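{ lib, pkgs, config, ... }:
# NixOS module for a MariaDB instance that:
#   - listens on TCP 3306 with TLS material taken from an ACME certificate,
#   - authenticates users through PAM, backed by pam_ldap over STARTTLS,
#   - dumps every database twice a day with mysqldump (credentials kept in a
#     root-only defaults file rather than on the command line).
let
  cfg = config.myServices.databases.mariadb;
in {
  options.myServices.databases = {
    mariadb = {
      enable = lib.mkOption {
        default = false;
        example = true;
        description = "Whether to enable mariadb database";
        type = lib.types.bool;
      };
      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.mariadb;
        description = ''
          Mariadb package to use.
        '';
      };
      credentials = lib.mkOption {
        default = {};
        description = ''
          Database credentials. The `root` entry is required: it is written
          (mode 0400, owned by root) into the mysqldump defaults file used by
          the backup cron job.
        '';
        type = lib.types.attrsOf lib.types.str;
      };
      # No default: enabling the module without setting this fails at evaluation time.
      ldapConfig = lib.mkOption {
        description = "LDAP configuration to allow PAM identification via LDAP";
        type = lib.types.submodule {
          options = {
            host = lib.mkOption { type = lib.types.str; };
            base = lib.mkOption { type = lib.types.str; };
            dn = lib.mkOption { type = lib.types.str; };
            # Bind password; it ends up in the generated pam_ldap config file
            # (mode 0400, owned by mysql), not in a command line.
            password = lib.mkOption { type = lib.types.str; };
            filter = lib.mkOption { type = lib.types.str; };
          };
        };
      };
      dataDir = lib.mkOption {
        type = lib.types.path;
        default = "/var/lib/mysql";
        description = ''
          The directory where Mariadb stores its data.
        '';
      };
      # Output variables
      socketsDir = lib.mkOption {
        type = lib.types.path;
        default = "/run/mysqld";
        description = ''
          The directory where Mariadb puts sockets.
        '';
      };
      # Read-only: other modules consume this to find the server socket.
      sockets = lib.mkOption {
        type = lib.types.attrsOf lib.types.path;
        default = {
          mysqld = "${cfg.socketsDir}/mysqld.sock";
        };
        readOnly = true;
        description = ''
          Mariadb sockets
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    # Fail early with a readable message instead of an "attribute 'root'
    # missing" error from the secrets block below when credentials is left
    # at its default of {}.
    assertions = [
      {
        assertion = cfg.credentials ? root;
        message = "myServices.databases.mariadb.credentials.root must be set: it is written to the mysqldump defaults file used by the backup cron job.";
      }
    ];

    # The server is reachable from the network; remote accounts are expected
    # to be created with REQUIRE SSL as described below.
    networking.firewall.allowedTCPPorts = [ 3306 ];

    # for adminer, ssl is implemented with mysqli only, which is
    # currently disabled because it’s not compatible with pam.
    # Thus we need to generate two users for each 'remote': one remote
    # with SSL, and one localhost without SSL.
    # User identified by LDAP:
    # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
    # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
    services.mysql = {
      enable = true;
      package = cfg.package;
      dataDir = cfg.dataDir;
      # TLS: system CA bundle for client verification, key/cert from the
      # "mysql" ACME certificate declared below.
      extraOptions = ''
        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
        ssl_key = ${config.security.acme.directory}/mysql/key.pem
        ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
      '';
    };

    # NOTE(review): presumably needed so the daemon can read files under the
    # secrets location (the pam_ldap config is owned by mysql) — confirm.
    users.users.mysql.extraGroups = [ "keys" ];
    # Shared certificate settings, overridden on the right-hand side of //
    # with the per-service owner, files and domain. The key is generated
    # for the mysql user so the daemon can open it directly.
    security.acme.certs."mysql" = config.myServices.databasesCerts // {
      user = "mysql";
      group = "mysql";
      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
      domain = "db-1.immae.eu";
      # Restart so a renewed certificate is picked up.
      postRun = ''
        systemctl restart mysql.service
      '';
    };

    secrets.keys = [
      # Defaults file for mysqldump: keeps the root password out of the cron
      # command line and the process list. Root-only.
      {
        dest = "mysql/mysqldump";
        permissions = "0400";
        user = "root";
        group = "root";
        text = ''
          [mysqldump]
          user = root
          password = ${cfg.credentials.root}
        '';
      }
      # pam_ldap configuration read by the PAM service below. Readable only
      # by the mysql user, since it contains the bind password.
      {
        dest = "mysql/pam";
        permissions = "0400";
        user = "mysql";
        group = "mysql";
        text = with cfg.ldapConfig; ''
          host ${host}
          base ${base}
          binddn ${dn}
          bindpw ${password}
          pam_filter ${filter}
          ssl start_tls
        '';
      }
    ];

    # Full dump at 01:30 and 13:30, overwriting the previous file (no
    # rotation). NOTE(review): the dump is plaintext and its mode follows the
    # cron shell's umask — confirm dataDir is not group/world traversable.
    services.cron = {
      enable = true;
      systemCronJobs = [
        ''
        30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
        ''
      ];
    };

    # PAM service "mysql" used by MariaDB's pam plugin: both the auth and
    # account phases are delegated to pam_ldap with the generated config.
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
    in [
      {
        name = "mysql";
        text = ''
          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
          auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
        '';
      }
    ];

  };
}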