message = ''
+          For local automatic database provisioning (services.invidious.database.createLocally == true)
+          to  work, the username used to connect to PostgreSQL must match the database name, that is
+          services.invidious.database.user must match services.invidious.database.dbName.
+          This is the default since NixOS 24.05. For older systems, it is normally safe to manually set
+          services.invidious.database.user to "invidious" as the new user will be created with permissions
+          for the existing database.
+        '';
+      }
+    ];
     # Default to using the local database if we create it
     services.invidious.database.host = lib.mkDefault null;
 
-
-    # TODO(raitobezarius to maintainers of invidious): I strongly advise to clean up the kemal specific
-    # thing for 24.05 and use `ensureDBOwnership`.
-    # See https://github.com/NixOS/nixpkgs/issues/216989
-    systemd.services.postgresql.postStart = lib.mkAfter ''
-      $PSQL -tAc 'ALTER DATABASE "${cfg.settings.db.dbname}" OWNER TO "${cfg.settings.db.user}";'
-    '';
     services.postgresql = {
       enable = true;
-      ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = false; };
+      ensureUsers = lib.singleton { name = cfg.settings.db.user; ensureDBOwnership = true; };
       ensureDatabases = lib.singleton cfg.settings.db.dbname;
-      # This is only needed because the unix user invidious isn't the same as
-      # the database user. This tells postgres to map one to the other.
-      identMap = ''
-        invidious invidious ${cfg.settings.db.user}
-      '';
-      # And this specifically enables peer authentication for only this
-      # database, which allows passwordless authentication over the postgres
-      # unix socket for the user map given above.
-      authentication = ''
-        local ${cfg.settings.db.dbname} ${cfg.settings.db.user} peer map=invidious
-      '';
     };
   };
 

diff --git a/nixos/tests/invidious.nix b/nixos/tests/invidious.nix
@@ -10,12 +10,12 @@ import ./make-test-python.nix ({ pkgs, ... }: {
       services.postgresql = {
         enable = true;
         initialScript = pkgs.writeText "init-postgres-with-password" ''
-          CREATE USER kemal WITH PASSWORD 'correct horse battery staple';
-          CREATE DATABASE invidious WITH OWNER kemal;
+          CREATE USER invidious WITH PASSWORD 'correct horse battery staple';
+          CREATE DATABASE invidious WITH OWNER invidious;
         '';
         enableTCPIP = true;
         authentication = ''
-          host invidious kemal samenet scram-sha-256
+          host invidious invidious samenet scram-sha-256
         '';
       };
       networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];
@@ -24,10 +24,6 @@ import ./make-test-python.nix ({ pkgs, ... }: {
       services.invidious = {
         enable = true;
       };
-      services.postgresql.initialScript = pkgs.writeText "init-postgres-with-password" ''
-        CREATE USER kemal;
-        CREATE DATABASE invidious WITH OWNER kemal;
-      '';
 
       specialisation = {
         nginx.configuration = {