Fix deprecation for networking addresses in hetzner
# NixOS module bundling this host's database servers (PostgreSQL, MariaDB,
# Redis) behind one option set, `services.myDatabases`.  `mylibs` is a
# project-local helper set; only `mylibs.checkEnv` is used here.
{ lib, pkgs, config, mylibs, ... }:
let
  cfg = config.services.myDatabases;
in {
  options.services.myDatabases = {
    enable = lib.mkEnableOption "my databases service";
    # Each backend defaults to the umbrella `enable`, so one switch turns
    # everything on while a single backend can still be opted out.
    postgresql = {
      enable = lib.mkOption {
        default = cfg.enable;
        example = true;
        description = "Whether to enable postgresql database";
        type = lib.types.bool;
      };
    };
    mariadb = {
      enable = lib.mkOption {
        default = cfg.enable;
        example = true;
        description = "Whether to enable mariadb database";
        type = lib.types.bool;
      };
    };
    redis = {
      enable = lib.mkOption {
        default = cfg.enable;
        example = true;
        description = "Whether to enable redis database";
        type = lib.types.bool;
      };
    };
  };

  # Everything below is applied only when the umbrella option is on; the
  # per-backend flags are consulted by the individual services further down.
  config = lib.mkIf cfg.enable {
    # Replace the system-wide postgresql/mariadb with PAM-enabled builds so
    # that the `pam` auth method in pg_hba below and MariaDB's PAM plugin
    # are available.
    nixpkgs.config.packageOverrides = oldpkgs: rec {
      postgresql = postgresql111;
      # Reuses the 10.x derivation with a 11.1 source tarball; the pinned
      # sha256 is what guarantees the fetched source is the expected one.
      postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
        passthru = old.passthru // { psqlSchema = "11.0"; };
        name = "postgresql-11.1";
        src = pkgs.fetchurl {
          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
        };
        configureFlags = old.configureFlags ++ [ "--with-pam" ];
        buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
        # presumably relocates the unix socket under /run/postgresql, which the
        # activation script below creates — confirm against the patch itself
        patches = old.patches ++ [
          ./postgresql_run_socket_path.patch
        ];
      });
      mariadb = mariadbPAM;
      mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
        buildInputs = old.buildInputs ++ [ pkgs.pam ];
      });
    };

    # NOTE(review): both DB ports are opened on every interface whenever the
    # umbrella option is on, even when the matching backend is disabled —
    # this line is not gated on cfg.mariadb.enable / cfg.postgresql.enable.
    networking.firewall.allowedTCPPorts = [ 3306 5432 ];

    # `pkgs.mariadb` resolves to the PAM-enabled override declared above.
    services.mysql = rec {
      enable = cfg.mariadb.enable;
      package = pkgs.mariadb;
    };

    # TLS certificate for the PostgreSQL listener.  Files are owned by
    # `postgres` so the server can read the private key; the reload hook
    # makes the server pick up a renewed certificate.
    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
      user = "postgres";
      group = "postgres";
      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
      domain = "db-1.immae.eu";
      postRun = ''
        systemctl reload postgresql.service
      '';
    };

    # Socket directory for the patched postgresql (see the patch above).
    system.activationScripts.postgresql = ''
      install -m 0755 -o postgres -g postgres -d /run/postgresql
    '';

    services.postgresql = rec {
      enable = cfg.postgresql.enable;
      package = pkgs.postgresql;
      enableTCPIP = true;
      # TLS is mandatory for remote clients (all host rules below are
      # `hostssl`); cert and key come from the acme directory declared above.
      extraConfig = ''
        max_connections = 100
        wal_level = logical
        shared_buffers = 128MB
        max_wal_size = 1GB
        min_wal_size = 80MB
        log_timezone = 'Europe/Paris'
        datestyle = 'iso, mdy'
        timezone = 'Europe/Paris'
        lc_messages = 'en_US.UTF-8'
        lc_monetary = 'en_US.UTF-8'
        lc_numeric = 'en_US.UTF-8'
        lc_time = 'en_US.UTF-8'
        default_text_search_config = 'pg_catalog.english'
        ssl = on
        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
      '';
      # pg_hba rules, matched in order.  NOTE(review): several `hostssl`
      # lines below carry no address column although a host rule requires
      # one, so either this listing lost a column or the rules are malformed
      # — confirm against the checked-in file.  `hostssl all all all pam`
      # reads as PAM/LDAP authentication for every database and role from
      # any address; `md5` could be `scram-sha-256` on this PostgreSQL
      # version.  The two replication rules use the dedicated
      # "postgresql_replication" PAM service defined below.
      authentication = ''
        local all postgres ident
        local all all md5
        hostssl all all samehost md5
        hostssl all all md5
        hostssl all all md5
        hostssl all all all pam
        hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
        hostssl replication backup-1 pam pamservice=postgresql_replication
      '';
    };

    # PAM stacks used by the servers: MariaDB's PAM plugin (service "mysql")
    # and PostgreSQL's `pam` auth method (services "postgresql" and
    # "postgresql_replication"); all of them authenticate against LDAP via
    # pam_ldap.
    security.pam.services = let
      pam_ldap = pkgs.pam_ldap;
      # NOTE(review): pkgs.writeText places these files in /nix/store, which
      # is world-readable, so the bind passwords read from the environment
      # become readable by every local user (and by any binary cache the
      # store is pushed to).  Keeping the pam_ldap config outside the store
      # would contain that exposure.  `mylibs.checkEnv` presumably aborts
      # evaluation when the variable is unset — confirm in mylibs.
      pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
        pkgs.writeText "mysql.conf" ''
          host ldap.immae.eu
          base dc=immae,dc=eu
          binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
          bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
          pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
        '';
      # Shared by the "postgresql" and "postgresql_replication" services;
      # unlike the mysql config it has no pam_filter, so group membership is
      # not checked here.
      pam_ldap_postgresql_replication = assert mylibs.checkEnv "NIXOPS_ELDIRON_LDAP_PASSWORD";
        pkgs.writeText "postgresql.conf" ''
          host ldap.immae.eu
          base dc=immae,dc=eu
          binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
          bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}
          pam_login_attribute cn
        '';
    in [
      {
        name = "mysql";
        text = ''
          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
          auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
        '';
      }
      {
        name = "postgresql";
        text = ''
          auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
        '';
      }
      {
        name = "postgresql_replication";
        text = ''
          auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
        '';
      }
    ];

    # Redis database index allocated to each application (presumably the
    # numeric DB each client selects — confirm against the client configs).
    # Diaspora: 15
    # Nextcloud: 14
    # Mastodon: 13
    # Mediagoblin: 12
    # wallabag: 0 ?
    services.redis = rec {
      enable = config.services.myDatabases.redis.enable;
      bind = "";
      unixSocket = "/run/redis/redis.sock";
      # NOTE(review): `unixsocketperm 777` makes the socket writable by every
      # local user, and no `requirepass` is visible here, so any local
      # process can issue commands.  Restricting the socket to a group the
      # client services share (e.g. 770) is the usual mitigation.
      extraConfig = ''
        unixsocketperm 777
        maxclients 1024
      '';
    };
    # Socket directory for redis; ownership lets the redis user create the
    # socket there.
    system.activationScripts.redis = ''
      mkdir -p /run/redis
      chown redis /run/redis
    '';
  };
}