git.immae.eu Git - perso/Immae/Config/Nix.git/blame - systems/eldiron/databases/redis.nix
Squash changes containing private information
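# NixOS module for the Redis instances of this host.
#
# When `myServices.databases.redis.enable` is set it configures:
#   * a default Redis server bound to 127.0.0.1 plus a Unix socket,
#   * a second Redis server named "php-sessions" running as `wwwrun`,
#   * an spiped endpoint on TCP 16379 that decrypts incoming traffic and
#     forwards it to the default server's Unix socket,
#   * the firewall opening, the spiped key secret and a shared systemd slice.
{ lib, config, pkgs, ... }:
let
  cfg = config.myServices.databases.redis;
in {
  options.myServices.databases.redis = {
    enable = lib.mkOption {
      default = false;
      example = true;
      description = "Whether to enable redis database";
      type = lib.types.bool;
    };
    socketsDir = lib.mkOption {
      type = lib.types.path;
      default = "/run/redis";
      description = ''
        The directory where Redis puts sockets.
      '';
    };
    # Output variables
    # Read-only: other modules read the socket path from here instead of
    # hard-coding it.
    sockets = lib.mkOption {
      type = lib.types.attrsOf lib.types.path;
      default = {
        redis = "${cfg.socketsDir}/redis.sock";
      };
      readOnly = true;
      description = ''
        Redis sockets
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Pin uid/gid to the values registered in config.ids.
    users.users.redis.uid = config.ids.uids.redis;
    users.groups.redis.gid = config.ids.gids.redis;

    # Default instance: loopback TCP plus the Unix socket exported above.
    services.redis.servers."" = {
      enable = true;
      bind = "127.0.0.1";
      unixSocket = cfg.sockets.redis;
      # NOTE(review): 777 makes the socket usable by every local account, and
      # no requirePass/requirePassFile is set in this file, so socket access
      # appears to be the only access control. Consider 770 plus group
      # membership for the clients - confirm which services connect first.
      unixSocketPerm = 777;
      maxclients = 1024;
    };
    systemd.services.redis.serviceConfig.Slice = "redis.slice";
    # Forces the runtime directory to be traversable by all users; together
    # with the socket mode above this is what exposes the socket host-wide.
    systemd.services.redis.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755";

    # Separate instance run as the web server user.
    services.redis.servers."php-sessions" = {
      enable = true;
      maxclients = 1024;
      # NOTE(review): same world-accessible mode as the default instance; if
      # this store holds PHP session data, any local account that can reach
      # the socket could read it - confirm and tighten if possible.
      unixSocketPerm = 777;
      user = "wwwrun";
    };

    # Remote access: spiped listens on all interfaces and relays decrypted
    # traffic to the default instance. The pre-shared key is the only
    # credential on this path (no Redis password is configured here), so key
    # distribution and rotation deserve the same care as a root DB password.
    services.spiped = {
      enable = true;
      config.redis = {
        decrypt = true;
        source = "0.0.0.0:16379";
        # Use the exported socket path so that overriding `socketsDir` cannot
        # leave spiped pointing at a stale location (default is unchanged:
        # /run/redis/redis.sock).
        target = cfg.sockets.redis;
        keyfile = config.secrets.fullPaths."redis/spiped_keyfile";
      };
    };
    systemd.services.spiped_redis = {
      description = "Secure pipe 'redis'";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Slice = "redis.slice";
        Restart = "always";
        User = "spiped";
        PermissionsStartOnly = true;
        # Extra group for the service user; presumably what grants read
        # access to the deployed key file - verify against the secrets module.
        SupplementaryGroups = "keys";
      };

      # Arguments are read from the spec file; presumably generated from
      # services.spiped.config.redis above - TODO confirm.
      script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
    };

    #services.filesWatcher.predixy = {
    #  restart = true;
    #  paths = [ config.secrets.fullPaths."redis/predixy.conf" ];
    #};

    # Port of the spiped listener defined above.
    networking.firewall.allowedTCPPorts = [ 16379 ];
    secrets.keys = {
      #"redis/predixy.conf" = {
      #  user = "redis";
      #  group = "redis";
      #  permissions = "0400";
      #  text = ''
      #    Name Predixy
      #    Bind 127.0.0.1:7617
      #    ClientTimeout 300
      #    WorkerThreads 1

      #    Authority {
      #        Auth "${config.myEnv.databases.redis.predixy.read}" {
      #            Mode read
      #        }
      #    }

      #    StandaloneServerPool {
      #      Databases 16
      #      RefreshMethod fixed
      #      Group shard001 {
      #        + ${config.myEnv.databases.redis.socket}
      #      }
      #    }
      #    '';
      #};
      # Key material for spiped, readable only by the spiped user.
      # NOTE(review): confirm the secrets module keeps `text` out of the
      # world-readable Nix store.
      "redis/spiped_keyfile" = {
        user = "spiped";
        group = "spiped";
        permissions = "0400";
        text = config.myEnv.databases.redis.spiped_key;
      };
    };

    # Slice referenced by the redis and spiped_redis units above.
    systemd.slices.redis = {
      description = "Redis slice";
    };

    #systemd.services.predixy = {
    #  description = "Redis proxy";
    #  wantedBy = [ "multi-user.target" ];
    #  after = [ "redis.service" ];

    #  serviceConfig = {
    #    Slice = "redis.slice";
    #    User = "redis";
    #    Group = "redis";
    #    SupplementaryGroups = "keys";
    #    Type = "simple";

    #    ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}";
    #  };

    #};
  };
}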