aboutsummaryrefslogblamecommitdiff
path: root/modules/private/databases/redis.nix
blob: 46025105c64b4318a3a9332508cb5c118d48985f (plain) (tree)
1
2
3
4
5
6
7
                           




                                            
                      











                                                       























                                                   











































                                                                                
                                                                   







                                
                                                      








                                      
                                                       

















                                                                                                


    
{ lib, config, pkgs, ... }:
let
    cfg = config.myServices.databases.redis;
in {
  options.myServices.databases.redis = {
    enable = lib.mkOption {
      default = false;
      example = true;
      description = "Whether to enable redis database";
      type = lib.types.bool;
    };
    socketsDir = lib.mkOption {
      type = lib.types.path;
      default = "/run/redis";
      description = ''
        The directory where Redis puts sockets.
        '';
    };
    # Output variables
    sockets = lib.mkOption {
      type = lib.types.attrsOf lib.types.path;
      default = {
        redis  = "${cfg.socketsDir}/redis.sock";
      };
      readOnly = true;
      description = ''
        Redis sockets
        '';
    };
  };

  config = lib.mkIf cfg.enable {
    users.users.redis.uid = config.ids.uids.redis;
    users.groups.redis.gid = config.ids.gids.redis;
    services.redis = rec {
      enable = true;
      bind = "127.0.0.1";
      unixSocket = cfg.sockets.redis;
      extraConfig = ''
        unixsocketperm 777
        maxclients 1024
        '';
    };

    services.spiped = {
      enable = true;
      config.redis = {
        decrypt = true;
        source = "0.0.0.0:16379";
        target = "/run/redis/redis.sock";
        keyfile = "${config.secrets.location}/redis/spiped_keyfile";
      };
    };
    systemd.services.spiped_redis = {
      description = "Secure pipe 'redis'";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Restart   = "always";
        User      = "spiped";
        PermissionsStartOnly = true;
        SupplementaryGroups = "keys";
      };

      script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
    };

    services.filesWatcher.predixy = {
      restart = true;
      paths = [ "${config.secrets.location}/redis/predixy.conf" ];
    };

    networking.firewall.allowedTCPPorts = [ 7617 16379 ];
    secrets.keys = [
      {
        dest = "redis/predixy.conf";
        user = "redis";
        group = "redis";
        permissions = "0400";
        text = ''
          Name Predixy
          Bind 127.0.0.1:7617
          ClientTimeout 300
          WorkerThreads 1

          Authority {
              Auth "${config.myEnv.databases.redis.predixy.read}" {
                  Mode read
              }
          }

          StandaloneServerPool {
            Databases 16
            RefreshMethod fixed
            Group shard001 {
              + ${config.myEnv.databases.redis.socket}
            }
          }
          '';
      }
      {
        dest = "redis/spiped_keyfile";
        user = "spiped";
        group = "spiped";
        permissions = "0400";
        text = config.myEnv.databases.redis.spiped_key;
      }
    ];

    systemd.services.predixy = {
      description = "Redis proxy";
      wantedBy = [ "multi-user.target" ];
      after = [ "redis.service" ];

      serviceConfig = {
        User = "redis";
        Group = "redis";
        SupplementaryGroups = "keys";
        Type = "simple";

        ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
      };

    };
  };
}