{ lib, config, pkgs, ... }:
let
cfg = config.myServices.databases.redis;
in {
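options.myServices.databases.redis = {
  enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    example = true;
    description = "Whether to enable redis database";
  };
  socketsDir = lib.mkOption {
    type = lib.types.path;
    default = "/run/redis";
    description = ''
      The directory where Redis puts sockets.
    '';
  };
  # Output variables: other modules read these to find the Redis socket;
  # the value cannot be overridden.
  sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      # `toString` keeps a path literal assigned to socketsDir as a plain
      # filesystem path; interpolating a path directly into a string would
      # copy it into the Nix store and yield a /nix/store/... socket path.
      # For the default string value it is a no-op.
      redis = "${toString cfg.socketsDir}/redis.sock";
    };
    readOnly = true;
    description = ''
      Redis sockets
    '';
  };
};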
config = lib.mkIf cfg.enable {
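# Fixed uid/gid so socket and secret ownership stays stable across rebuilds.
users.users.redis.uid = config.ids.uids.redis;
users.groups.redis.gid = config.ids.gids.redis;
# spiped (services.spiped below) runs as its own user but must still be able
# to connect to the Redis socket now that the socket is no longer
# world-accessible.
users.users.spiped.extraGroups = [ "redis" ];
services.redis = {
  enable = true;
  # Loopback only; remote clients arrive through the spiped tunnel.
  # NOTE(review): Redis still accepts unauthenticated TCP connections on
  # 127.0.0.1:<port> from any local user. Set `port = 0` once no local
  # consumer depends on TCP (spiped and predixy both use the unix socket),
  # or configure requirePass.
  bind = "127.0.0.1";
  unixSocket = cfg.sockets.redis;
  extraConfig = ''
    # Was 777: every local user could talk to Redis with no authentication.
    # Owner and group (redis) only; any other local consumer of
    # cfg.sockets.redis must run with the redis group (predixy runs as redis,
    # spiped is added to the group above).
    unixsocketperm 660
    maxclients 1024
  '';
};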
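# Encrypted transport for remote Redis clients: the remote side runs spiped in
# encrypt mode against this endpoint; this side decrypts and forwards to the
# Redis unix socket. "0.0.0.0" listens on every IPv4 address (not IPv6).
services.spiped = {
  enable = true;
  config.redis = {
    decrypt = true;
    source = "0.0.0.0:16379";
    # Was the literal "/run/redis/redis.sock"; use the module's own socket
    # option so a changed socketsDir cannot leave spiped pointing at a stale
    # path while redis listens elsewhere.
    target = cfg.sockets.redis;
    keyfile = "${config.secrets.location}/redis/spiped_keyfile";
  };
};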
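# Service running the inbound spiped endpoint declared in services.spiped.
# NOTE(review): the nixpkgs spiped module also ships a `spiped@` template
# unit; confirm `spiped@redis.service` is not started as well, otherwise two
# instances compete for 0.0.0.0:16379.
systemd.services.spiped_redis = {
  description = "Secure pipe 'redis'";
  # Also order after redis.service: the forward target is its unix socket.
  after = [ "network.target" "redis.service" ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    Restart = "always";
    User = "spiped";
    # The `keys` group is what grants access to the secrets directory that
    # holds the keyfile.
    SupplementaryGroups = "keys";
    # Internet-facing process: it only needs to read the spec and keyfile
    # and connect to the Redis socket, so lock down the rest.
    # (PermissionsStartOnly was a no-op here — there is no ExecStartPre —
    # and has been dropped.)
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectHome = true;
    ProtectSystem = "strict";
  };
  # /etc/spiped/redis.spec is generated by services.spiped and contains the
  # whole argument list, so the expansion is deliberately left unquoted.
  script = "exec ${pkgs.spiped}/bin/spiped -F $(cat /etc/spiped/redis.spec)";
};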
# Restart predixy whenever its rendered config (password, backend address)
# changes on disk.
services.filesWatcher.predixy.restart = true;
services.filesWatcher.predixy.paths = [
  "${config.secrets.location}/redis/predixy.conf"
];
networking.firewall.allowedTCPPorts = [ 7617 16379 ];
# Secret material rendered by the local `secrets` module; both files embed
# values from config.myEnv at evaluation time.
# NOTE(review): assumes secrets.keys writes these files outside the Nix
# store — confirm, otherwise the predixy password and the spiped key would be
# world-readable under /nix/store regardless of the 0400 mode.
secrets.keys =
  let
    redisEnv = config.myEnv.databases.redis;
  in [
    # predixy.conf: proxy on loopback whose only configured credential is the
    # `read` password (Mode read).
    # NOTE(review): the backend address comes from myEnv rather than
    # cfg.sockets.redis — presumably the same socket; verify.
    {
      dest = "redis/predixy.conf";
      user = "redis";
      group = "redis";
      permissions = "0400";
      text = ''
        Name Predixy
        Bind 127.0.0.1:7617
        ClientTimeout 300
        WorkerThreads 1
        Authority {
          Auth "${redisEnv.predixy.read}" {
            Mode read
          }
        }
        StandaloneServerPool {
          Databases 16
          RefreshMethod fixed
          Group shard001 {
            + ${redisEnv.socket}
          }
        }
      '';
    }
    # Pre-shared key for the spiped tunnel; readable by the spiped user only.
    {
      dest = "redis/spiped_keyfile";
      user = "spiped";
      group = "spiped";
      permissions = "0400";
      text = redisEnv.spiped_key;
    }
  ];
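# Redis proxy for local clients on 127.0.0.1:7617 (config rendered under
# secrets.keys).
systemd.services.predixy = {
  description = "Redis proxy";
  wantedBy = [ "multi-user.target" ];
  after = [ "redis.service" ];
  serviceConfig = {
    User = "redis";
    Group = "redis";
    # The `keys` group is what grants access to the secrets directory that
    # holds predixy.conf.
    SupplementaryGroups = "keys";
    Type = "simple";
    ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
    # The proxy only reads its config and talks to the Redis socket; it needs
    # no writable filesystem, private /tmp suffices and home dirs are hidden.
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectHome = true;
    ProtectSystem = "strict";
  };
};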
};
}