X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=systems%2Feldiron%2Fdatabases%2Fmariadb.nix;fp=modules%2Fprivate%2Fdatabases%2Fmariadb.nix;h=b4a6917a76018aaea2bc41ee5591bf4133b5ced4;hb=1a64deeb894dc95e2645a75771732c6cc53a79ad;hp=101eb3fb7c850157b9b31786199d4a4084543cb5;hpb=fa25ffd4583cc362075cd5e1b4130f33306103f0;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/databases/mariadb.nix b/systems/eldiron/databases/mariadb.nix
similarity index 92%
rename from modules/private/databases/mariadb.nix
rename to systems/eldiron/databases/mariadb.nix
index 101eb3f..b4a6917 100644
--- a/modules/private/databases/mariadb.nix
+++ b/systems/eldiron/databases/mariadb.nix
@@ -74,7 +74,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [ 3306 ];
+    networking.firewall.allowedTCPPorts = [ config.myEnv.databases.mysql.port ];
 
     # for adminer, ssl is implemented with mysqli only, which is
     # currently disabled because it’s not compatible with pam.
@@ -96,6 +96,7 @@ in {
       dataDir = cfg.dataDir;
       settings = {
         mysqld = {
+          port = config.myEnv.databases.mysql.port;
           ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
           ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
           ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
@@ -107,13 +108,18 @@ in {
           # this introduces a small delay before storing on disk, but
           # makes it order of magnitudes quicker
           innodb_flush_log_at_trx_commit = "0";
+
+          # This is necessary since the default ("dialog") is not
+          # supported by php's mysqlnd plugin (in mysqli). But with that
+          # change only regular login+password schemes can work (no
+          # "fancy" authentication methods like fprintd or keys)
+          pam_use_cleartext_plugin = true;
         };
       };
     };
 
     users.users.mysql.extraGroups = [ "keys" ];
-    security.acme.certs."mysql" = config.myServices.databasesCerts // {
-      user = "mysql";
+    security.acme.certs."mysql" = {
       group = "mysql";
       domain = "db-1.immae.eu";
       postRun = ''
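Review bot: The firewall line now opens `config.myEnv.databases.mysql.port`, and the second hunk sets the same option as `mysqld.port`, but neither site says that the two must stay in sync; a short comment at the firewall line, e.g. `# must match services.mysql.settings.mysqld.port below`, would keep a later edit from opening one port while the server listens on another. Both references read a project option whose definition is outside this diff, so whether it is typed as an integer (which the mysqld settings and allowedTCPPorts both expect) cannot be checked here. The enclosing `config = lib.mkIf cfg.enable {` attribute set continues past the hunk.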
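Review bot: `pam_use_cleartext_plugin = true;` makes the server request the mysql_clear_password client plugin, so the PAM users' passwords travel over the connection in cleartext, and nothing in the visible `mysqld` settings forces TLS even though `ssl_ca`/`ssl_key`/`ssl_cert` are configured in the previous hunk. The added comment explains the mysqlnd motivation but not this consequence; it should state it, e.g. `# NOTE: the password is sent in the clear by the client, so TLS must be enforced for remote logins`, and the settings block should enforce it with `require_secure_transport = true;` (MariaDB 10.5+; local unix-socket connections are unaffected) unless the firewall already restricts who can reach the port. Separately, the same hunk drops `user = "mysql"` from the ACME certificate definition while `ssl_key` still points at `${config.security.acme.certs.mysql.directory}/key.pem`; presumably the mysql user now reads the key through the `group = "mysql"` setting, but that depends on the directory's group permissions and is worth confirming, since the former `config.myServices.databasesCerts // {` merge may also have carried settings that are no longer applied.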