Add replication for redis
[perso/Immae/Config/Nix.git] / modules / private / databases / redis.nix
index c23ffeca6dd9596b4975e8d0aa97998dce7b6370..693f40261627d7b1cdba473446de86257c823525 100644 (file)
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, myconfig, ... }:
 let
     cfg = config.myServices.databases.redis;
 in {
@@ -52,6 +52,88 @@ in {
         '';
     };
     systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+
+    services.spiped = {
+      enable = true;
+      config.redis = {
+        decrypt = true;
+        source = "0.0.0.0:16379";
+        target = "/run/redis/redis.sock";
+        keyfile = "${config.secrets.location}/redis/spiped_keyfile";
+      };
+    };
+    systemd.services.spiped_redis = {
+      description = "Secure pipe 'redis'";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Restart   = "always";
+        User      = "spiped";
+        PermissionsStartOnly = true;
+        SupplementaryGroups = "keys";
+      };
+
+      script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
+    };
+
+    services.filesWatcher.predixy = {
+      restart = true;
+      paths = [ "${config.secrets.location}/redis/predixy.conf" ];
+    };
+
+    networking.firewall.allowedTCPPorts = [ 7617 16379 ];
+    secrets.keys = [
+      {
+        dest = "redis/predixy.conf";
+        user = "redis";
+        group = "redis";
+        permissions = "0400";
+        text = ''
+          Name Predixy
+          Bind 127.0.0.1:7617
+          ClientTimeout 300
+          WorkerThreads 1
+
+          Authority {
+              Auth "${myconfig.env.databases.redis.predixy.read}" {
+                  Mode read
+              }
+          }
+
+          StandaloneServerPool {
+            Databases 16
+            RefreshMethod fixed
+            Group shard001 {
+              + ${myconfig.env.databases.redis.socket}
+            }
+          }
+          '';
+      }
+      {
+        dest = "redis/spiped_keyfile";
+        user = "spiped";
+        group = "spiped";
+        permissions = "0400";
+        text = myconfig.env.databases.redis.spiped_key;
+      }
+    ];
+
+    systemd.services.predixy = {
+      description = "Redis proxy";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "redis.service" ];
+
+      serviceConfig = {
+        User = "redis";
+        Group = "redis";
+        SupplementaryGroups = "keys";
+        Type = "simple";
+
+        ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
+      };
+
+    };
   };
 }
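Review bot: `networking.firewall.allowedTCPPorts` opens 7617, but the Predixy config in this same hunk binds `127.0.0.1:7617`. The firewall entry therefore exposes nothing today, and it would expose the password-only, unencrypted read proxy if the `Bind` line were ever widened. Opening only the spiped port, `networking.firewall.allowedTCPPorts = [ 16379 ];`, matches what is reachable by design. Separately, the spiped listener on `0.0.0.0:16379` forwards straight to `/run/redis/redis.sock`, so the pre-shared key in `redis/spiped_keyfile` is the only control on that path (whether Redis itself requires auth on the socket is not visible here). A comment above `services.spiped` such as `# spiped key = full access to the redis socket; rotate on replica compromise` would record that, and `PermissionsStartOnly = true` looks like a no-op since the unit defines no pre/post start commands.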