X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fdatabases%2Fredis.nix;h=685fa464cf60efdb7f7ef64a1e9008c4590cd769;hb=4c4652aabf2cb3ac8b40f2856eca07a1df9c27e0;hp=693f40261627d7b1cdba473446de86257c823525;hpb=dded66995529a0419cc56778f4ebb4247c2ab765;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 693f402..685fa46 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix @@ -1,4 +1,4 @@ -{ lib, config, pkgs, myconfig, ... }: +{ lib, config, pkgs, ... }: let cfg = config.myServices.databases.redis; in { @@ -17,16 +17,6 @@ in { ''; }; # Output variables - systemdRuntimeDirectory = lib.mkOption { - type = lib.types.str; - # Use ReadWritePaths= instead if socketsDir is outside of /run - default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; - lib.strings.removePrefix "/run/" cfg.socketsDir; - description = '' - Adjusted redis sockets directory for systemd - ''; - readOnly = true; - }; sockets = lib.mkOption { type = lib.types.attrsOf lib.types.path; default = { @@ -51,7 +41,7 @@ in { maxclients 1024 ''; }; - systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory; + systemd.services.redis.serviceConfig.Slice = "redis.slice"; services.spiped = { enable = true; @@ -59,7 +49,7 @@ in { decrypt = true; source = "0.0.0.0:16379"; target = "/run/redis/redis.sock"; - keyfile = "${config.secrets.location}/redis/spiped_keyfile"; + keyfile = config.secrets.fullPaths."redis/spiped_keyfile"; }; }; systemd.services.spiped_redis = { @@ -68,8 +58,9 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig = { - Restart = "always"; - User = "spiped"; + Slice = "redis.slice"; + Restart = "always"; + User = "spiped"; PermissionsStartOnly = true; SupplementaryGroups = "keys"; }; 
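Review bot: Replacing the `RuntimeDirectory` line in the `@@ -51,7 +41,7 @@` hunk removes the only check that `cfg.socketsDir` lies under `/run/` (the `assert lib.strings.hasPrefix "/run/" cfg.socketsDir` deleted in the `@@ -17,16 +17,6 @@` hunk). The spiped `target` in the following hunk stays hard-coded to `/run/redis/redis.sock`. If `socketsDir` is still a settable option (its definition is outside these hunks), a non-default value would now evaluate cleanly and leave spiped pointing at a socket path redis no longer uses. Keeping the guard as a module assertion would preserve the old failure mode, e.g. `assertions = [ { assertion = lib.strings.hasPrefix "/run/" cfg.socketsDir; message = "redis socketsDir must be under /run"; } ];`. Otherwise, a comment above the new `Slice` line should say which unit is now expected to create the socket directory.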
@@ -79,13 +70,12 @@ in { services.filesWatcher.predixy = { restart = true; - paths = [ "${config.secrets.location}/redis/predixy.conf" ]; + paths = [ config.secrets.fullPaths."redis/predixy.conf" ]; }; networking.firewall.allowedTCPPorts = [ 7617 16379 ]; - secrets.keys = [ - { - dest = "redis/predixy.conf"; + secrets.keys = { + "redis/predixy.conf" = { user = "redis"; group = "redis"; permissions = "0400"; @@ -96,7 +86,7 @@ in { WorkerThreads 1 Authority { - Auth "${myconfig.env.databases.redis.predixy.read}" { + Auth "${config.myEnv.databases.redis.predixy.read}" { Mode read } } @@ -105,19 +95,22 @@ in { Databases 16 RefreshMethod fixed Group shard001 { - + ${myconfig.env.databases.redis.socket} + + ${config.myEnv.databases.redis.socket} } } ''; - } - { - dest = "redis/spiped_keyfile"; + }; + "redis/spiped_keyfile" = { user = "spiped"; group = "spiped"; permissions = "0400"; - text = myconfig.env.databases.redis.spiped_key; - } - ]; + text = config.myEnv.databases.redis.spiped_key; + }; + }; + + systemd.slices.redis = { + description = "Redis slice"; + }; systemd.services.predixy = { description = "Redis proxy"; @@ -125,12 +118,13 @@ in { after = [ "redis.service" ]; serviceConfig = { + Slice = "redis.slice"; User = "redis"; Group = "redis"; SupplementaryGroups = "keys"; Type = "simple"; - ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf"; + ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}"; }; };
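Review bot: The `Auth "${config.myEnv.databases.redis.predixy.read}" {` line in the `@@ -96,7 +86,7 @@` hunk writes the password verbatim between double quotes in the generated predixy.conf. A value containing `"` or a newline would therefore truncate the credential or be read as further directives. The same holds for `+ ${config.myEnv.databases.redis.socket}` in the next hunk. The enclosing `text = '' … ''` string starts above this hunk, and whether predixy supports escapes inside quoted values is not visible here. The safe option is to constrain the input and document it next to the interpolation: `# predixy.read is written verbatim into Auth "...": it must not contain '"' or newlines`.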
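Review bot: `systemd.slices.redis` in the `@@ -105,19 +95,22 @@` hunk is declared with a description only, so the `Slice = "redis.slice"` assignments on redis, spiped_redis and predixy group the units without bounding them. This module also opens TCP 7617 and 16379 in the firewall, so if containing resource use by the network-facing pieces was the intent, the limit has to be set on the slice, e.g. `sliceConfig.MemoryMax = "<limit>";`. If the slice is for accounting only, a comment such as `# grouping only: no resource limits are set on this slice` would stop a reader from assuming containment that is not there.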
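Review bot: The predixy `serviceConfig` in the `@@ -125,12 +118,13 @@` hunk gains `Slice` but still has no systemd sandboxing beyond `User`/`Group`, even though the module opens firewall ports for the redis front ends. Which port predixy binds is not visible in these hunks. From what the hunk shows, the process needs to read its config under the secrets path and reach the redis socket. On that basis `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `PrivateTmp = true;` could sit next to `Slice`, after checking that the secrets path remains readable. The `systemd.services.predixy` block opens above this hunk, so any settings made there are not covered by this note.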