X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdatabases%2Fredis.nix;h=685fa464cf60efdb7f7ef64a1e9008c4590cd769;hb=4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0;hp=1ba6eed6ccecc83e81e5bbf16ce7d2c6fb214264;hpb=4aac110f17f0528d90510eec00c9a8df60bcf04f;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
index 1ba6eed..685fa46 100644
--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -1,10 +1,10 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, ... }:
 let
 cfg = config.myServices.databases.redis;
 in {
 options.myServices.databases.redis = {
 enable = lib.mkOption {
- default = cfg.enable;
+ default = false;
 example = true;
 description = "Whether to enable redis database";
 type = lib.types.bool;
@@ -17,16 +17,6 @@ in {
 '';
 };
 # Output variables
- systemdRuntimeDirectory = lib.mkOption {
- type = lib.types.str;
- # Use ReadWritePaths= instead if socketsDir is outside of /run
- default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
- lib.strings.removePrefix "/run/" cfg.socketsDir;
- description = ''
- Adjusted redis sockets directory for systemd
- '';
- readOnly = true;
- };
 sockets = lib.mkOption {
 type = lib.types.attrsOf lib.types.path;
 default = {
@@ -51,7 +41,93 @@ in {
 maxclients 1024
 '';
 };
- systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+ systemd.services.redis.serviceConfig.Slice = "redis.slice";
+
+ services.spiped = {
+ enable = true;
+ config.redis = {
+ decrypt = true;
+ source = "0.0.0.0:16379";
+ target = "/run/redis/redis.sock";
+ keyfile = config.secrets.fullPaths."redis/spiped_keyfile";
+ };
+ };
+ systemd.services.spiped_redis = {
+ description = "Secure pipe 'redis'";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Slice = "redis.slice";
+ Restart = "always";
+ User = "spiped";
+ PermissionsStartOnly = true;
+ SupplementaryGroups = "keys";
+ };
+
+ script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
+ };
+
+ services.filesWatcher.predixy = {
+ restart = true;
+ paths = [ config.secrets.fullPaths."redis/predixy.conf" ];
+ };
+
+ networking.firewall.allowedTCPPorts = [ 7617 16379 ];
+ secrets.keys = {
+ "redis/predixy.conf" = {
+ user = "redis";
+ group = "redis";
+ permissions = "0400";
+ text = ''
+ Name Predixy
+ Bind 127.0.0.1:7617
+ ClientTimeout 300
+ WorkerThreads 1
+
+ Authority {
+ Auth "${config.myEnv.databases.redis.predixy.read}" {
+ Mode read
+ }
+ }
+
+ StandaloneServerPool {
+ Databases 16
+ RefreshMethod fixed
+ Group shard001 {
+ + ${config.myEnv.databases.redis.socket}
+ }
+ }
+ '';
+ };
+ "redis/spiped_keyfile" = {
+ user = "spiped";
+ group = "spiped";
+ permissions = "0400";
+ text = config.myEnv.databases.redis.spiped_key;
+ };
+ };
+
+ systemd.slices.redis = {
+ description = "Redis slice";
+ };
+
+ systemd.services.predixy = {
+ description = "Redis proxy";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "redis.service" ];
+
+ serviceConfig = {
+ Slice = "redis.slice";
+ User = "redis";
+ Group = "redis";
+ SupplementaryGroups = "keys";
+ Type = "simple";
+
+ ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}";
+ };
+
+ };
 };
 }
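Review bot: `networking.firewall.allowedTCPPorts = [ 7617 16379 ];` opens the Predixy port to the network although the generated predixy.conf binds it to `127.0.0.1:7617`, so the 7617 entry is either dead configuration or prepares to expose a proxy protected only by the read password in clear text, while the Redis socket itself is reachable from outside only through the spiped tunnel on 16379; reduce it to `networking.firewall.allowedTCPPorts = [ 16379 ];` and, if remote proxy access is ever wanted, front Predixy with spiped as well. The `spiped_redis` unit also restates description, after, wantedBy and script; if these mirror what the nixpkgs spiped module already generates for `config.redis`, only `Slice` and `SupplementaryGroups` need to be set here, and repeating the script string will produce a merge conflict the next time the module's wording changes. Dropping `RuntimeDirectory` from the redis unit means `/run/redis` must now be created by the redis module itself, and spiped, running as user `spiped`, must be allowed to connect to `/run/redis/redis.sock`; the socket's permissions are configured outside this hunk, so confirm they admit that user. The enclosing `config` attribute set starts before this hunk.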