};
config = lib.mkIf cfg.enable {
- nixpkgs.overlays = [ (self: super: rec {
- mariadb = mariadbPAM;
- mariadbPAM = super.mariadb.overrideAttrs(old: rec {
- cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
- buildInputs = old.buildInputs ++ [ self.pam ];
- });
- }) ];
-
networking.firewall.allowedTCPPorts = [ 3306 ];
# for adminer, ssl is implemented with mysqli only, which is
'';
};
- deployment.keys = {
- mysqldump = {
- destDir = "/run/keys/mysql";
+ mySecrets.keys = [
+ {
+ dest = "mysql/mysqldump";
permissions = "0400";
user = "root";
group = "root";
user = root
password = ${myconfig.env.databases.mysql.systemUsers.root}
'';
- };
- mysql-pam = {
- destDir = "/run/keys/mysql";
+ }
+ {
+ dest = "mysql/pam";
permissions = "0400";
user = "mysql";
group = "mysql";
pam_filter ${filter}
ssl start_tls
'';
- };
- };
+ }
+ ];
services.cron = {
enable = true;
systemCronJobs = [
''
- 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
+ 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
''
];
};
name = "mysql";
text = ''
# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
- auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam
- account required ${pam_ldap} config=/run/keys/mysql/mysql-pam
+ auth required ${pam_ldap} config=/var/secrets/mysql/pam
+ account required ${pam_ldap} config=/var/secrets/mysql/pam
'';
}
];
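Review bot: These two pam_ldap lines now point at `/var/secrets/mysql/pam`, but nothing in this hunk records what they depend on to actually gate logins: the removed overlay elsewhere in this diff was what built mariadb with `-DWITH_AUTHENTICATION_PAM=ON`, so the stack only matters if the `pkgs.mariadb` now in use ships and loads the `auth_pam` plugin — presumably it does, but that is not visible here. A second silent dependency is transport security: the `ssl start_tls` line in the pam config only protects the bind credential and the directory answers if that same file also pins a CA and sets `tls_reqcert` to `hard`/`demand`, which the visible fragment does not show. I would add above the `auth` line a comment such as `# requires mariadb with the auth_pam plugin loaded; the pam_ldap config below must set tls_reqcert hard and a CA file, otherwise start_tls is unverified` so the next maintainer checks both. Since `auth required` and `account required` are both pam_ldap with no fallback, a misconfigured or unreachable LDAP server locks out every PAM-backed account, which is the safe failure mode but worth stating in the same comment. The surrounding `text = ''…''` attribute set continues outside the hunk.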