Diffstat (limited to 'nixops/modules/databases/mysql.nix')
-rw-r--r-- | nixops/modules/databases/mysql.nix | 48 |
1 files changed, 31 insertions, 17 deletions
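--- a/nixops/modules/databases/mysql.nix
+++ b/nixops/modules/databases/mysql.nix
@@ -41,6 +41,7 @@ in {
 '';
 };
 
+users.users.mysql.extraGroups = [ "keys" ];
 security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
 user = "mysql";
 group = "mysql";
@@ -51,39 +52,52 @@ in {
 '';
 };
 
-services.cron = {
-enable = true;
-systemCronJobs = let
-mycnf = pkgs.writeText "my.cnf" ''
+deployment.keys = {
+mysqldump = {
+destDir = "/run/keys/mysql";
+permissions = "0400";
+user = "root";
+group = "root";
+text = ''
 [mysqldump]
 user = root
 password = ${myconfig.env.databases.mysql.systemUsers.root}
+'';
+};
+mysql-pam = {
+destDir = "/run/keys/mysql";
+permissions = "0400";
+user = "mysql";
+group = "mysql";
+text = with myconfig.env.databases.mysql.pam; ''
+host ${myconfig.env.ldap.host}
+base ${myconfig.env.ldap.base}
+binddn ${dn}
+bindpw ${password}
+pam_filter ${filter}
+ssl start_tls
 '';
-in [
+};
+};
+
+services.cron = {
+enable = true;
+systemCronJobs = [
 ''
-30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${mycnf} --all-databases > /var/lib/mysql/backup.sql
+30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
 ''
 ];
 };
 
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
-pkgs.writeText "mysql.conf" ''
-host ${myconfig.env.ldap.host}
-base ${myconfig.env.ldap.base}
-binddn ${dn}
-bindpw ${password}
-pam_filter ${filter}
-ssl start_tls
-'';
 in [
 {
 name = "mysql";
 text = ''
 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-auth required ${pam_ldap} config=${pam_ldap_mysql}
-account required ${pam_ldap} config=${pam_ldap_mysql}
+auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam
+account required ${pam_ldap} config=/run/keys/mysql/mysql-pam
 '';
 }
 ];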
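Review bot: The new `deployment.keys` files under /run/keys exist only after a deploy or `nixops send-keys` and are not persisted across a reboot, so the cron line at new line 87 can run `mysqldump --defaults-file=/run/keys/mysql/mysqldump` against a missing file, and because the shell opens `> /var/lib/mysql/backup.sql` before mysqldump fails, the previous backup is truncated to an empty file on any failure. Writing to a temporary file and renaming only on success avoids losing the last good dump: `... --all-databases > /var/lib/mysql/backup.sql.tmp && mv /var/lib/mysql/backup.sql.tmp /var/lib/mysql/backup.sql`. The PAM lines at new lines 99-100 have the same dependency on `/run/keys/mysql/mysql-pam`; if this deployment uses the per-key `<name>-key.service` unit NixOps creates, mysqld should be ordered after it, e.g. `systemd.services.mysql = { after = [ "mysql-pam-key.service" ]; wants = [ "mysql-pam-key.service" ]; };`, so LDAP logins do not fail until the next deploy (pam_ldap with an absent config fails closed, which is the safe direction). The enclosing attribute set starts before the first hunk and continues after the last.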