Diffstat (limited to 'modules/private/databases/mariadb.nix')
-rw-r--r-- | modules/private/databases/mariadb.nix | 53 |
1 files changed, 43 insertions, 10 deletions
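--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -34,6 +34,17 @@ in {
 };
 };
 };
+replicationLdapConfig = lib.mkOption {
+description = "LDAP configuration to allow replication";
+type = lib.types.submodule {
+options = {
+host = lib.mkOption { type = lib.types.str; };
+base = lib.mkOption { type = lib.types.str; };
+dn = lib.mkOption { type = lib.types.str; };
+password = lib.mkOption { type = lib.types.str; };
+};
+};
+};
 dataDir = lib.mkOption {
 type = lib.types.path;
 default = "/var/lib/mysql";
@@ -72,6 +83,13 @@ in {
 # User identified by LDAP:
 # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
 # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
+
+# To create a user (host) for replication:
+# CREATE USER 'host'@'%' IDENTIFIED VIA pam USING 'mysql_replication' REQUIRE SSL;
+# GRANT REPLICATION SLAVE, REPLICATION CLIENT, RELOAD, LOCK TABLES, SELECT, SHOW VIEW ON *.* TO 'host'@'%';
+# (the lock/select grant permits to let the replication host handle
+# the initial fetch of the database)
+# % should be valid for both localhost (for cron dumps) and the origin host.
 services.mysql = {
 enable = true;
 package = cfg.package;
@@ -80,6 +98,10 @@ in {
 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
 ssl_key = ${config.security.acme.directory}/mysql/key.pem
 ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
+
+# for replication
+log-bin=mariadb-bin
+server-id=1
 '';
 };
 
@@ -120,17 +142,22 @@ in {
 ssl start_tls
 '';
 }
+{
+dest = "mysql/pam_replication";
+permissions = "0400";
+user = "mysql";
+group = "mysql";
+text = with cfg.replicationLdapConfig; ''
+host ${host}
+base ${base}
+binddn ${dn}
+bindpw ${password}
+pam_login_attribute cn
+ssl start_tls
+'';
+}
 ];
 
-services.cron = {
-enable = true;
-systemCronJobs = [
-''
-30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
-''
-];
-};
-
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
 in [
@@ -142,8 +169,14 @@ in {
 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
 '';
 }
+{
+name = "mysql_replication";
+text = ''
+auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+'';
+}
 ];
 
 };
 }
-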
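Review bot: `server-id=1` and `log-bin=mariadb-bin` in the third hunk (new lines 102-104) are hard-coded into the module, so every host that imports it gets the same server id, and no binlog retention is configured, so the binary log — which records every data change — accumulates in dataDir until removed by hand. Consider exposing the id as an option, e.g. `replicationServerId = lib.mkOption { type = lib.types.int; default = 1; };`, and pairing `log-bin` with a retention setting such as `expire_logs_days=7`. The new comment at line 92 still refers to "cron dumps" while the fourth hunk removes the mysqldump cron job; if the dump now runs on the replication host, the comment should say so, otherwise the reference should go. `replicationLdapConfig.password` is a plain `lib.types.str`, so depending on how `config.secrets` materialises `text` the bind password may end up in the Nix store regardless of the `0400` mode on the deployed file — the same caveat presumably applies to the existing `mysql/pam` entry, whose definition starts outside this hunk.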