1 files changed, 43 insertions, 10 deletions

diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 4293f02..632306c 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -34,6 +34,17 @@ in {
           };
         };
       };
+      replicationLdapConfig = lib.mkOption {
+        description = "LDAP configuration to allow replication";
+        type = lib.types.submodule {
+          options = {
+            host = lib.mkOption { type = lib.types.str; };
+            base = lib.mkOption { type = lib.types.str; };
+            dn = lib.mkOption { type = lib.types.str; };
+            password = lib.mkOption { type = lib.types.str; };
+          };
+        };
+      };
       dataDir = lib.mkOption {
         type = lib.types.path;
         default = "/var/lib/mysql";
@@ -72,6 +83,13 @@ in {
     # User identified by LDAP:
     # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
     # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
+
+    # To create a user (host) for replication:
+    # CREATE USER 'host'@'%' IDENTIFIED VIA pam USING 'mysql_replication' REQUIRE SSL;
+    # GRANT REPLICATION SLAVE, REPLICATION CLIENT, RELOAD, LOCK TABLES, SELECT, SHOW VIEW ON *.* TO 'host'@'%';
+    # (the lock/select grant permits to let the replication host handle
+    # the initial fetch of the database)
+    # % should be valid for both localhost (for cron dumps) and the origin host.
     services.mysql = {
       enable = true;
       package = cfg.package;
@@ -80,6 +98,10 @@ in {
         ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
         ssl_key = ${config.security.acme.directory}/mysql/key.pem
         ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
+
+        # for replication
+        log-bin=mariadb-bin
+        server-id=1
         '';
     };
 
@@ -120,17 +142,22 @@ in {
           ssl start_tls
         '';
       }
+      {
+        dest = "mysql/pam_replication";
+        permissions = "0400";
+        user = "mysql";
+        group = "mysql";
+        text =  with cfg.replicationLdapConfig; ''
+          host ${host}
+          base ${base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_login_attribute cn
+          ssl start_tls
+        '';
+      }
     ];
 
-    services.cron = {
-      enable = true;
-      systemCronJobs = [
-        ''
-          30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
-        ''
-      ];
-    };
-
     security.pam.services = let
       pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
     in [
@@ -142,8 +169,14 @@ in {
           account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
           '';
       }
+      {
+        name = "mysql_replication";
+        text = ''
+          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+          '';
+      }
     ];
 
   };
 }
-