zabbixWeb could not connect to a database #144104

Closed
alsvartr opened this issue Nov 1, 2021 · 7 comments · Fixed by #144250
Labels
0.kind: bug Something is broken

Comments


alsvartr commented Nov 1, 2021

Nix tells ZabbixWeb to use the file_get_contents function to retrieve the DB password from a file. It seems that it adds a newline symbol to the password string, so auth fails.

        services.zabbixWeb = {
                enable = true;
                virtualHost = {
                        hostName = "zabbix.localhost";
                        adminAddr = "webmaster@localhost";
                };
                server.address = "localhost";

                database.type = "mysql";
                database.host = "127.0.0.1";
                database.name = "zabbix";
                database.user = "zabbix";
                database.passwordFile = zbxMysqlPassFile;
        };

zabbix.conf:

<?php
// Zabbix GUI configuration file.
global $DB;
$DB['TYPE'] = 'MYSQL';
$DB['SERVER'] = '127.0.0.1';
$DB['PORT'] = '3306';
$DB['DATABASE'] = 'zabbix';
$DB['USER'] = 'zabbix';
$DB['PASSWORD'] = file_get_contents('/etc/nixos/creds/mysql-zabbix');

[root@box:~]# nix-shell -p nix-info --run "nix-info -m"

  • system: "x86_64-linux"
  • host os: Linux 5.10.71, NixOS, 21.05.3834.88b914e7e43 (Okapi)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.3.15
  • channels(root): "nixos-21.05.3834.88b914e7e43, nixos-unstable-21.11pre323079.2cf9db0e3d4"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

alsvartr added the 0.kind: bug (Something is broken) label Nov 1, 2021

Member

aanderse commented Nov 1, 2021

Thanks for reporting this. I'll take a look when I get a chance.

If you're actually connecting to localhost (as opposed to using localhost as a simple and reproducible example), I would really suggest using socket authentication, which is more secure and doesn't require a password.

Member

aanderse commented Nov 1, 2021

Oh... I reviewed the code:

$DB['PASSWORD'] = ${if cfg.database.passwordFile != null then "file_get_contents('${cfg.database.passwordFile}')" else "''"};

You mean that you put a newline in your password file? Just remove the newline in the password file.

Author

alsvartr commented Nov 2, 2021

> Oh... I reviewed the code:
>
> $DB['PASSWORD'] = ${if cfg.database.passwordFile != null then "file_get_contents('${cfg.database.passwordFile}')" else "''"};
>
> You mean that you put a newline in your password file? Just remove the newline in the password file.

Of course not. The newline is added by file_get_contents, I assume. Why do we need such an obscure way of configuration? Why can't we just add a 'password' option instead of passwordFile?

Member

aanderse commented Nov 2, 2021

Your password ends up in the nix store and is readable by any user on the OS. Then you commit your configuration to github and the situation worsens. Unfortunately we must avoid password options in NixOS.

Member

aanderse commented Nov 2, 2021

Author

alsvartr commented Nov 2, 2021

> Your password ends up in the nix store and is readable by any user on the OS. Then you commit your configuration to github and the situation worsens. Unfortunately we must avoid password options in NixOS.

It's up to the end user to decide. I'd use blocks like this for example:

zbxMysqlPassFile = "/etc/nixos/creds/mysql-zabbix";
zbxMysqlPass = (builtins.readFile zbxMysqlPassFile);

Otherwise you'll end up with over-engineered constructions with nix functions generating php functions, etc. It's pretty annoying to debug.

Member

aanderse commented Nov 2, 2021

> It's up to the end user to decide.

I agree, the user should be given a footgun in this scenario.

> I'd use blocks like this for example:

What you're looking for is:

{
  services.zabbixWeb.database.passwordFile = pkgs.writeText "footgun.txt" "this-is-my-password";
}

> It's pretty annoying to debug.

I bet it was. I'm sorry this issue exists and you ran into it 😞. PR incoming.

Unfortunately (from your perspective; fortunately from other people's perspective), people who commit NixOS modules generally agree that adding password options is a bad idea. The very first post of #102397 includes a number of links if you're interested in hearing the arguments.
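
An added example, not part of the thread and not nixpkgs code: a shell check for the three conditions this issue turns on for a file handed to a passwordFile option, namely a trailing newline (PHP's file_get_contents() returns the file's bytes verbatim), a location under /nix/store, and permission bits that let other local users read it. The function name check_secret_file is hypothetical, and GNU coreutils (stat -c, readlink -f) are assumed.

```shell
#!/bin/sh
# Added example: audit a file referenced by a passwordFile-style option.
# Prints one finding per line.
# Returns 0 if clean, 1 if anything was flagged, 2 if the file is unreadable.
check_secret_file() {
    f=$1
    findings=0
    [ -r "$f" ] || { echo "unreadable: $f"; return 2; }

    # 1. Everything under /nix/store is readable by every local user,
    #    e.g. a path produced by pkgs.writeText or builtins.readFile.
    case $(readlink -f -- "$f") in
        /nix/store/*) echo "in-nix-store: $f"; findings=1 ;;
    esac

    # 2. Any group/other permission bit exposes the secret to other accounts.
    mode=$(stat -L -c '%a' -- "$f")
    case $mode in
        *00|0) ;;
        *) echo "mode-$mode: $f"; findings=1 ;;
    esac

    # 3. A trailing LF or CR becomes part of the password string, because
    #    file_get_contents() does not trim what it reads.
    last=$(tail -c 1 -- "$f" | od -An -tx1 | tr -d ' \n')
    case $last in
        0a|0d) echo "trailing-newline: $f"; findings=1 ;;
    esac

    return "$findings"
}

# Usage (the path is the one from the report above):
#   check_secret_file /etc/nixos/creds/mysql-zabbix
# Writing the secret with printf '%s' instead of echo avoids the newline.
```
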
