Diffstat (limited to 'modules/private/databases/redis.nix')
-rw-r--r-- | modules/private/databases/redis.nix | 84 |
1 files changed, 83 insertions, 1 deletions
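--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, myconfig, ... }:
 let
 cfg = config.myServices.databases.redis;
 in {
@@ -52,6 +52,88 @@ in {
 '';
 };
 systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+
+services.spiped = {
+enable = true;
+config.redis = {
+decrypt = true;
+source = "0.0.0.0:16379";
+target = "/run/redis/redis.sock";
+keyfile = "${config.secrets.location}/redis/spiped_keyfile";
+};
+};
+systemd.services.spiped_redis = {
+description = "Secure pipe 'redis'";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+Restart = "always";
+User = "spiped";
+PermissionsStartOnly = true;
+SupplementaryGroups = "keys";
+};
+
+script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
+};
+
+services.filesWatcher.predixy = {
+restart = true;
+paths = [ "${config.secrets.location}/redis/predixy.conf" ];
+};
+
+networking.firewall.allowedTCPPorts = [ 7617 16379 ];
+secrets.keys = [
+{
+dest = "redis/predixy.conf";
+user = "redis";
+group = "redis";
+permissions = "0400";
+text = ''
+Name Predixy
+Bind 127.0.0.1:7617
+ClientTimeout 300
+WorkerThreads 1
+
+Authority {
+Auth "${myconfig.env.databases.redis.predixy.read}" {
+Mode read
+}
+}
+
+StandaloneServerPool {
+Databases 16
+RefreshMethod fixed
+Group shard001 {
++ ${myconfig.env.databases.redis.socket}
+}
+}
+'';
+}
+{
+dest = "redis/spiped_keyfile";
+user = "spiped";
+group = "spiped";
+permissions = "0400";
+text = myconfig.env.databases.redis.spiped_key;
+}
+];
+
+systemd.services.predixy = {
+description = "Redis proxy";
+wantedBy = [ "multi-user.target" ];
+after = [ "redis.service" ];
+
+serviceConfig = {
+User = "redis";
+Group = "redis";
+SupplementaryGroups = "keys";
+Type = "simple";
+
+ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
+};
+
+};
 };
 }
 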
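Review bot: `networking.firewall.allowedTCPPorts = [ 7617 16379 ];` opens 7617 on the host firewall, yet the predixy.conf written a few lines below binds the proxy with `Bind 127.0.0.1:7617`, so that entry is either dead or becomes a silent exposure of the plaintext proxy the day the Bind is widened; only the spiped endpoint on 16379 is meant to be reachable from outside, so `networking.firewall.allowedTCPPorts = [ 16379 ];` matches the intent of the hunk. The spiped_redis unit orders itself only after `network.target` while reading `${config.secrets.location}/redis/spiped_keyfile`, which is provisioned via `secrets.keys`; if secret deployment is its own unit (not visible here), an `after`/`requires` on it would avoid a start-time failure that `Restart = "always"` then has to paper over. The predixy unit, by contrast, has no `Restart` setting, so a crash leaves the proxy down; `Restart = "always";` in its `serviceConfig` would make the two units consistent. The `in { ... }` attribute set these hunks belong to continues in the lines omitted between them.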