-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
let
cfg = config.myServices.databases.redis;
in {
'';
};
# Output variables
- systemdRuntimeDirectory = lib.mkOption {
- type = lib.types.str;
- # Use ReadWritePaths= instead if socketsDir is outside of /run
- default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
- lib.strings.removePrefix "/run/" cfg.socketsDir;
- description = ''
- Adjusted redis sockets directory for systemd
- '';
- readOnly = true;
- };
sockets = lib.mkOption {
type = lib.types.attrsOf lib.types.path;
default = {
maxclients 1024
'';
};
- systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+ systemd.services.redis.serviceConfig.Slice = "redis.slice";
+
+ services.spiped = {
+ enable = true;
+ config.redis = {
+ decrypt = true;
+ source = "0.0.0.0:16379";
+ target = "/run/redis/redis.sock";
+ keyfile = config.secrets.fullPaths."redis/spiped_keyfile";
+ };
+ };
+ systemd.services.spiped_redis = {
+ description = "Secure pipe 'redis'";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Slice = "redis.slice";
+ Restart = "always";
+ User = "spiped";
+ PermissionsStartOnly = true;
+ SupplementaryGroups = "keys";
+ };
+
+ script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
+ };
+
+ services.filesWatcher.predixy = {
+ restart = true;
+ paths = [ config.secrets.fullPaths."redis/predixy.conf" ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 7617 16379 ];
+ secrets.keys = {
+ "redis/predixy.conf" = {
+ user = "redis";
+ group = "redis";
+ permissions = "0400";
+ text = ''
+ Name Predixy
+ Bind 127.0.0.1:7617
+ ClientTimeout 300
+ WorkerThreads 1
+
+ Authority {
+ Auth "${config.myEnv.databases.redis.predixy.read}" {
+ Mode read
+ }
+ }
+
+ StandaloneServerPool {
+ Databases 16
+ RefreshMethod fixed
+ Group shard001 {
+ + ${config.myEnv.databases.redis.socket}
+ }
+ }
+ '';
+ };
+ "redis/spiped_keyfile" = {
+ user = "spiped";
+ group = "spiped";
+ permissions = "0400";
+ text = config.myEnv.databases.redis.spiped_key;
+ };
+ };
+
+ systemd.slices.redis = {
+ description = "Redis slice";
+ };
+
+ systemd.services.predixy = {
+ description = "Redis proxy";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "redis.service" ];
+
+ serviceConfig = {
+ Slice = "redis.slice";
+ User = "redis";
+ Group = "redis";
+ SupplementaryGroups = "keys";
+ Type = "simple";
+
+ ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}";
+ };
+
+ };
};
}
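Review bot: `networking.firewall.allowedTCPPorts = [ 7617 16379 ];` opens 7617 to the outside while the generated predixy.conf binds the proxy to `127.0.0.1:7617`, so that rule either does nothing today or silently exposes the unencrypted, password-only proxy the moment the Bind line changes; only 16379 (the spiped endpoint) needs to be reachable, so change it to `networking.firewall.allowedTCPPorts = [ 16379 ];`. The hand-written `systemd.services.spiped_redis` unit looks like it duplicates the `spiped@redis` unit that the NixOS `services.spiped` module presumably generates from the same spec; if that is the case, one of the two should go, and if the custom unit stays, `PermissionsStartOnly` is deprecated and the unit has no hardening for a daemon listening on `0.0.0.0`, e.g. `NoNewPrivileges = true; ProtectSystem = "strict"; PrivateTmp = true;`. Separately, the spiped target `/run/redis/redis.sock` and the predixy shard entry `${config.myEnv.databases.redis.socket}` are now two independent spellings of the socket path where the removed `systemdRuntimeDirectory` option used to derive it from `cfg.socketsDir`; deriving both from the same option would keep them from drifting apart.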