]>
Commit | Line | Data |
---|---|---|
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | |
2 | let | |
3 | cfg = config.services.myDatabases; | |
4 | in { | |
5 | options.services.myDatabases = { | |
6 | mariadb = { | |
7 | enable = lib.mkOption { | |
8 | default = cfg.enable; | |
9 | example = true; | |
10 | description = "Whether to enable mariadb database"; | |
11 | type = lib.types.bool; | |
12 | }; | |
13 | }; | |
14 | }; | |
15 | ||
16 | config = lib.mkIf cfg.enable { | |
17 | networking.firewall.allowedTCPPorts = [ 3306 ]; | |
18 | ||
19 | # for adminer, ssl is implemented with mysqli only, which is | |
20 | # currently disabled because it’s not compatible with pam. | |
21 | # Thus we need to generate two users for each 'remote': one remote | |
22 | # with SSL, and one localhost without SSL. | |
23 | # User identified by LDAP: | |
24 | # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; | |
25 | # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; | |
26 | services.mysql = rec { | |
27 | enable = cfg.mariadb.enable; | |
28 | package = pkgs.mariadb; | |
29 | extraOptions = '' | |
30 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | |
31 | ssl_key = /var/lib/acme/mysql/key.pem | |
32 | ssl_cert = /var/lib/acme/mysql/fullchain.pem | |
33 | ''; | |
34 | }; | |
35 | ||
36 | users.users.mysql.extraGroups = [ "keys" ]; | |
37 | security.acme.certs."mysql" = config.services.myCertificates.certConfig // { | |
38 | user = "mysql"; | |
39 | group = "mysql"; | |
40 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; | |
41 | domain = "db-1.immae.eu"; | |
42 | postRun = '' | |
43 | systemctl restart mysql.service | |
44 | ''; | |
45 | }; | |
46 | ||
47 | mySecrets.keys = [ | |
48 | { | |
49 | dest = "mysql/mysqldump"; | |
50 | permissions = "0400"; | |
51 | user = "root"; | |
52 | group = "root"; | |
53 | text = '' | |
54 | [mysqldump] | |
55 | user = root | |
56 | password = ${myconfig.env.databases.mysql.systemUsers.root} | |
57 | ''; | |
58 | } | |
59 | { | |
60 | dest = "mysql/pam"; | |
61 | permissions = "0400"; | |
62 | user = "mysql"; | |
63 | group = "mysql"; | |
64 | text = with myconfig.env.databases.mysql.pam; '' | |
65 | host ${myconfig.env.ldap.host} | |
66 | base ${myconfig.env.ldap.base} | |
67 | binddn ${dn} | |
68 | bindpw ${password} | |
69 | pam_filter ${filter} | |
70 | ssl start_tls | |
71 | ''; | |
72 | } | |
73 | ]; | |
74 | ||
75 | services.cron = { | |
76 | enable = true; | |
77 | systemCronJobs = [ | |
78 | '' | |
79 | 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql | |
80 | '' | |
81 | ]; | |
82 | }; | |
83 | ||
84 | security.pam.services = let | |
85 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | |
86 | in [ | |
87 | { | |
88 | name = "mysql"; | |
89 | text = '' | |
90 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | |
91 | auth required ${pam_ldap} config=/var/secrets/mysql/pam | |
92 | account required ${pam_ldap} config=/var/secrets/mysql/pam | |
93 | ''; | |
94 | } | |
95 | ]; | |
96 | ||
97 | }; | |
98 | } | |
99 |