1 files changed, 83 insertions, 1 deletions
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
index c23ffec..693f402 100644
--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, pkgs, myconfig, ... }:
 let
    cfg = config.myServices.databases.redis;
 in {
@@ -52,6 +52,88 @@ in {
        '';
    };
    systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+    services.spiped = {
+      enable = true;
+      config.redis = {
+        decrypt = true;
+        source = "0.0.0.0:16379";
+        target = "/run/redis/redis.sock";
+        keyfile = "${config.secrets.location}/redis/spiped_keyfile";
+      };
+    };
+    systemd.services.spiped_redis = {
+      description = "Secure pipe 'redis'";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Restart   = "always";
+        User      = "spiped";
+        PermissionsStartOnly = true;
+        SupplementaryGroups = "keys";
+      };
+      script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
+    };
+    services.filesWatcher.predixy = {
+      restart = true;
+      paths = [ "${config.secrets.location}/redis/predixy.conf" ];
+    };
+    networking.firewall.allowedTCPPorts = [ 7617 16379 ];
+    secrets.keys = [
+      {
+        dest = "redis/predixy.conf";
+        user = "redis";
+        group = "redis";
+        permissions = "0400";
+        text = ''
+          Name Predixy
+          Bind 127.0.0.1:7617
+          ClientTimeout 300
+          WorkerThreads 1
+          Authority {
+              Auth "${myconfig.env.databases.redis.predixy.read}" {
+                  Mode read
+              }
+          }
+          StandaloneServerPool {
+            Databases 16
+            RefreshMethod fixed
+            Group shard001 {
+              + ${myconfig.env.databases.redis.socket}
+            }
+          }
+          '';
+      }
+      {
+        dest = "redis/spiped_keyfile";
+        user = "spiped";
+        group = "spiped";
+        permissions = "0400";
+        text = myconfig.env.databases.redis.spiped_key;
+      }
+    ];
+    systemd.services.predixy = {
+      description = "Redis proxy";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "redis.service" ];
+      serviceConfig = {
+        User = "redis";
+        Group = "redis";
+        SupplementaryGroups = "keys";
+        Type = "simple";
+        ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
+      };
+    };
  };
 }

diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index c23ffec..693f402 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix
@@ -1,4 +1,4 @@
1	{ lib, config, ... }:	1	{ lib, config, pkgs, myconfig, ... }:
2	let	2	let
3	cfg = config.myServices.databases.redis;	3	cfg = config.myServices.databases.redis;
4	in {	4	in {
@@ -52,6 +52,88 @@ in {
52	'';	52	'';
53	};	53	};
54	systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;	54	systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
		55
		56	services.spiped = {
		57	enable = true;
		58	config.redis = {
		59	decrypt = true;
		60	source = "0.0.0.0:16379";
		61	target = "/run/redis/redis.sock";
		62	keyfile = "${config.secrets.location}/redis/spiped_keyfile";
		63	};
		64	};
		65	systemd.services.spiped_redis = {
		66	description = "Secure pipe 'redis'";
		67	after = [ "network.target" ];
		68	wantedBy = [ "multi-user.target" ];
		69
		70	serviceConfig = {
		71	Restart = "always";
		72	User = "spiped";
		73	PermissionsStartOnly = true;
		74	SupplementaryGroups = "keys";
		75	};
		76
		77	script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
		78	};
		79
		80	services.filesWatcher.predixy = {
		81	restart = true;
		82	paths = [ "${config.secrets.location}/redis/predixy.conf" ];
		83	};
		84
		85	networking.firewall.allowedTCPPorts = [ 7617 16379 ];
		86	secrets.keys = [
		87	{
		88	dest = "redis/predixy.conf";
		89	user = "redis";
		90	group = "redis";
		91	permissions = "0400";
		92	text = ''
		93	Name Predixy
		94	Bind 127.0.0.1:7617
		95	ClientTimeout 300
		96	WorkerThreads 1
		97
		98	Authority {
		99	Auth "${myconfig.env.databases.redis.predixy.read}" {
		100	Mode read
		101	}
		102	}
		103
		104	StandaloneServerPool {
		105	Databases 16
		106	RefreshMethod fixed
		107	Group shard001 {
		108	+ ${myconfig.env.databases.redis.socket}
		109	}
		110	}
		111	'';
		112	}
		113	{
		114	dest = "redis/spiped_keyfile";
		115	user = "spiped";
		116	group = "spiped";
		117	permissions = "0400";
		118	text = myconfig.env.databases.redis.spiped_key;
		119	}
		120	];
		121
		122	systemd.services.predixy = {
		123	description = "Redis proxy";
		124	wantedBy = [ "multi-user.target" ];
		125	after = [ "redis.service" ];
		126
		127	serviceConfig = {
		128	User = "redis";
		129	Group = "redis";
		130	SupplementaryGroups = "keys";
		131	Type = "simple";
		132
		133	ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.location}/redis/predixy.conf";
		134	};
		135
		136	};
55	};	137	};
56	}	138	}
57		139