-{ lib, pkgs, config, mylibs, ... }:
+{ lib, pkgs, config, myconfig, mylibs, ... }:
let
cfg = config.services.myDatabases;
in {
};
system.activationScripts.postgresql = ''
- install -m 0755 -o postgres -g postgres -d /run/postgresql
+ install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
'';
services.postgresql = rec {
};
security.pam.services = let
- pam_ldap = pkgs.pam_ldap;
- pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
- pkgs.writeText "mysql.conf" ''
- host ldap.immae.eu
- base dc=immae,dc=eu
+ pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+ pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
- bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
+ bindpw ${myconfig.env.databases.mysql.pam_password}
+ ssl start_tls
pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
'';
- pam_ldap_postgresql_replication = assert mylibs.checkEnv "NIXOPS_ELDIRON_LDAP_PASSWORD";
- pkgs.writeText "postgresql.conf" ''
- host ldap.immae.eu
- base dc=immae,dc=eu
- binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
- bindpw ${builtins.getEnv "NIXOPS_ELDIRON_LDAP_PASSWORD"}
+ pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${myconfig.env.ldap.host_dn}
+ bindpw ${myconfig.env.ldap.password}
+ ssl start_tls
pam_login_attribute cn
'';
in [
name = "mysql";
text = ''
# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
- auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
- account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+ auth required ${pam_ldap} config=${pam_ldap_mysql}
+ account required ${pam_ldap} config=${pam_ldap_mysql}
'';
}
{
name = "postgresql";
text = ''
- auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
'';
}
{
name = "postgresql_replication";
text = ''
- auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+ auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
'';
}
];
- # Diaspora: 15
- # Nextcloud: 14
- # Mastodon: 13
- # Mediagoblin: 12
- # wallabag: 0 ?
services.redis = rec {
enable = config.services.myDatabases.redis.enable;
bind = "127.0.0.1";
- unixSocket = "/run/redis/redis.sock";
+ unixSocket = myconfig.env.databases.redis.socket;
extraConfig = ''
unixsocketperm 777
maxclients 1024
'';
};
system.activationScripts.redis = ''
- mkdir -p /run/redis
- chown redis /run/redis
+ mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
+ chown redis $(dirname ${myconfig.env.databases.redis.socket})
'';
};
}
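Review bot: The new `ssl start_tls` lines in mysql.conf and postgresql.conf turn on STARTTLS but nothing pins peer verification, so whether the bind password is sent only to a certificate-verified LDAP server depends on the pam_ldap build default; add `tls_checkpeer yes` and `tls_cacertfile <PATH-TO-CA-BUNDLE>` next to `ssl start_tls` in both files. In the redis activation script, `chown redis $(dirname ${myconfig.env.databases.redis.socket})` hands ownership of whatever directory holds the socket to the redis user, which is a problem if that value points into a shared runtime directory rather than one dedicated to redis — the postgresql script's `install -m 0755 -o redis -g redis -d` form on a dedicated directory is the safer shape. The two scripts also disagree on what the `socket` values are: postgresql passes `${myconfig.env.databases.postgresql.socket}` straight to `install -d` while redis wraps its socket in `dirname`, so if both values are socket file paths the postgresql line creates the socket path itself as a directory; confirm the option's shape against `myconfig.env`. Unchanged by this commit but still present: the bind passwords are embedded via `pkgs.writeText`, so they land in the world-readable Nix store.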