path: root/modules/private/databases/mariadb.nix
Diffstat (limited to 'modules/private/databases/mariadb.nix')
-rw-r--r--modules/private/databases/mariadb.nix53
1 files changed, 43 insertions, 10 deletions
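diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 4293f02..632306c 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -34,6 +34,17 @@ in {
 };
 };
 };
+replicationLdapConfig = lib.mkOption {
+description = "LDAP configuration to allow replication";
+type = lib.types.submodule {
+options = {
+host = lib.mkOption { type = lib.types.str; };
+base = lib.mkOption { type = lib.types.str; };
+dn = lib.mkOption { type = lib.types.str; };
+password = lib.mkOption { type = lib.types.str; };
+};
+};
+};
 dataDir = lib.mkOption {
 type = lib.types.path;
 default = "/var/lib/mysql";
@@ -72,6 +83,13 @@ in {
 # User identified by LDAP:
 # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
 # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
+
+# To create a user (host) for replication:
+# CREATE USER 'host'@'%' IDENTIFIED VIA pam USING 'mysql_replication' REQUIRE SSL;
+# GRANT REPLICATION SLAVE, REPLICATION CLIENT, RELOAD, LOCK TABLES, SELECT, SHOW VIEW ON *.* TO 'host'@'%';
+# (the lock/select grant permits to let the replication host handle
+# the initial fetch of the database)
+# % should be valid for both localhost (for cron dumps) and the origin host.
 services.mysql = {
 enable = true;
 package = cfg.package;
@@ -80,6 +98,10 @@ in {
 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
 ssl_key = ${config.security.acme.directory}/mysql/key.pem
 ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
+
+# for replication
+log-bin=mariadb-bin
+server-id=1
 '';
 };
 
@@ -120,17 +142,22 @@ in {
 ssl start_tls
 '';
 }
+{
+dest = "mysql/pam_replication";
+permissions = "0400";
+user = "mysql";
+group = "mysql";
+text = with cfg.replicationLdapConfig; ''
+host ${host}
+base ${base}
+binddn ${dn}
+bindpw ${password}
+pam_login_attribute cn
+ssl start_tls
+'';
+}
 ];
 
-services.cron = {
-enable = true;
-systemCronJobs = [
-''
-30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
-''
-];
-};
-
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
 in [
@@ -142,8 +169,14 @@ in {
 account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
 '';
 }
+{
+name = "mysql_replication";
+text = ''
+auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
+'';
+}
 ];
 
 };
 }
-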
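Review bot: `server-id=1` in the third hunk is a fixed literal, so any other host that evaluates this same module advertises the identical id, and MariaDB stops the replication I/O thread when primary and replica share a server id; it should probably become an option, e.g. `server-id=${toString cfg.replicationServerId}` backed by a `lib.types.ints.positive` option declared next to `replicationLdapConfig`. The same hunk enables `log-bin` with no retention setting, so binary logs accumulate under `dataDir` until the disk fills; `expire_logs_days=<N>` (or `binlog_expire_logs_seconds` on newer MariaDB) belongs beside it. In the fourth hunk the bind password reaches the `mysql/pam_replication` text through a plain `lib.types.str` option, so depending on how the secrets module materialises `text` the secret may transit the world-readable Nix store — the existing `mysql/pam` entry appears to share that property, but the new `password` option at least deserves a `description` stating where the value is expected to be sourced from. That hunk also removes the twice-daily `mysqldump` cron job while the new comment only hints that dumps now run from the replication host; a sentence in that comment naming where the replacement backup lives would make the trade-off explicit.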