X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdatabases%2Fmariadb.nix;h=04e4bd626d02ee659eb5307e97a9671aa24c1ed8;hb=5400b9b6f65451d41a9106fae6fc00f97d83f4ef;hp=4293f02cf9e1aec47513de3fac24941f73f33522;hpb=8415083eb6acc343dfa404dbbc12fa0171a48a20;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 4293f02..04e4bd6 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -34,6 +34,17 @@ in {
 };
 };
 };
+ replicationLdapConfig = lib.mkOption {
+ description = "LDAP configuration to allow replication";
+ type = lib.types.submodule {
+ options = {
+ host = lib.mkOption { type = lib.types.str; };
+ base = lib.mkOption { type = lib.types.str; };
+ dn = lib.mkOption { type = lib.types.str; };
+ password = lib.mkOption { type = lib.types.str; };
+ };
+ };
+ };
 dataDir = lib.mkOption {
 type = lib.types.path;
 default = "/var/lib/mysql";
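Review bot: The four sub-options of `replicationLdapConfig` have no `description`, and `password` is declared exactly like `host`, `base` and `dn` (a bare `lib.types.str`), so nothing at the option level tells the person setting it that the value is a secret that ends up in a bind configuration file. A one-line description per sub-option would fix both, e.g. `password = lib.mkOption { type = lib.types.str; description = "Bind password for the replication LDAP lookup (written to the mysql/pam_replication secret file, never log it)"; };`. The option also has no default, so it appears to become mandatory for every host that imports this module even when replication is not used; if that is intended, the top-level description should say so.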
@@ -72,14 +83,29 @@ in {
 # User identified by LDAP:
 # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
 # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
+
+ # To create a user (host) for replication:
+ # CREATE USER 'host'@'%' IDENTIFIED VIA pam USING 'mysql_replication' REQUIRE SSL;
+ # GRANT REPLICATION SLAVE, REPLICATION CLIENT, RELOAD, LOCK TABLES, SELECT, SHOW VIEW ON *.* TO 'host'@'%';
+ # (the lock/select grant permits to let the replication host handle
+ # the initial fetch of the database)
+ # % should be valid for both localhost (for cron dumps) and the origin host.
 services.mysql = {
 enable = true;
 package = cfg.package;
 dataDir = cfg.dataDir;
 extraOptions = ''
 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
- ssl_key = ${config.security.acme.directory}/mysql/key.pem
- ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
+ ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem
+ ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem
+
+ # for replication
+ log-bin=mariadb-bin
+ server-id=1
+
+ # this introduces a small delay before storing on disk, but
+ # makes it order of magnitudes quicker
+ innodb_flush_log_at_trx_commit = 0
 '';
 };
 
@@ -87,7 +113,7 @@ in {
 security.acme.certs."mysql" = config.myServices.databasesCerts // {
 user = "mysql";
 group = "mysql";
- plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
 domain = "db-1.immae.eu";
 postRun = ''
 systemctl restart mysql.service
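Review bot: The comment above `innodb_flush_log_at_trx_commit = 0` presents the setting as "a small delay before storing on disk", but at value 0 InnoDB stops flushing the redo log at commit and does so roughly once per second, so a server crash can lose the most recently committed transactions; that is a durability trade-off, not only latency, and the comment should say so, e.g. `# value 0: redo log is flushed about once a second instead of at every commit; a crash can lose the last committed transactions (accepted here for throughput)`. Turning on `log-bin=mariadb-bin` with no retention setting means binary logs accumulate under `dataDir` until someone purges them; a retention setting such as `expire_logs_days` next to it, sized to how long a replica may lag, would bound that. `server-id=1` is hardcoded in a module that is presumably going to be imported by the replica as well, which needs a different id, so exposing it as an option would avoid per-host edits of this file.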
@@ -120,17 +146,22 @@ in {
 ssl start_tls
 '';
 }
+ {
+ dest = "mysql/pam_replication";
+ permissions = "0400";
+ user = "mysql";
+ group = "mysql";
+ text = with cfg.replicationLdapConfig; ''
+ host ${host}
+ base ${base}
+ binddn ${dn}
+ bindpw ${password}
+ pam_login_attribute cn
+ ssl start_tls
+ '';
+ }
 ];
 
- services.cron = {
- enable = true;
- systemCronJobs = [
- ''
- 30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
- ''
- ];
- };
-
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
 in [
@@ -142,8 +173,14 @@ in {
 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
 '';
 }
+ {
+ name = "mysql_replication";
+ text = ''
+ auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+ account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+ '';
+ }
 ];
 };
 }
 
-
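Review bot: The `services.cron` mysqldump job that wrote `${cfg.dataDir}/backup.sql` twice a day is removed with no replacement visible in this diff, while the comment added in the earlier hunk still says `% should be valid for both localhost (for cron dumps)`; if the dumps now happen on the replication host, as the note about "the initial fetch of the database" suggests, a one-line comment here saying so would keep the two places consistent, and the `mysql/mysqldump` secret referenced by the removed `--defaults-file` may be dead. The new `mysql/pam_replication` entry itself looks right: mode `0400`, owned by `mysql`, and the bind password is only interpolated into that secrets-location file. The `security.pam.services = let … in [` list opened at the end of this hunk continues into the next one.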
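Review bot: The new `mysql_replication` PAM service repeats the `mysql` entry with only the config file name changed, so the `auth`/`account` lines now exist twice and a future change (e.g. adding a module argument) has to be made in both. Since the list is already built in a `let`, a small helper keyed on the config name keeps one copy; this assumes the `mysql` entry's `auth` line, which is outside the hunk, mirrors its visible `account` line. The `security.pam.services` block starts in the previous hunk.
```nix
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
      # one PAM service per pam_ldap config file under the mysql secrets dir
      ldapService = name: conf: {
        inherit name;
        text = ''
          auth required ${pam_ldap} config=${config.secrets.location}/mysql/${conf}
          account required ${pam_ldap} config=${config.secrets.location}/mysql/${conf}
        '';
      };
    in [
      (ldapService "mysql" "pam")
      (ldapService "mysql_replication" "pam_replication")
    ];
```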