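{ lib, config, pkgs, ... }:
# NixOS module for a Redis instance that is reachable locally through a unix
# socket, plus two front-ends for it: a spiped tunnel (encrypted TCP access
# from other hosts on port 16379) and a predixy proxy (read-only access on
# loopback port 7617). Sockets, keys and config files live under paths derived
# from `socketsDir` and `config.secrets.location`.
let
  cfg = config.myServices.databases.redis;
in {
  options.myServices.databases.redis = {
    enable = lib.mkOption {
      default = false;
      example = true;
      description = "Whether to enable redis database";
      type = lib.types.bool;
    };
    socketsDir = lib.mkOption {
      type = lib.types.path;
      default = "/run/redis";
      description = ''
        The directory where Redis puts sockets.
      '';
    };
    # Output variables
    systemdRuntimeDirectory = lib.mkOption {
      type = lib.types.str;
      # Use ReadWritePaths= instead if socketsDir is outside of /run
      # RuntimeDirectory= is relative to /run, so the prefix is stripped. The
      # assert makes a socketsDir outside /run fail at evaluation time instead
      # of silently yielding a wrong directory name.
      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
        lib.strings.removePrefix "/run/" cfg.socketsDir;
      description = ''
        Adjusted redis sockets directory for systemd
      '';
      readOnly = true;
    };
    sockets = lib.mkOption {
      type = lib.types.attrsOf lib.types.path;
      # NOTE(review): interpolating socketsDir assumes it is given as a string
      # (as the default is); a Nix path literal would be copied to the store
      # here — confirm before changing the default.
      default = {
        redis = "${cfg.socketsDir}/redis.sock";
      };
      readOnly = true;
      description = ''
        Redis sockets
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.redis.uid = config.ids.uids.redis;
    users.groups.redis.gid = config.ids.gids.redis;
    services.redis = {
      enable = true;
      # TCP only on loopback; remote clients come in through spiped below.
      bind = "127.0.0.1";
      unixSocket = cfg.sockets.redis;
      # unixsocketperm 777 makes the socket connectable by every local account,
      # not only the unprivileged `spiped` user that needs it (it is not in the
      # redis group). The least-privilege alternative is 770 with each local
      # consumer added to the redis group; left as-is because the full set of
      # local consumers is not visible from this module.
      extraConfig = ''
        unixsocketperm 777
        maxclients 1024
      '';
    };
    systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;

    services.spiped = {
      enable = true;
      config.redis = {
        decrypt = true;
        # Listening on all interfaces is intentional: this is the encrypted
        # entry point, and 16379 is opened in the firewall below.
        source = "0.0.0.0:16379";
        # Derived from the sockets option rather than a hard-coded
        # "/run/redis/redis.sock", so the tunnel target cannot diverge from
        # `unixSocket` when socketsDir is changed.
        target = cfg.sockets.redis;
        keyfile = "${config.secrets.location}/redis/spiped_keyfile";
      };
    };
    systemd.services.spiped_redis = {
      description = "Secure pipe 'redis'";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Restart = "always";
        User = "spiped";
        PermissionsStartOnly = true;
        # `keys` is needed to read the 0400 keyfile declared in secrets.keys.
        SupplementaryGroups = "keys";
      };

      # The spec file path is fixed, so the command substitution only ever
      # reads a file generated on this host; presumably by the spiped module
      # (not visible here).
      script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
    };

    # Restart predixy whenever its (secret-bearing) config file is rewritten.
    services.filesWatcher.predixy = {
      restart = true;
      paths = [ "${config.secrets.location}/redis/predixy.conf" ];
    };

    # 16379 is the spiped listener. predixy binds 127.0.0.1:7617 (see
    # predixy.conf below), so the 7617 entry exposes nothing today;
    # NOTE(review): drop it unless another service listens on 7617 — confirm.
    networking.firewall.allowedTCPPorts = [ 7617 16379 ];
    # Both secrets are 0400 and owned by the exact user of the service that
    # reads them (predixy runs as `redis`, spiped as `spiped`).
    secrets.keys = [
      {
        dest = "redis/predixy.conf";
        user = "redis";
        group = "redis";
        permissions = "0400";
        # Clients authenticate with the shared `read` password and get
        # read-only access (`Mode read`); writes must go directly to redis.
        # NOTE(review): the shard member is taken from myEnv — presumably the
        # same path as cfg.sockets.redis; verify they agree.
        text = ''
          Name Predixy
          Bind 127.0.0.1:7617
          ClientTimeout 300
          WorkerThreads 1

          Authority {
            Auth "${config.myEnv.databases.redis.predixy.read}" {
              Mode read
            }
          }

          StandaloneServerPool {
            Databases 16
            RefreshMethod fixed
            Group shard001 {
              + ${config.myEnv.databases.redis.socket}
            }
          }
        '';
      }
      {
        dest = "redis/spiped_keyfile";
        user = "spiped";
        group = "spiped";
        permissions = "0400";
        text = config.myEnv.databases.redis.spiped_key;
      }
    ];

    systemd.services.predixy = {
      description = "Redis proxy";
      wantedBy = [ "multi-user.target" ];
      after = [ "redis.service" ];

      serviceConfig = {
        User = "redis";
        Group = "redis";
        # `keys` presumably grants traversal of the secrets directory holding
        # predixy.conf — confirm against the secrets module.
        SupplementaryGroups = "keys";
        Type = "simple";

        ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
      };

    };
  };
}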