projects / perso / Immae / Config / Nix.git / blame
| Commit | Line | Data |
|---|---|---|
| ab8f306d | 1 | { lib, config, pkgs, ... }: |
| 182ae57f IB |
2 | let |
| 3 | cfg = config.myServices.databases.redis; | |
| 4 | in { | |
| 5 | options.myServices.databases.redis = { | |
| 6 | enable = lib.mkOption { | |
| 8415083e | 7 | default = false; |
| 182ae57f IB |
8 | example = true; |
| 9 | description = "Whether to enable redis database"; | |
| 10 | type = lib.types.bool; | |
| 11 | }; | |
| 12 | socketsDir = lib.mkOption { | |
| 13 | type = lib.types.path; | |
| 14 | default = "/run/redis"; | |
| 15 | description = '' | |
| 16 | The directory where Redis puts sockets. | |
| 17 | ''; | |
| 18 | }; | |
| 19 | # Output variables | |
| 182ae57f IB |
20 | sockets = lib.mkOption { |
| 21 | type = lib.types.attrsOf lib.types.path; | |
| 22 | default = { | |
| 23 | redis = "${cfg.socketsDir}/redis.sock"; | |
| 24 | }; | |
| 25 | readOnly = true; | |
| 26 | description = '' | |
| 27 | Redis sockets | |
| 28 | ''; | |
| 29 | }; | |
| 30 | }; | |
| 31 | ||
| 32 | config = lib.mkIf cfg.enable { | |
| 33 | users.users.redis.uid = config.ids.uids.redis; | |
| 34 | users.groups.redis.gid = config.ids.gids.redis; | |
| 35 | services.redis = rec { | |
| 36 | enable = true; | |
| 37 | bind = "127.0.0.1"; | |
| 38 | unixSocket = cfg.sockets.redis; | |
| 39 | extraConfig = '' | |
| 40 | unixsocketperm 777 | |
| 41 | maxclients 1024 | |
| 42 | ''; | |
| 43 | }; | |
| dded6699 IB |
44 | |
| 45 | services.spiped = { | |
| 46 | enable = true; | |
| 47 | config.redis = { | |
| 48 | decrypt = true; | |
| 49 | source = "0.0.0.0:16379"; | |
| 50 | target = "/run/redis/redis.sock"; | |
| 51 | keyfile = "${config.secrets.location}/redis/spiped_keyfile"; | |
| 52 | }; | |
| 53 | }; | |
| 54 | systemd.services.spiped_redis = { | |
| 55 | description = "Secure pipe 'redis'"; | |
| 56 | after = [ "network.target" ]; | |
| 57 | wantedBy = [ "multi-user.target" ]; | |
| 58 | ||
| 59 | serviceConfig = { | |
| 60 | Restart = "always"; | |
| 61 | User = "spiped"; | |
| 62 | PermissionsStartOnly = true; | |
| 63 | SupplementaryGroups = "keys"; | |
| 64 | }; | |
| 65 | ||
| 66 | script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`"; | |
| 67 | }; | |
| 68 | ||
| 69 | services.filesWatcher.predixy = { | |
| 70 | restart = true; | |
| 71 | paths = [ "${config.secrets.location}/redis/predixy.conf" ]; | |
| 72 | }; | |
| 73 | ||
| 74 | networking.firewall.allowedTCPPorts = [ 7617 16379 ]; | |
| 75 | secrets.keys = [ | |
| 76 | { | |
| 77 | dest = "redis/predixy.conf"; | |
| 78 | user = "redis"; | |
| 79 | group = "redis"; | |
| 80 | permissions = "0400"; | |
| 81 | text = '' | |
| 82 | Name Predixy | |
| 83 | Bind 127.0.0.1:7617 | |
| 84 | ClientTimeout 300 | |
| 85 | WorkerThreads 1 | |
| 86 | ||
| 87 | Authority { | |
| ab8f306d | 88 | Auth "${config.myEnv.databases.redis.predixy.read}" { |
| dded6699 IB |
89 | Mode read |
| 90 | } | |
| 91 | } | |
| 92 | ||
| 93 | StandaloneServerPool { | |
| 94 | Databases 16 | |
| 95 | RefreshMethod fixed | |
| 96 | Group shard001 { | |
| ab8f306d | 97 | + ${config.myEnv.databases.redis.socket} |
| dded6699 IB |
98 | } |
| 99 | } | |
| 100 | ''; | |
| 101 | } | |
| 102 | { | |
| 103 | dest = "redis/spiped_keyfile"; | |
| 104 | user = "spiped"; | |
| 105 | group = "spiped"; | |
| 106 | permissions = "0400"; | |
| ab8f306d | 107 | text = config.myEnv.databases.redis.spiped_key; |
| dded6699 IB |
108 | } |
| 109 | ]; | |
| 110 | ||
| 111 | systemd.services.predixy = { | |
| 112 | description = "Redis proxy"; | |
| 113 | wantedBy = [ "multi-user.target" ]; | |
| 114 | after = [ "redis.service" ]; | |
| 115 | ||
| 116 | serviceConfig = { | |
| 117 | User = "redis"; | |
| 118 | Group = "redis"; | |
| 119 | SupplementaryGroups = "keys"; | |
| 120 | Type = "simple"; | |
| 121 | ||
| 122 | ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf"; | |
| 123 | }; | |
| 124 | ||
| 125 | }; | |
| 182ae57f IB |
126 | }; |
| 127 | } | |
| 128 |