enable = true;
package = cfg.package;
dataDir = cfg.dataDir;
- extraOptions = ''
- ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
- ssl_key = ${config.security.acme2.certs.mysql.directory}/key.pem
- ssl_cert = ${config.security.acme2.certs.mysql.directory}/fullchain.pem
+ settings = {
+ mysqld = {
+ ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
+ ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
- # for replication
- log-bin=mariadb-bin
- server-id=1
+ # for replication
+ log-bin = "mariadb-bin";
+ server-id = "1";
- # this introduces a small delay before storing on disk, but
- # makes it order of magnitudes quicker
- innodb_flush_log_at_trx_commit = 0
- '';
+ # this introduces a small delay before storing on disk, but
+ # makes it order of magnitudes quicker
+ innodb_flush_log_at_trx_commit = "0";
+ };
+ };
};
users.users.mysql.extraGroups = [ "keys" ];
- security.acme2.certs."mysql" = config.myServices.databasesCerts // {
+ security.acme.certs."mysql" = config.myServices.databasesCerts // {
user = "mysql";
group = "mysql";
- plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
domain = "db-1.immae.eu";
postRun = ''
systemctl restart mysql.service
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- in [
- {
- name = "mysql";
+ in {
+ mysql = {
text = ''
# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
'';
- }
- {
- name = "mysql_replication";
+ };
+ mysql_replication = {
text = ''
auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
'';
- }
- ];
+ };
+ };
};
}