1 files changed, 133 insertions, 0 deletions
diff --git a/virtual/modules/databases.nix b/virtual/modules/databases.nix
new file mode 100644
index 0000000..25bd645
--- /dev/null
+++ b/virtual/modules/databases.nix
@@ -0,0 +1,133 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    cfg = config.services.myDatabases;
+in {
+  options.services.myDatabases = {
+    enable = lib.mkEnableOption "my databases service";
+    postgresql = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable postgresql database";
+        type = lib.types.bool;
+      };
+    };
+    mariadb = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable mariadb database";
+        type = lib.types.bool;
+      };
+    };
+    redis = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable redis database";
+        type = lib.types.bool;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      postgresql = postgresql111;
+      postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
+        passthru = old.passthru // { psqlSchema = "11.0"; };
+        name = "postgresql-11.1";
+        src = pkgs.fetchurl {
+          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
+          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
+        };
+      });
+      mariadb = mariadbPAM;
+      mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
+        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+        buildInputs = old.buildInputs ++ [ pkgs.pam ];
+      });
+    };
+    networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+    # FIXME: initial sync
+    # FIXME: backup
+    # FIXME: restart after pam
+    # FIXME: pam access doesn’t work (because of php module)
+    # FIXME: ssl
+    services.mysql = rec {
+      enable = cfg.mariadb.enable;
+      package = pkgs.mariadb;
+    };
+    # FIXME: initial sync
+    # FIXME: backup
+    # FIXME: ssl
+    services.postgresql = rec {
+      enable = cfg.postgresql.enable;
+      package = pkgs.postgresql;
+      enableTCPIP = true;
+      extraConfig = ''
+        max_connections = 100
+        wal_level = logical
+        shared_buffers = 128MB
+        max_wal_size = 1GB
+        min_wal_size = 80MB
+        log_timezone = 'Europe/Paris'
+        datestyle = 'iso, mdy'
+        timezone = 'Europe/Paris'
+        lc_messages = 'en_US.UTF-8'
+        lc_monetary = 'en_US.UTF-8'
+        lc_numeric = 'en_US.UTF-8'
+        lc_time = 'en_US.UTF-8'
+        default_text_search_config = 'pg_catalog.english'
+        # ssl = on
+        # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
+        # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
+        '';
+      authentication = ''
+        local   all     postgres                                ident
+        local   all     all                                     md5
+        host    all     all             samehost                md5
+        host    all     all             178.33.252.96/32        md5
+        host    all     all             188.165.209.148/32      md5
+        #host   all     all             all                     pam
+      '';
+    };
+    security.pam.services = let
+      pam_ldap = pkgs.pam_ldap;
+      pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
+              pkgs.writeText "mysql.conf" ''
+        host ldap.immae.eu
+        base dc=immae,dc=eu
+        binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
+        bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
+        pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
+        '';
+    in [
+      {
+        name = "mysql";
+        text = ''
+          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
+          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+          '';
+      }
+    ];
+    # FIXME: backup
+    # Nextcloud: 14
+    services.redis = rec {
+      enable = config.services.myDatabases.redis.enable;
+      bind = "127.0.0.1";
+      unixSocket = "/run/redis/redis.sock";
+      extraConfig = ''
+        unixsocketperm 777
+        maxclients 1024
+        '';
+    };
+  };
+}

diff --git a/virtual/modules/databases.nix b/virtual/modules/databases.nix new file mode 100644 index 0000000..25bd645 --- /dev/null +++ b/virtual/modules/databases.nix
@@ -0,0 +1,133 @@
	1	{ lib, pkgs, config, mylibs, ... }:
	2	let
	3	cfg = config.services.myDatabases;
	4	in {
	5	options.services.myDatabases = {
	6	enable = lib.mkEnableOption "my databases service";
	7	postgresql = {
	8	enable = lib.mkOption {
	9	default = cfg.enable;
	10	example = true;
	11	description = "Whether to enable postgresql database";
	12	type = lib.types.bool;
	13	};
	14	};
	15
	16	mariadb = {
	17	enable = lib.mkOption {
	18	default = cfg.enable;
	19	example = true;
	20	description = "Whether to enable mariadb database";
	21	type = lib.types.bool;
	22	};
	23	};
	24
	25	redis = {
	26	enable = lib.mkOption {
	27	default = cfg.enable;
	28	example = true;
	29	description = "Whether to enable redis database";
	30	type = lib.types.bool;
	31	};
	32	};
	33	};
	34
	35	config = lib.mkIf cfg.enable {
	36	nixpkgs.config.packageOverrides = oldpkgs: rec {
	37	postgresql = postgresql111;
	38	postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
	39	passthru = old.passthru // { psqlSchema = "11.0"; };
	40	name = "postgresql-11.1";
	41	src = pkgs.fetchurl {
	42	url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
	43	sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
	44	};
	45	});
	46	mariadb = mariadbPAM;
	47	mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
	48	cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
	49	buildInputs = old.buildInputs ++ [ pkgs.pam ];
	50	});
	51	};
	52
	53	networking.firewall.allowedTCPPorts = [ 3306 5432 ];
	54
	55	# FIXME: initial sync
	56	# FIXME: backup
	57	# FIXME: restart after pam
	58	# FIXME: pam access doesn’t work (because of php module)
	59	# FIXME: ssl
	60	services.mysql = rec {
	61	enable = cfg.mariadb.enable;
	62	package = pkgs.mariadb;
	63	};
	64
	65	# FIXME: initial sync
	66	# FIXME: backup
	67	# FIXME: ssl
	68	services.postgresql = rec {
	69	enable = cfg.postgresql.enable;
	70	package = pkgs.postgresql;
	71	enableTCPIP = true;
	72	extraConfig = ''
	73	max_connections = 100
	74	wal_level = logical
	75	shared_buffers = 128MB
	76	max_wal_size = 1GB
	77	min_wal_size = 80MB
	78	log_timezone = 'Europe/Paris'
	79	datestyle = 'iso, mdy'
	80	timezone = 'Europe/Paris'
	81	lc_messages = 'en_US.UTF-8'
	82	lc_monetary = 'en_US.UTF-8'
	83	lc_numeric = 'en_US.UTF-8'
	84	lc_time = 'en_US.UTF-8'
	85	default_text_search_config = 'pg_catalog.english'
	86	# ssl = on
	87	# ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
	88	# ssl_key_file = '/var/lib/acme/eldiron/key.pem'
	89	'';
	90	authentication = ''
	91	local all postgres ident
	92	local all all md5
	93	host all all samehost md5
	94	host all all 178.33.252.96/32 md5
	95	host all all 188.165.209.148/32 md5
	96	#host all all all pam
	97	'';
	98	};
	99
	100	security.pam.services = let
	101	pam_ldap = pkgs.pam_ldap;
	102	pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
	103	pkgs.writeText "mysql.conf" ''
	104	host ldap.immae.eu
	105	base dc=immae,dc=eu
	106	binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
	107	bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
	108	pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
	109	'';
	110	in [
	111	{
	112	name = "mysql";
	113	text = ''
	114	# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
	115	auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
	116	account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
	117	'';
	118	}
	119	];
	120
	121	# FIXME: backup
	122	# Nextcloud: 14
	123	services.redis = rec {
	124	enable = config.services.myDatabases.redis.enable;
	125	bind = "127.0.0.1";
	126	unixSocket = "/run/redis/redis.sock";
	127	extraConfig = ''
	128	unixsocketperm 777
	129	maxclients 1024
	130	'';
	131	};
	132	};
	133	}