From: Ismaël Bouya
Date: Fri, 28 Dec 2018 15:56:48 +0000 (+0100)
Subject: Add mysql
X-Git-Tag: nur_publish~400
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=dedf591df65bcd1222a9e053fd6fc7631f74ab7e;p=perso%2FImmae%2FConfig%2FNix.git

Add mysql
---

diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index 04b11b8..cfbb464 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -8,7 +8,7 @@
 networking = {
 firewall = {
 enable = true;
- allowedTCPPorts = [ 22 80 443 5432 ];
+ allowedTCPPorts = [ 22 80 443 3306 5432 ];
 };
 };
@@ -62,7 +62,41 @@
 };
 };
+ # FIXME: environment variables ?
+ security.pam.services = let
+ pam_ldap = pkgs.pam_ldap;
+ pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+ host ldap.immae.eu
+ base dc=immae,dc=eu
+ binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
+ bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
+ pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
+ '';
+ in [
+ {
+ name = "mysql";
+ text = ''
+ # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
+ auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+ account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+ '';
+ }
+ ];
+ # FIXME: initial sync
+ # FIXME: backup
+ # FIXME: restart after pam
+ # FIXME: pam access doesn’t work (because of php module)
+ services.mysql = rec {
+ enable = true;
+ package = pkgs.mariadb.overrideAttrs(old: rec {
+ cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+ buildInputs = old.buildInputs ++ [ pkgs.pam ];
+ });
+ };
 # FIXME: initial sync
 # FIXME: backup
 services.postgresql = rec {
 enable = true;
 package = pkgs.postgresql100.overrideAttrs(old: rec {
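Review bot: The pam_ldap config built with `pkgs.writeText "mysql.conf"` in the second hunk is written into the Nix store, which is world-readable on the host, so the `bindpw` line — the LDAP service-account password taken from `NIXOPS_MYSQL_PAM_PASSWORD` — becomes readable by every local user and stays in the store across rebuilds; on top of that, `builtins.getEnv` yields an empty string when the variable is unset, so a missing variable silently produces a config with an empty `bindpw` instead of failing the evaluation. Keep the file out of the store by pointing `config=` at a path deployed to the target outside /nix/store with a restricted owner and mode (the `NIXOPS_` prefix suggests NixOps, whose `deployment.keys` mechanism would fit), e.g. `pam_ldap_mysql = "/run/keys/<mysql-pam-ldap-conf-placeholder>";`, and if the value must stay environment-driven, add an assertion that it is non-empty so the build fails loudly. The first hunk also opens 3306 in the firewall; unless remote clients are required, limiting the MariaDB listener or the rule to trusted sources would reduce the exposure of a PAM-authenticated database. The enclosing attribute set continues outside both hunks.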