};
config = lib.mkIf cfg.enable {
- networking.firewall.allowedTCPPorts = [ 3306 ];
+ networking.firewall.allowedTCPPorts = [ config.myEnv.databases.mysql.port ];
# for adminer, ssl is implemented with mysqli only, which is
# currently disabled because it’s not compatible with pam.
dataDir = cfg.dataDir;
settings = {
mysqld = {
+ port = config.myEnv.databases.mysql.port;
ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
# this introduces a small delay before storing on disk, but
# makes it order of magnitudes quicker
innodb_flush_log_at_trx_commit = "0";
+
+ # This is necessary since the default ("dialog") is not
+ # supported by php's mysqlnd plugin (in mysqli). But with that
+ # change only regular login+password schemes can work (no
+ # "fancy" authentication methods like fprintd or keys)
+ pam_use_cleartext_plugin = true;
};
};
};
users.users.mysql.extraGroups = [ "keys" ];
- security.acme.certs."mysql" = config.myServices.databasesCerts // {
- user = "mysql";
+ security.acme.certs."mysql" = {
group = "mysql";
domain = "db-1.immae.eu";
postRun = ''
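Review bot: The comment added above `pam_use_cleartext_plugin = true;` gives the mysqlnd compatibility reason but not the cost: with the cleartext plugin the PAM password reaches the server unhashed, so it is protected only by the transport. Nothing visible in this hunk makes TLS mandatory (`ssl_ca`/`ssl_key`/`ssl_cert` only make it available), and the same commit keeps the MySQL port open in the firewall, so a remote client connecting without TLS would expose its password on the wire. I would extend the comment with something like `# NOTE: passwords then travel in cleartext; every PAM account reachable over TCP must be created with REQUIRE SSL`, and confirm that the account-creation code outside this hunk does so. The `mysqld` attribute set and the `security.acme.certs."mysql"` block both start or end outside the hunk, so this is inferred from the visible lines only.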