X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fmysql.nix;h=23b8b909b66ead7be53895b5a01765bc4f9b5903;hb=1a7188052f235fb632700478fad0108e4306107d;hp=95de9721ab3e6aff69a588452b875ba83759e1cb;hpb=e1da84b06c408ea5d4d093de39efdda71ad6dc95;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
index 95de972..23b8b90 100644
--- a/nixops/modules/databases/mysql.nix
+++ b/nixops/modules/databases/mysql.nix
@@ -14,14 +14,6 @@ in {
 };

 config = lib.mkIf cfg.enable {
- nixpkgs.overlays = [ (self: super: rec {
- mariadb = mariadbPAM;
- mariadbPAM = super.mariadb.overrideAttrs(old: rec {
- cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
- buildInputs = old.buildInputs ++ [ self.pam ];
- });
- }) ];
-
 networking.firewall.allowedTCPPorts = [ 3306 ];

 # for adminer, ssl is implemented with mysqli only, which is
@@ -52,9 +44,9 @@ in {
 '';
 };

- deployment.keys = {
- mysqldump = {
- destDir = "/run/keys/mysql";
+ secrets.keys = [
+ {
+ dest = "mysql/mysqldump";
 permissions = "0400";
 user = "root";
 group = "root";
@@ -63,9 +55,9 @@ in {
 user = root
 password = ${myconfig.env.databases.mysql.systemUsers.root}
 '';
- };
- mysql-pam = {
- destDir = "/run/keys/mysql";
+ }
+ {
+ dest = "mysql/pam";
 permissions = "0400";
 user = "mysql";
 group = "mysql";
@@ -77,14 +69,14 @@ in {
 pam_filter ${filter}
 ssl start_tls
 '';
- };
- };
+ }
+ ];

 services.cron = {
 enable = true;
 systemCronJobs = [
 ''
- 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
+ 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
 ''
 ];
 };
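Review bot: Replacing `destDir = "/run/keys/mysql"` with `dest = "mysql/mysqldump"` (and `dest = "mysql/pam"` in the next hunk) changes where the plaintext root password and the LDAP config for PAM are stored, and nothing in the new code records that. The consumers later in this diff read them from `/var/secrets/...`, and unlike `/run`, `/var` is normally persistent storage. The secrets module is not visible here, so this is inferred; if that directory is not a tmpfs, the credentials now survive reboots and end up in disk images and backups of `/var`. I would add a comment above `secrets.keys`, e.g. `# materialised under /var/secrets by the secrets module; exclude that path from backups`, and confirm the parent directory is not world-traversable. The attribute set for each key continues outside these hunks.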
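Review bot: The rewritten cron entry still redirects with `> /var/lib/mysql/backup.sql`, which truncates the previous dump before mysqldump has read its defaults file. If the credentials are missing at the new `/var/secrets/mysql/mysqldump` path, the last good backup is replaced by an empty file. Dumping to a temporary name and renaming only on success avoids that: `... --all-databases > /var/lib/mysql/backup.sql.new && mv /var/lib/mysql/backup.sql.new /var/lib/mysql/backup.sql`. The dump is also created by root's shell under the default umask and holds every database, so prefixing the command with `umask 077;` would make its mode explicit instead of relying on the directory's permissions. The `services.cron` block is complete in this hunk, but the enclosing `config` set is not.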
@@ -96,8 +88,8 @@ in {
 name = "mysql";
 text = ''
 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
- auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam
- account required ${pam_ldap} config=/run/keys/mysql/mysql-pam
+ auth required ${pam_ldap} config=/var/secrets/mysql/pam
+ account required ${pam_ldap} config=/var/secrets/mysql/pam
 '';
 }
 ];
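Review bot: These two PAM lines keep the `mysql` service authenticating through `${pam_ldap}`, but the first hunk of this commit removes the overlay that built MariaDB with `-DWITH_AUTHENTICATION_PAM=ON`. Unless that overlay now lives elsewhere in the repository (not visible in this diff), the server would no longer ship the PAM plugin and LDAP-backed logins would fail. A comment beside the service, such as `# requires mariadb built with the PAM auth plugin (overlay defined in <path to overlay>)`, would make the dependency explicit. The `config=` path is also written out literally in both lines and must be kept in step with `dest = "mysql/pam"` by hand; binding it once in the surrounding `let` and interpolating it would prevent drift. The enclosing list starts outside the hunk.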