aboutsummaryrefslogtreecommitdiff
path: root/systems/eldiron/databases/mariadb.nix
blob: b4a6917a76018aaea2bc41ee5591bf4133b5ced4 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
{ lib, pkgs, config, ... }:
let
    cfg = config.myServices.databases.mariadb;
in {
  options.myServices.databases = {
    mariadb = {
      enable = lib.mkOption {
        default = false;
        example = true;
        description = "Whether to enable mariadb database";
        type = lib.types.bool;
      };
      package = lib.mkOption {
        type = lib.types.package;
        default = pkgs.mariadb;
        description = ''
          Mariadb package to use.
          '';
      };
      credentials = lib.mkOption {
        default = {};
        description = "Credentials";
        type = lib.types.attrsOf lib.types.str;
      };
      ldapConfig = lib.mkOption {
        description = "LDAP configuration to allow PAM identification via LDAP";
        type = lib.types.submodule {
          options = {
            host = lib.mkOption { type = lib.types.str; };
            base = lib.mkOption { type = lib.types.str; };
            dn = lib.mkOption { type = lib.types.str; };
            password = lib.mkOption { type = lib.types.str; };
            filter = lib.mkOption { type = lib.types.str; };
          };
        };
      };
      replicationLdapConfig = lib.mkOption {
        description = "LDAP configuration to allow replication";
        type = lib.types.submodule {
          options = {
            host = lib.mkOption { type = lib.types.str; };
            base = lib.mkOption { type = lib.types.str; };
            dn = lib.mkOption { type = lib.types.str; };
            password = lib.mkOption { type = lib.types.str; };
          };
        };
      };
      dataDir = lib.mkOption {
        type = lib.types.path;
        default = "/var/lib/mysql";
        description = ''
          The directory where Mariadb stores its data.
        '';
      };
      # Output variables
      socketsDir = lib.mkOption {
        type = lib.types.path;
        default = "/run/mysqld";
        description = ''
          The directory where Mariadb puts sockets.
          '';
      };
      sockets = lib.mkOption {
        type = lib.types.attrsOf lib.types.path;
        default = {
          mysqld  = "${cfg.socketsDir}/mysqld.sock";
        };
        readOnly = true;
        description = ''
          Mariadb sockets
          '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [ config.myEnv.databases.mysql.port ];

    # for adminer, ssl is implemented with mysqli only, which is
    # currently disabled because it’s not compatible with pam.
    # Thus we need to generate two users for each 'remote': one remote
    # with SSL, and one localhost without SSL.
    # User identified by LDAP:
    # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
    # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';

    # To create a user (host) for replication:
    # CREATE USER 'host'@'%' IDENTIFIED VIA pam USING 'mysql_replication' REQUIRE SSL;
    # GRANT REPLICATION SLAVE, REPLICATION CLIENT, RELOAD, LOCK TABLES, SELECT, SHOW VIEW ON *.* TO 'host'@'%';
    # (the lock/select grant permits to let the replication host handle
    # the initial fetch of the database)
    # % should be valid for both localhost (for cron dumps) and the origin host.
    services.mysql = {
      enable = true;
      package = cfg.package;
      dataDir = cfg.dataDir;
      settings = {
        mysqld = {
          port = config.myEnv.databases.mysql.port;
          ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
          ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
          ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";

          # for replication
          log-bin = "mariadb-bin";
          server-id = "1";

          # this introduces a small delay before storing on disk, but
          # makes it order of magnitudes quicker
          innodb_flush_log_at_trx_commit = "0";

          # This is necessary since the default ("dialog") is not
          # supported by php's mysqlnd plugin (in mysqli). But with that
          # change only regular login+password schemes can work (no
          # "fancy" authentication methods like fprintd or keys)
          pam_use_cleartext_plugin = true;
        };
      };
    };

    users.users.mysql.extraGroups = [ "keys" ];
    security.acme.certs."mysql" = {
      group = "mysql";
      domain = "db-1.immae.eu";
      postRun = ''
        systemctl restart mysql.service
      '';
    };

    secrets.keys = {
      "mysql/mysqldump" = {
        permissions = "0400";
        user = "root";
        group = "root";
        text = ''
          [mysqldump]
          user = root
          password = ${cfg.credentials.root}
        '';
      };
      "mysql/pam" = {
        permissions = "0400";
        user = "mysql";
        group = "mysql";
        text =  with cfg.ldapConfig; ''
          host ${host}
          base ${base}
          binddn ${dn}
          bindpw ${password}
          pam_filter ${filter}
          ssl start_tls
        '';
      };
      "mysql/pam_replication" = {
        permissions = "0400";
        user = "mysql";
        group = "mysql";
        text =  with cfg.replicationLdapConfig; ''
          host ${host}
          base ${base}
          binddn ${dn}
          bindpw ${password}
          pam_login_attribute cn
          ssl start_tls
        '';
      };
    };

    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
    in {
      mysql = {
        text = ''
          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
          auth    required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
          account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam"}
          '';
      };
      mysql_replication = {
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
          account required ${pam_ldap} config=${config.secrets.fullPaths."mysql/pam_replication"}
          '';
      };
    };

  };
}