blob: a7239c0e1c1150c12742847a3101e8bf0bdee63b (
plain) (
tree)
|
|
{ lib, pkgs, config, ... }:
let
cfg = config.myServices.databases.mariadb;
in {
options.myServices.databases = {
mariadb = {
enable = lib.mkOption {
default = cfg.enable;
example = true;
description = "Whether to enable mariadb database";
type = lib.types.bool;
};
package = lib.mkOption {
type = lib.types.package;
default = pkgs.mariadb;
description = ''
Mariadb package to use.
'';
};
credentials = lib.mkOption {
default = {};
description = "Credentials";
type = lib.types.attrsOf lib.types.str;
};
ldapConfig = lib.mkOption {
description = "LDAP configuration to allow PAM identification via LDAP";
type = lib.types.submodule {
options = {
host = lib.mkOption { type = lib.types.str; };
base = lib.mkOption { type = lib.types.str; };
dn = lib.mkOption { type = lib.types.str; };
password = lib.mkOption { type = lib.types.str; };
filter = lib.mkOption { type = lib.types.str; };
};
};
};
dataDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/mysql";
description = ''
The directory where Mariadb stores its data.
'';
};
# Output variables
socketsDir = lib.mkOption {
type = lib.types.path;
default = "/run/mysqld";
description = ''
The directory where Mariadb puts sockets.
'';
};
sockets = lib.mkOption {
type = lib.types.attrsOf lib.types.path;
default = {
mysqld = "${cfg.socketsDir}/mysqld.sock";
};
readOnly = true;
description = ''
Mariadb sockets
'';
};
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 3306 ];
# for adminer, ssl is implemented with mysqli only, which is
# currently disabled because it’s not compatible with pam.
# Thus we need to generate two users for each 'remote': one remote
# with SSL, and one localhost without SSL.
# User identified by LDAP:
# CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
# CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
services.mysql = {
enable = true;
package = cfg.package;
dataDir = cfg.dataDir;
extraOptions = ''
ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
ssl_key = ${config.security.acme.directory}/mysql/key.pem
ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
'';
};
users.users.mysql.extraGroups = [ "keys" ];
security.acme.certs."mysql" = config.myServices.databasesCerts // {
user = "mysql";
group = "mysql";
plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
domain = "db-1.immae.eu";
postRun = ''
systemctl restart mysql.service
'';
};
secrets.keys = [
{
dest = "mysql/mysqldump";
permissions = "0400";
user = "root";
group = "root";
text = ''
[mysqldump]
user = root
password = ${cfg.credentials.root}
'';
}
{
dest = "mysql/pam";
permissions = "0400";
user = "mysql";
group = "mysql";
text = with cfg.ldapConfig; ''
host ${host}
base ${base}
binddn ${dn}
bindpw ${password}
pam_filter ${filter}
ssl start_tls
'';
}
];
services.cron = {
enable = true;
systemCronJobs = [
''
30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
''
];
};
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
in [
{
name = "mysql";
text = ''
# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
'';
}
];
};
}
|
