NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Hydra service fails to correctly set PostgreSQL configuration when services.postgresql.authentication is already set #32063

Open joepie91 opened 6 years ago

joepie91 commented 6 years ago

Issue description

The Hydra module for NixOS contains a configuration setting that, on deployments with a local PostgreSQL database, is meant to add an authentication line to the pg_hba.conf for PostgreSQL to allow access to all Hydra-related users.

However, when the services.postgresql.authentication option is already set elsewhere in the system configuration, this line does not get added due to conflicting options - or presumably, the existing authentication configuration could be overwritten by the Hydra-specified configuration in different circumstances.

Instead, the Hydra service should append this authentication line to the existing authentication configuration when one already exists.

Workaround in the meantime: manually add local hydra all ident map=hydra-users to your services.postgresql.authentication configuration option, wherever you have currently specified it.

For the issue search: the following is the error that shows in Hydra when authentication fails due to this issue:

DBIx::Class::Storage::DBI::catch {...} (): DBI Connection failed: DBI connect('dbname=hydra;user=hydra;','',...) failed: FATAL: Peer authentication failed for user "hydra" at /nix/store/76s6zdh8m1zvr1rclvfsvpn1k3y7vjrl-hydra-perl-deps/lib/perl5/site_perl/5.24.3/DBIx/Class/Storage/DBI.pm line 1517. at /nix/store/f9vv25rfq30k03r8dsjb25g9hbl8jpjn-hydra-2017-11-21/libexec/hydra/lib/Hydra/Helper/CatalystUtils.pm line 356

... and the PostgreSQL service logs show the following:

Nov 26 09:28:34 desktop-home postgresql-start[29383]: LOG:  provided user name (hydra) and authenticated user name (hydra-queue-runner) do not match
Nov 26 09:28:34 desktop-home postgresql-start[29383]: FATAL:  Peer authentication failed for user "hydra"
Nov 26 09:28:34 desktop-home postgresql-start[29383]: DETAIL:  Connection matched pg_hba.conf line 1: "                                local all all ident"

Steps to reproduce

  1. Enable the PostgreSQL service and add a services.postgresql.authentication option to your system configuration (eg. /etc/nixos/configuration.nix).
  2. Enable the Hydra service; the exact configuration does not matter, so long as you do not specify a services.hydra.dbi option and let it default to the local database.
  3. Load the Hydra web interface at the configured port (default: 3000).

For completeness' sake, below is my Hydra configuration:

    services.hydra = {
        enable = true;
        port = 3333;
        hydraURL = "http://localhost:3333/";
        notificationSender = "hydra@cryto.net";
        useSubstitutes = true;
        minimumDiskFree = 20;
        minimumDiskFreeEvaluator = 20;
    };

Technical details
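
The PostgreSQL log above shows the connection matching the catch-all "local all all ident" record on line 1. The following is an added example, not part of the original issue and not PostgreSQL or nixpkgs code: a simplified Python model of first-match pg_hba.conf evaluation for local records, showing why that record rejects the hydra-queue-runner OS user and why the workaround line only helps when it precedes the catch-all. The ident map entries are assumed, since the issue does not list them.

```python
# Added example: simplified model of PostgreSQL pg_hba.conf matching for
# `local` (Unix-socket) records only. Not PostgreSQL's or nixpkgs' code.

# Constructed ident map (map name, OS user, DB user); assumed, not from the issue.
IDENT_MAP = [
    ("hydra-users", "hydra", "hydra"),
    ("hydra-users", "hydra-queue-runner", "hydra"),
]

def parse_hba(text):
    """Yield (database, user, method, options) for each `local` record."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "local":
            opts = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
            yield fields[1], fields[2], fields[3], opts

def matches(field, value):
    """A field matches on the keyword `all` or on a comma-separated name."""
    return field == "all" or value in field.split(",")

def peer_ok(os_user, db_user, map_name, ident_map):
    if map_name is None:  # no map: OS user and DB user must be identical
        return os_user == db_user
    return (map_name, os_user, db_user) in ident_map

def check_local_login(hba_text, os_user, database, db_user, ident_map=IDENT_MAP):
    """Return (allowed, matched_record). Only the FIRST matching record is
    consulted; a failure there does not fall through to later records."""
    for db, user, method, opts in parse_hba(hba_text):
        if matches(db, database) and matches(user, db_user):
            record = (db, user, method, opts)
            if method in ("ident", "peer"):  # ident on local sockets means peer
                return peer_ok(os_user, db_user, opts.get("map"), ident_map), record
            # Password methods are not modelled and count as denied here.
            return method == "trust", record
    return False, None

# Constructed pg_hba.conf contents for the three cases.
BROKEN = "local all all ident\n"
FIXED = "local hydra all ident map=hydra-users\nlocal all all ident\n"
WRONG_ORDER = "local all all ident\nlocal hydra all ident map=hydra-users\n"

if __name__ == "__main__":
    for name, hba in [("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)]:
        print(name, check_local_login(hba, "hydra-queue-runner", "hydra", "hydra"))
```
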

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

Ma27 commented 4 years ago

@joepie91 do you still have this issue?

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.