1 files changed, 138 insertions, 0 deletions
diff --git a/systems/eldiron/databases/redis.nix b/systems/eldiron/databases/redis.nix
new file mode 100644
index 0000000..1f57aa9
--- /dev/null
+++ b/systems/eldiron/databases/redis.nix
@@ -0,0 +1,138 @@
+{ lib, config, pkgs, ... }:
+let
+    cfg = config.myServices.databases.redis;
+in {
+  options.myServices.databases.redis = {
+    enable = lib.mkOption {
+      default = false;
+      example = true;
+      description = "Whether to enable redis database";
+      type = lib.types.bool;
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/redis";
+      description = ''
+        The directory where Redis puts sockets.
+        '';
+    };
+    # Output variables
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        redis  = "${cfg.socketsDir}/redis.sock";
+      };
+      readOnly = true;
+      description = ''
+        Redis sockets
+        '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    users.users.redis.uid = config.ids.uids.redis;
+    users.groups.redis.gid = config.ids.gids.redis;
+    services.redis.servers."" = {
+      enable = true;
+      bind = "127.0.0.1";
+      unixSocket = cfg.sockets.redis;
+      unixSocketPerm = 777;
+      maxclients = 1024;
+    };
+    systemd.services.redis.serviceConfig.Slice = "redis.slice";
+    systemd.services.redis.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755";
+    services.redis.servers."php-sessions" = {
+      enable = true;
+      maxclients = 1024;
+      unixSocketPerm = 777;
+      user = "wwwrun";
+    };
+    services.spiped = {
+      enable = true;
+      config.redis = {
+        decrypt = true;
+        source = "0.0.0.0:16379";
+        target = "/run/redis/redis.sock";
+        keyfile = config.secrets.fullPaths."redis/spiped_keyfile";
+      };
+    };
+    systemd.services.spiped_redis = {
+      description = "Secure pipe 'redis'";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Slice = "redis.slice";
+        Restart = "always";
+        User = "spiped";
+        PermissionsStartOnly = true;
+        SupplementaryGroups = "keys";
+      };
+      script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
+    };
+    #services.filesWatcher.predixy = {
+    #  restart = true;
+    #  paths = [ config.secrets.fullPaths."redis/predixy.conf" ];
+    #};
+    networking.firewall.allowedTCPPorts = [ 16379 ];
+    secrets.keys = {
+      #"redis/predixy.conf" = {
+      #  user = "redis";
+      #  group = "redis";
+      #  permissions = "0400";
+      #  text = ''
+      #    Name Predixy
+      #    Bind 127.0.0.1:7617
+      #    ClientTimeout 300
+      #    WorkerThreads 1
+      #    Authority {
+      #        Auth "${config.myEnv.databases.redis.predixy.read}" {
+      #            Mode read
+      #        }
+      #    }
+      #    StandaloneServerPool {
+      #      Databases 16
+      #      RefreshMethod fixed
+      #      Group shard001 {
+      #        + ${config.myEnv.databases.redis.socket}
+      #      }
+      #    }
+      #    '';
+      #};
+      "redis/spiped_keyfile" = {
+        user = "spiped";
+        group = "spiped";
+        permissions = "0400";
+        text = config.myEnv.databases.redis.spiped_key;
+      };
+    };
+    systemd.slices.redis = {
+      description = "Redis slice";
+    };
+    #systemd.services.predixy = {
+    #  description = "Redis proxy";
+    #  wantedBy = [ "multi-user.target" ];
+    #  after = [ "redis.service" ];
+    #  serviceConfig = {
+    #    Slice = "redis.slice";
+    #    User = "redis";
+    #    Group = "redis";
+    #    SupplementaryGroups = "keys";
+    #    Type = "simple";
+    #    ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}";
+    #  };
+    #};
+  };
+}

diff --git a/systems/eldiron/databases/redis.nix b/systems/eldiron/databases/redis.nix new file mode 100644 index 0000000..1f57aa9 --- /dev/null +++ b/systems/eldiron/databases/redis.nix
@@ -0,0 +1,138 @@
	1	{ lib, config, pkgs, ... }:
	2	let
	3	cfg = config.myServices.databases.redis;
	4	in {
	5	options.myServices.databases.redis = {
	6	enable = lib.mkOption {
	7	default = false;
	8	example = true;
	9	description = "Whether to enable redis database";
	10	type = lib.types.bool;
	11	};
	12	socketsDir = lib.mkOption {
	13	type = lib.types.path;
	14	default = "/run/redis";
	15	description = ''
