Use attrs for secrets instead of lists
index 3359064b9d3f6141be744f183c02225177c3dbe0..101eb3fb7c850157b9b31786199d4a4084543cb5 100644 (file)
@@ -94,35 +94,35 @@ in {
       enable = true;
       package = cfg.package;
       dataDir = cfg.dataDir;
-      extraOptions = ''
-        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-        ssl_key = ${config.security.acme.directory}/mysql/key.pem
-        ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
+      settings = {
+        mysqld = {
+          ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+          ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
+          ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
 
-        # for replication
-        log-bin=mariadb-bin
-        server-id=1
+          # for replication
+          log-bin = "mariadb-bin";
+          server-id = "1";
 
-        # this introduces a small delay before storing on disk, but
-        # makes it order of magnitudes quicker
-        innodb_flush_log_at_trx_commit = 0
-        '';
+          # this introduces a small delay before storing on disk, but
+          # makes it order of magnitudes quicker
+          innodb_flush_log_at_trx_commit = "0";
+        };
+      };
     };
 
     users.users.mysql.extraGroups = [ "keys" ];
     security.acme.certs."mysql" = config.myServices.databasesCerts // {
       user = "mysql";
       group = "mysql";
-      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
       domain = "db-1.immae.eu";
       postRun = ''
         systemctl restart mysql.service
       '';
     };
 
-    secrets.keys = [
-      {
-        dest = "mysql/mysqldump";
+    secrets.keys = {
+      "mysql/mysqldump" = {
         permissions = "0400";
         user = "root";
         group = "root";
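Review bot: The `# for replication` comment above `server-id = "1"` should say that the id has to be unique across the replication set, because the hunk hard-codes it while the neighbouring values (`package`, `dataDir`) are driven by `cfg.*`; a one-line comment such as `# server-id must differ from every replica's id; log-bin is required for this host to act as a source` or lifting it into a cfg option would make that explicit. The new `ssl_key`/`ssl_cert` values are derived from `security.acme.certs.mysql.directory`, which the same hunk declares a few lines lower with `user = "mysql"` and `group = "mysql"`, so the key stays readable by the server; a comment at the `settings` block pointing at that declaration would help, since the two are easy to edit independently. The `plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];` line is dropped without replacement; presumably the acme module no longer accepts it, but confirm nothing else still expects `account_key.json` under that directory. The enclosing attrset starts before this hunk.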
@@ -131,9 +131,8 @@ in {
           user = root
           password = ${cfg.credentials.root}
         '';
-      }
-      {
-        dest = "mysql/pam";
+      };
+      "mysql/pam" = {
         permissions = "0400";
         user = "mysql";
         group = "mysql";
@@ -145,9 +144,8 @@ in {
           pam_filter ${filter}
           ssl start_tls
         '';
-      }
-      {
-        dest = "mysql/pam_replication";
+      };
+      "mysql/pam_replication" = {
         permissions = "0400";
         user = "mysql";
         group = "mysql";
@@ -159,28 +157,26 @@ in {
           pam_login_attribute cn
           ssl start_tls
         '';
-      }
-    ];
+      };
+    };
 
     security.pam.services = let
       pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-    in [
-      {
-        name = "mysql";
+    in {
+      mysql = {
         text = ''
           # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam
-          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+          auth    required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
+          account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
           '';
-      }
-      {
-        name = "mysql_replication";
+      };
+      mysql_replication = {
         text = ''
-          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
-          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+          auth    required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
+          account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
           '';
-      }
-    ];
+      };
+    };
 
   };
 }
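Review bot: The two PAM service definitions in this hunk differ only in the secret name, and each repeats the `config=${config.secrets.fullPaths."…"}` expression for both the `auth` and `account` lines; since the commit already rewrites all four lines, a small helper in the existing `let` would keep them from drifting apart. The secrets these point at are declared in the earlier hunks as `permissions = "0400"; user = "mysql"; group = "mysql";`, which is consistent with the mysql server loading pam_ldap in-process, so the switch to `fullPaths` looks correct; a comment at the `let` noting that the referenced file must stay readable by the mysql user would document that coupling. The rewritten block is below.
```nix
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
      # The secret must be readable by the mysql user (see secrets.keys above).
      ldapService = secret: {
        text = ''
          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
          auth    required ${pam_ldap} config=${config.secrets.fullPaths.${secret}}
          account required ${pam_ldap} config=${config.secrets.fullPaths.${secret}}
        '';
      };
    in {
      mysql = ldapService "mysql/pam";
      mysql_replication = ldapService "mysql/pam_replication";
    };
```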