-{ lib, pkgs, config, mylibs, ... }:
+{ lib, pkgs, config, myconfig, mylibs, ... }:
let
cfg = config.services.myDatabases;
in {
networking.firewall.allowedTCPPorts = [ 3306 5432 ];
- # FIXME: initial sync
- # FIXME: backup
- # FIXME: restart after pam
- # FIXME: pam access doesn’t work (because of php module)
- # FIXME: ssl
services.mysql = rec {
enable = cfg.mariadb.enable;
package = pkgs.mariadb;
};
- # Cannot use eldiron: psql complains too much rights on the key, and
- # setfacl cannot work properly because of acme prestart script
security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
user = "postgres";
group = "postgres";
};
system.activationScripts.postgresql = ''
- install -m 0755 -o postgres -g postgres -d /run/postgresql
+ install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
'';
- # FIXME: initial sync
services.postgresql = rec {
enable = cfg.postgresql.enable;
package = pkgs.postgresql;
};
security.pam.services = let
- pam_ldap = pkgs.pam_ldap;
- pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
- pkgs.writeText "mysql.conf" ''
- host ldap.immae.eu
- base dc=immae,dc=eu
+ pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+ pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
- bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
+ bindpw ${myconfig.env.databases.mysql.pam_password}
+ ssl start_tls
pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
'';
- pam_ldap_postgresql_replication = assert mylibs.checkEnv "NIXOPS_ELDIRON_LDAP_PASSWORD";
- pkgs.writeText "postgresql.conf" ''
- host ldap.immae.eu
- base dc=immae,dc=eu
- binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
- bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}
+ pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${myconfig.env.ldap.host_dn}
+ bindpw ${myconfig.env.ldap.password}
+ ssl start_tls
pam_login_attribute cn
'';
in [
name = "mysql";
text = ''
# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
- auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
- account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+ auth required ${pam_ldap} config=${pam_ldap_mysql}
+ account required ${pam_ldap} config=${pam_ldap_mysql}
'';
}
{
name = "postgresql";
text = ''
- auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
'';
}
{
name = "postgresql_replication";
text = ''
- auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
'';
}
];
- # FIXME: backup
- # Diaspora: 15
- # Nextcloud: 14
- # Mastodon: 13
- # Mediagoblin: 12
services.redis = rec {
enable = config.services.myDatabases.redis.enable;
bind = "127.0.0.1";
- unixSocket = "/run/redis/redis.sock";
+ unixSocket = myconfig.env.databases.redis.socket;
extraConfig = ''
unixsocketperm 777
maxclients 1024
'';
};
system.activationScripts.redis = ''
- mkdir -p /run/redis
- chown redis /run/redis
+ mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
+ chown redis $(dirname ${myconfig.env.databases.redis.socket})
'';
};
}
projects / perso / Immae / Config / Nix.git / blobdiff