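# Redis database module: a locally bound redis instance, a spiped tunnel that
# exposes it to remote hosts over an encrypted TCP port, and a predixy proxy
# in front of it. Other modules reach the socket through the read-only
# `sockets` / `systemdRuntimeDirectory` output options declared below.
{ lib, config, pkgs, ... }:
let
  cfg = config.myServices.databases.redis;
in {
  options.myServices.databases.redis = {
    enable = lib.mkOption {
      default = false;
      example = true;
      description = "Whether to enable redis database";
      type = lib.types.bool;
    };
    socketsDir = lib.mkOption {
      type = lib.types.path;
      default = "/run/redis";
      description = ''
        The directory where Redis puts sockets.
      '';
    };
    # Output variables
    systemdRuntimeDirectory = lib.mkOption {
      type = lib.types.str;
      # RuntimeDirectory= is interpreted relative to /run, so the assert
      # rejects a socketsDir that cannot be expressed that way.
      # Use ReadWritePaths= instead if socketsDir is outside of /run
      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
        lib.strings.removePrefix "/run/" cfg.socketsDir;
      description = ''
        Adjusted redis sockets directory for systemd
      '';
      readOnly = true;
    };
    sockets = lib.mkOption {
      type = lib.types.attrsOf lib.types.path;
      default = {
        redis = "${cfg.socketsDir}/redis.sock";
      };
      readOnly = true;
      description = ''
        Redis sockets
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.redis.uid = config.ids.uids.redis;
    users.groups.redis.gid = config.ids.gids.redis;
    services.redis = {
      enable = true;
      # The plain TCP listener is loopback-only; remote clients must go
      # through the spiped tunnel below.
      bind = "127.0.0.1";
      unixSocket = cfg.sockets.redis;
      # NOTE(review): 777 makes the socket writable by every local account,
      # and no requirepass is set in this config, so the predixy Auth block
      # below only protects the proxy port, not direct socket clients. The
      # socket is used by spiped (User = "spiped") and predixy (User =
      # "redis"); a group-based mode would narrow this if no other local
      # client depends on world access — confirm before tightening.
      extraConfig = ''
        unixsocketperm 777
        maxclients 1024
      '';
    };
    # Lets the redis unit create socketsDir under /run with the right owner.
    systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;

    services.spiped = {
      enable = true;
      config.redis = {
        decrypt = true;
        # Listens on every interface; the pre-shared key in keyfile is the
        # only thing gating access to redis from port 16379.
        source = "0.0.0.0:16379";
        # Follow the configured socket path instead of hard-coding
        # /run/redis/redis.sock, so a custom socketsDir keeps the tunnel
        # pointed at the real socket. The default is unchanged.
        target = cfg.sockets.redis;
        keyfile = "${config.secrets.location}/redis/spiped_keyfile";
      };
    };
    systemd.services.spiped_redis = {
      description = "Secure pipe 'redis'";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Restart = "always";
        User = "spiped";
        PermissionsStartOnly = true;
        # "keys" group grants read access to the secrets directory.
        SupplementaryGroups = "keys";
      };

      # /etc/spiped/redis.spec is presumably produced by services.spiped
      # from config.redis above — verify against that module.
      script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
    };

    # Restart predixy whenever its (secret-bearing) config is rewritten.
    services.filesWatcher.predixy = {
      restart = true;
      paths = [ "${config.secrets.location}/redis/predixy.conf" ];
    };

    # 16379 is the spiped listener. predixy binds 127.0.0.1 below, so the
    # 7617 rule has no effect unless that Bind line changes.
    networking.firewall.allowedTCPPorts = [ 7617 16379 ];
    secrets.keys = [
      {
        dest = "redis/predixy.conf";
        user = "redis";
        group = "redis";
        permissions = "0400";
        text = ''
          Name Predixy
          Bind 127.0.0.1:7617
          ClientTimeout 300
          WorkerThreads 1

          Authority {
            Auth "${config.myEnv.databases.redis.predixy.read}" {
              Mode read
            }
          }

          StandaloneServerPool {
            Databases 16
            RefreshMethod fixed
            Group shard001 {
              + ${config.myEnv.databases.redis.socket}
            }
          }
        '';
      }
      {
        dest = "redis/spiped_keyfile";
        user = "spiped";
        group = "spiped";
        permissions = "0400";
        text = config.myEnv.databases.redis.spiped_key;
      }
    ];

    systemd.services.predixy = {
      description = "Redis proxy";
      wantedBy = [ "multi-user.target" ];
      after = [ "redis.service" ];

      serviceConfig = {
        User = "redis";
        Group = "redis";
        SupplementaryGroups = "keys";
        Type = "simple";

        ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
      };

    };
  };
}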