Diffstat (limited to 'modules/private/databases/mariadb.nix')
-rw-r--r-- | modules/private/databases/mariadb.nix | 39 |
1 files changed, 19 insertions, 20 deletions
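--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -94,26 +94,27 @@ in {
 enable = true;
 package = cfg.package;
 dataDir = cfg.dataDir;
-extraOptions = ''
-ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem
-ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem
+settings = {
+mysqld = {
+ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
+ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
 
 # for replication
-log-bin=mariadb-bin
-server-id=1
+log-bin = "mariadb-bin";
+server-id = "1";
 
 # this introduces a small delay before storing on disk, but
 # makes it order of magnitudes quicker
-innodb_flush_log_at_trx_commit = 0
-'';
+innodb_flush_log_at_trx_commit = "0";
+};
+};
 };
 
 users.users.mysql.extraGroups = [ "keys" ];
 security.acme.certs."mysql" = config.myServices.databasesCerts // {
 user = "mysql";
 group = "mysql";
-plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
 domain = "db-1.immae.eu";
 postRun = ''
 systemctl restart mysql.service
@@ -164,23 +165,21 @@ in {
 
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-in [
-{
-name = "mysql";
+in {
+mysql = {
 text = ''
 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
 '';
-}
-{
-name = "mysql_replication";
+};
+mysql_replication = {
 text = ''
 auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
 '';
-}
-];
+};
+};
 
 };
 }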
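Review bot: The `ssl_ca` line in the new `settings.mysqld` block points at the complete public CA bundle from `pkgs.cacert`, so if any account or the replication user is granted `REQUIRE X509`/`REQUIRE ISSUER` (the grants are not visible here), the server will accept client certificates issued by any public CA rather than only the ACME issuer used for its own `ssl_cert`; a comment stating the intended use, e.g. `# ssl_ca is the public bundle: it does not pin the client-cert issuer, accounts must rely on REQUIRE SSL or an explicit REQUIRE ISSUER/SUBJECT`, would stop the next maintainer from assuming it pins anything. The comment above `innodb_flush_log_at_trx_commit = "0"` also understates the trade-off: with 0 the redo log is flushed about once per second, so committed transactions from the last second can be lost on a crash or power loss, which is worth spelling out, e.g. `# flush the redo log ~once per second: much faster, but up to ~1s of committed transactions can be lost on a crash`. Both values were already present in the old extraOptions string; the migration to the structured settings attrset carries them over unchanged, and the enclosing services.mysql block starts before the first hunk.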