nixos/mysql: fix initalScript option after security fix

services.mysql.initalScript runs with the root@localhost mysql user.
This seems consistent with the other invocations that run in the first
startup of mysql.
After the security fix, the mysql command executing the initial script
was broken as it tried to connect to root@localhost while being the mysql
system user.

We could instead use the mysql@localhost mysql user, but this would be
inconsistent with the other invocations.

Co-Authored-By: osnyx <os@flyingcircus.io>
(cherry picked from commit 6f5d20fe0c)
This commit is contained in:
Leona Maroni 2026-06-24 10:56:49 +02:00 committed by github-actions[bot]
commit 0fecee37ee

View file

@ -662,11 +662,6 @@ in
) | ${cfg.package}/bin/mysql -u ${superUser} -N
''}
# Secure root@localhost for MySQL/Percona on first initialization
${lib.optionalString (cfg.secureSuperUserByDefault && !isMariaDB) ''
echo "ALTER USER root@localhost IDENTIFIED WITH auth_socket;" | ${cfg.package}/bin/mysql -u ${superUser} -N
''}
${lib.optionalString (cfg.initialScript != null) ''
# Execute initial script
# using toString to avoid copying the file to nix store if given as path instead of string,
@ -674,6 +669,11 @@ in
cat ${toString cfg.initialScript} | ${cfg.package}/bin/mysql -u ${superUser} -N
''}
# Secure root@localhost for MySQL/Percona on first initialization
${lib.optionalString (cfg.secureSuperUserByDefault && !isMariaDB) ''
echo "ALTER USER root@localhost IDENTIFIED WITH auth_socket;" | ${cfg.package}/bin/mysql -u ${superUser} -N
''}
rm ${cfg.dataDir}/mysql_init
fi