X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fmysql.nix;fp=nixops%2Fmodules%2Fdatabases%2Fmysql.nix;h=0000000000000000000000000000000000000000;hb=182ae57f53731be220075bc87aff4d47a35563b8;hp=6739aaa401f23bee97179d2acb9cfc9466a61847;hpb=6c97d2d715620a1cdc3b8a785174590ec0dafb98;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix deleted file mode 100644 index 6739aaa..0000000 --- a/nixops/modules/databases/mysql.nix +++ /dev/null @@ -1,99 +0,0 @@ -{ lib, pkgs, config, myconfig, ... }: -let - cfg = config.services.myDatabases; -in { - options.services.myDatabases = { - mariadb = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable mariadb database"; - type = lib.types.bool; - }; - }; - }; - - config = lib.mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [ 3306 ]; - - # for adminer, ssl is implemented with mysqli only, which is - # currently disabled because it’s not compatible with pam. - # Thus we need to generate two users for each 'remote': one remote - # with SSL, and one localhost without SSL. - # User identified by LDAP: - # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; - # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; - services.mysql = rec { - enable = cfg.mariadb.enable; - package = pkgs.mariadb; - extraOptions = '' - ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ssl_key = /var/lib/acme/mysql/key.pem - ssl_cert = /var/lib/acme/mysql/fullchain.pem - ''; - }; - - users.users.mysql.extraGroups = [ "keys" ]; - security.acme.certs."mysql" = config.services.myCertificates.certConfig // { - user = "mysql"; - group = "mysql"; - plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; - domain = "db-1.immae.eu"; - postRun = '' - systemctl restart mysql.service - ''; - }; - - secrets.keys = [ - { - dest = "mysql/mysqldump"; - permissions = "0400"; - user = "root"; - group = "root"; - text = '' - [mysqldump] - user = root - password = ${myconfig.env.databases.mysql.systemUsers.root} - ''; - } - { - dest = "mysql/pam"; - permissions = "0400"; - user = "mysql"; - group = "mysql"; - text = with myconfig.env.databases.mysql.pam; '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${dn} - bindpw ${password} - pam_filter ${filter} - ssl start_tls - ''; - } - ]; - - services.cron = { - enable = true; - systemCronJobs = [ - '' - 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql - '' - ]; - }; - - security.pam.services = let - pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; - in [ - { - name = "mysql"; - text = '' - # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap} config=/var/secrets/mysql/pam - account required ${pam_ldap} config=/var/secrets/mysql/pam - ''; - } - ]; - - }; -} -