	16	The directory where Redis puts sockets.
	17	'';
	18	};
	19	# Output variables
	20	sockets = lib.mkOption {
	21	type = lib.types.attrsOf lib.types.path;
	22	default = {
	23	redis = "${cfg.socketsDir}/redis.sock";
	24	};
	25	readOnly = true;
	26	description = ''
	27	Redis sockets
	28	'';
	29	};
	30	};
	31
	32	config = lib.mkIf cfg.enable {
	33	users.users.redis.uid = config.ids.uids.redis;
	34	users.groups.redis.gid = config.ids.gids.redis;
	35	services.redis.servers."" = {
	36	enable = true;
	37	bind = "127.0.0.1";
	38	unixSocket = cfg.sockets.redis;
	39	unixSocketPerm = 777;
	40	maxclients = 1024;
	41	};
	42	systemd.services.redis.serviceConfig.Slice = "redis.slice";
	43	systemd.services.redis.serviceConfig.RuntimeDirectoryMode = lib.mkForce "0755";
	44	services.redis.servers."php-sessions" = {
	45	enable = true;
	46	maxclients = 1024;
	47	unixSocketPerm = 777;
	48	user = "wwwrun";
	49	};
	50
	51	services.spiped = {
	52	enable = true;
	53	config.redis = {
	54	decrypt = true;
	55	source = "0.0.0.0:16379";
	56	target = "/run/redis/redis.sock";
	57	keyfile = config.secrets.fullPaths."redis/spiped_keyfile";
	58	};
	59	};
	60	systemd.services.spiped_redis = {
	61	description = "Secure pipe 'redis'";
	62	after = [ "network.target" ];
	63	wantedBy = [ "multi-user.target" ];
	64
	65	serviceConfig = {
	66	Slice = "redis.slice";
	67	Restart = "always";
	68	User = "spiped";
	69	PermissionsStartOnly = true;
	70	SupplementaryGroups = "keys";
	71	};
	72
	73	script = "exec ${pkgs.spiped}/bin/spiped -F `cat /etc/spiped/redis.spec`";
	74	};
	75
	76	#services.filesWatcher.predixy = {
	77	# restart = true;
	78	# paths = [ config.secrets.fullPaths."redis/predixy.conf" ];
	79	#};
	80
	81	networking.firewall.allowedTCPPorts = [ 16379 ];
	82	secrets.keys = {
	83	#"redis/predixy.conf" = {
	84	# user = "redis";
	85	# group = "redis";
	86	# permissions = "0400";
	87	# text = ''
	88	# Name Predixy
	89	# Bind 127.0.0.1:7617
	90	# ClientTimeout 300
	91	# WorkerThreads 1
	92
	93	# Authority {
	94	# Auth "${config.myEnv.databases.redis.predixy.read}" {
	95	# Mode read
	96	# }
	97	# }
	98
	99	# StandaloneServerPool {
	100	# Databases 16
	101	# RefreshMethod fixed
	102	# Group shard001 {
	103	# + ${config.myEnv.databases.redis.socket}
	104	# }
	105	# }
	106	# '';
	107	#};
	108	"redis/spiped_keyfile" = {
	109	user = "spiped";
	110	group = "spiped";
	111	permissions = "0400";
	112	text = config.myEnv.databases.redis.spiped_key;
	113	};
	114	};
	115
	116	systemd.slices.redis = {
	117	description = "Redis slice";
	118	};
	119
	120	#systemd.services.predixy = {
	121	# description = "Redis proxy";
	122	# wantedBy = [ "multi-user.target" ];
	123	# after = [ "redis.service" ];
	124
	125	# serviceConfig = {
	126	# Slice = "redis.slice";
	127	# User = "redis";
	128	# Group = "redis";
	129	# SupplementaryGroups = "keys";
	130	# Type = "simple";
	131
	132	# ExecStart = "${pkgs.predixy}/bin/predixy ${config.secrets.fullPaths."redis/predixy.conf"}";
	133	# };
	134
	135	#};
	136	};
	137	}
	138