X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdatabases%2Fmariadb.nix;h=75ea747147896437ad6480a2159a52a0e19f31e6;hb=da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2;hp=ed647ea662f5b5e96c2a603ffa4db6dc60541e9a;hpb=981fa80354fd6f00f49446777c38f77bd8a65f65;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index ed647ea..75ea747 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -94,26 +94,27 @@ in {
 enable = true;
 package = cfg.package;
 dataDir = cfg.dataDir;
- extraOptions = ''
- ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
- ssl_key = ${config.security.acme2.certs.mysql.directory}/key.pem
- ssl_cert = ${config.security.acme2.certs.mysql.directory}/fullchain.pem
+ settings = {
+ mysqld = {
+ ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
+ ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
 
- # for replication
- log-bin=mariadb-bin
- server-id=1
+ # for replication
+ log-bin = "mariadb-bin";
+ server-id = "1";
 
- # this introduces a small delay before storing on disk, but
- # makes it order of magnitudes quicker
- innodb_flush_log_at_trx_commit = 0
- '';
+ # this introduces a small delay before storing on disk, but
+ # makes it order of magnitudes quicker
+ innodb_flush_log_at_trx_commit = "0";
+ };
+ };
 };
 users.users.mysql.extraGroups = [ "keys" ];
- security.acme2.certs."mysql" = config.myServices.databasesCerts // {
+ security.acme.certs."mysql" = config.myServices.databasesCerts // {
 user = "mysql";
 group = "mysql";
- plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
 domain = "db-1.immae.eu";
 postRun = ''
 systemctl restart mysql.service 
@@ -164,23 +165,21 @@ in {
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- in [
- {
- name = "mysql";
+ in {
+ mysql = {
 text = ''
 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
- auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
- account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+ auth required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
+ account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
 '';
- }
- {
- name = "mysql_replication";
+ };
+ mysql_replication = {
 text = ''
- auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
- account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+ auth required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
+ account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
 '';
- }
- ];
+ };
+ };
 };
 }
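Review bot: The `mysql_replication` stack has no comment explaining why it points pam_ldap at a second config (`mysql/pam_replication`) instead of reusing `mysql/pam`, and nothing in the hunk records who must be able to read those two secret files — a pam_ldap config normally carries LDAP bind credentials, and which identity performs the PAM conversation (mysqld itself or a setuid helper, depending on the MariaDB version) is not visible here. I would add above the `mysql_replication` block: `# Separate pam_ldap config so replication logins are checked against their own LDAP filter; presumably secrets.fullPaths makes both files readable by the mysql user only — confirm the mode/owner set by the secrets module`. Both `text` blocks are the same two-line `auth`/`account` stack differing only in the config path; a small `mkLdapStack = conf: { text = "auth required ${pam_ldap} config=${conf}\naccount required ${pam_ldap} config=${conf}\n"; }` helper in the `let` would remove the duplication and keep the two stacks from drifting. The hunk's line count suggests one or two blank context lines were lost in collapsing, so the exact layout around `security.pam.services` is inferred.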