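{ lib, pkgs, config, mylibs, ... }:
# NixOS module bundling the PostgreSQL, MariaDB and Redis services of this
# host. Each database has its own `enable` switch; all of them default to the
# umbrella `services.myDatabases.enable`.
let
  cfg = config.services.myDatabases;
in {
  options.services.myDatabases = {
    enable = lib.mkEnableOption "my databases service";

    postgresql = {
      enable = lib.mkOption {
        default = cfg.enable;
        example = true;
        description = "Whether to enable postgresql database";
        type = lib.types.bool;
      };
    };

    mariadb = {
      enable = lib.mkOption {
        default = cfg.enable;
        example = true;
        description = "Whether to enable mariadb database";
        type = lib.types.bool;
      };
    };

    redis = {
      enable = lib.mkOption {
        default = cfg.enable;
        example = true;
        description = "Whether to enable redis database";
        type = lib.types.bool;
      };
    };
  };

  config = lib.mkIf cfg.enable {
    nixpkgs.config.packageOverrides = oldpkgs: rec {
      # Pin PostgreSQL to 11.1 by re-sourcing the 10.x derivation with a new
      # tarball. `psqlSchema` is what services.postgresql uses to name the data
      # directory, so it must follow the major version.
      postgresql = postgresql111;
      postgresql111 = oldpkgs.postgresql100.overrideAttrs (old: rec {
        passthru = old.passthru // { psqlSchema = "11.0"; };
        name = "postgresql-11.1";
        src = pkgs.fetchurl {
          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
        };
      });

      # MariaDB rebuilt with the PAM authentication plugin, consumed by the
      # `mysql` PAM service defined further down.
      mariadb = mariadbPAM;
      mariadbPAM = oldpkgs.mariadb.overrideAttrs (old: rec {
        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
        buildInputs = old.buildInputs ++ [ pkgs.pam ];
      });
    };

    # Open a listener port only for a database that is actually enabled; the
    # previous unconditional list exposed 3306 and 5432 even when the matching
    # service was switched off. Neither listener is TLS-protected yet (see the
    # `ssl` FIXMEs below), so remote clients authenticate in clear text.
    networking.firewall.allowedTCPPorts =
      lib.optional cfg.mariadb.enable 3306
      ++ lib.optional cfg.postgresql.enable 5432;

    # FIXME: initial sync
    # FIXME: backup
    # FIXME: restart after pam
    # FIXME: pam access doesn’t work (because of php module)
    # FIXME: ssl
    # NOTE(review): no `bind` address is set, so MariaDB uses its default
    # listen address while 3306 is open in the firewall — confirm that
    # unencrypted remote access is intended.
    services.mysql = {
      enable = cfg.mariadb.enable;
      package = pkgs.mariadb;
    };

    # FIXME: initial sync
    # FIXME: backup
    # FIXME: ssl
    services.postgresql = {
      enable = cfg.postgresql.enable;
      package = pkgs.postgresql;
      # Listen on TCP as well as the unix socket; remote access is then gated
      # by the `authentication` (pg_hba) rules below, not by the firewall alone.
      enableTCPIP = true;
      extraConfig = ''
        max_connections = 100
        wal_level = logical
        shared_buffers = 128MB
        max_wal_size = 1GB
        min_wal_size = 80MB
        log_timezone = 'Europe/Paris'
        datestyle = 'iso, mdy'
        timezone = 'Europe/Paris'
        lc_messages = 'en_US.UTF-8'
        lc_monetary = 'en_US.UTF-8'
        lc_numeric = 'en_US.UTF-8'
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        # ssl = on
        # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
        # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
      '';
      # Remote md5 logins are limited to two fixed peers; until `ssl` is
      # enabled above these password exchanges travel over plain TCP.
      authentication = ''
        local all postgres ident
        local all all md5
        host all all samehost md5
        host all all 178.33.252.96/32 md5
        host all all 188.165.209.148/32 md5
        #host all all all pam
      '';
    };

    # PAM stack used by MariaDB's PAM plugin: authenticate and authorise
    # against LDAP, restricted to members of the mysql users group.
    security.pam.services = let
      pam_ldap = pkgs.pam_ldap;
      # NOTE(review): `pkgs.writeText` places this file in the Nix store, which
      # is world-readable, so the LDAP bind password read from the environment
      # at evaluation time ends up readable by every local user. Consider
      # deploying the bind credentials as a runtime secret outside the store.
      pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
        pkgs.writeText "mysql.conf" ''
          host ldap.immae.eu
          base dc=immae,dc=eu
          binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
          bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
          pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
        '';
    in [
      {
        name = "mysql";
        text = ''
          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
          auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
        '';
      }
    ];

    # FIXME: backup
    # Nextcloud: 14
    services.redis = {
      # Same switch as the other databases; previously spelled out through
      # `config.services.myDatabases`, which is what `cfg` already points to.
      enable = cfg.redis.enable;
      bind = "127.0.0.1";
      unixSocket = "/run/redis/redis.sock";
      # NOTE(review): `unixsocketperm 777` makes the socket usable by every
      # local account, and no `requirepass` is configured — any local user can
      # read and write the Redis data. A group-owned socket with 770 would
      # narrow this; which group the consumers run as is not visible here.
      extraConfig = ''
        unixsocketperm 777
        maxclients 1024
      '';
    };

    # Make sure the socket directory exists and belongs to the redis user
    # before the service starts.
    system.activationScripts.redis = ''
      mkdir -p /run/redis
      chown redis /run/redis
    '';
  };
}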