Squash changes containing private information
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
deleted file mode 100644 (file)
index 685fa46..0000000
+++ /dev/null
@@ -1,133 +0,0 @@
-{ lib, config, pkgs, ... }:
-let
-    cfg = config.myServices.databases.redis;
-in {
-  options.myServices.databases.redis = {
-    enable = lib.mkOption {
-      default = false;
-      example = true;
-      description = "Whether to enable redis database";
-      type = lib.types.bool;
-    };
-    socketsDir = lib.mkOption {
-      type = lib.types.path;
-      default = "/run/redis";
-      description = ''
-        The directory where Redis puts sockets.
-        '';
-    };
-    # Output variables
-    sockets = lib.mkOption {
-      type = lib.types.attrsOf lib.types.path;
-      default = {
-        redis  = "${cfg.socketsDir}/redis.sock";
-      };
-      readOnly = true;
-      description = ''
-        Redis sockets
-        '';
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    users.users.redis.uid = config.ids.uids.redis;
-    users.groups.redis.gid = config.ids.gids.redis;
-    services.redis = rec {
-      enable = true;
-      bind = "127.0.0.1";
-      unixSocket = cfg.sockets.redis;
-      extraConfig = ''
-        unixsocketperm 777
-        maxclients 1024
-        '';
-    };
-    systemd.services.redis.serviceConfig.Slice = "redis.slice";
-
-    services.spiped = {
-      enable = true;
-      config.redis = {
-        decrypt = true;
-        source = "0.0.0.0:16379";
-        target = "/run/redis/redis.sock";
-        keyfile = config.secrets.fullPaths."redis/spiped_keyfile";
-      };
-    };
-    systemd.services.spiped_redis = {
-      description = "Secure pipe 'redis'";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = {
-        Slice = "redis.slice";
-        Restart = "always";
-        User = "spiped";
-        PermissionsStartOnly = true;
-        SupplementaryGroups = "keys";
-      };
-
-      script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
-    };
-
-    services.filesWatcher.predixy = {
-      restart = true;
-      paths = [ config.secrets.fullPaths."redis/predixy.conf" ];
-    };
-
-    networking.firewall.allowedTCPPorts = [ 7617 16379 ];
-    secrets.keys = {
-      "redis/predixy.conf" = {
-        user = "redis";
-        group = "redis";
-        permissions = "0400";
-        text = ''
-          Name Predixy
-          Bind 127.0.0.1:7617
-          ClientTimeout 300
-          WorkerThreads 1
-
-          Authority {
-              Auth "${config.myEnv.databases.redis.predixy.read}" {
-                  Mode read
-              }
-          }
-
-          StandaloneServerPool {
-            Databases 16
-            RefreshMethod fixed
-            Group shard001 {
-              + ${config.myEnv.databases.redis.socket}
-            }
-          }
-          '';
-      };
-      "redis/spiped_keyfile" = {
-        user = "spiped";
-        group = "spiped";
-        permissions = "0400";
-        text = config.myEnv.databases.redis.spiped_key;
-      };
-    };
-
-    systemd.slices.redis = {
-      description = "Redis slice";
-    };
-
-    systemd.services.predixy = {
-      description = "Redis proxy";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "redis.service" ];
-
-      serviceConfig = {
-        Slice = "redis.slice";
-        User = "redis";
-        Group = "redis";
-        SupplementaryGroups = "keys";
-        Type = "simple";
-
-        ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}";
-      };
-
-    };
-  };
-}
-