pvv-nixos-config/hosts/bicep/services/mysql.nix


{ pkgs, lib, config, values, ... }:
# NixOS module for the MariaDB server on this host: root password from sops,
# TCP listener bound to the host's service address, a monitoring user for the
# exporter, periodic backups, and network restrictions at both the firewall
# and the systemd unit level.
{
  # The root password is provisioned from sops and made readable only by the
  # mysql user/group; the service reads it from the decrypted secret's path.
  sops.secrets."mysql/password" = {
    owner = "mysql";
    group = "mysql";
  };
  users.mysql.passwordFile = config.sops.secrets."mysql/password".path;

  services.mysql = {
    enable = true;
    dataDir = "/data/mysql";
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        # PVV allows a lot of connections at the same time
        # NOTE(review): max_connect_errors is the number of failed handshakes
        # tolerated from one host before it is blocked; a high value also gives
        # a misbehaving client more attempts before being cut off — confirm this
        # is acceptable given the IPAddressAllow restriction below.
        max_connect_errors = 10000;

        # TCP listener explicitly enabled (skip-networking = 0) and bound to
        # the host's mysql service address rather than all interfaces.
        bind-address = values.services.mysql.ipv4;
        skip-networking = 0;

        # This was needed in order to be able to use all of the old users
        # during migration from knakelibrak to bicep in Sep. 2023
        # NOTE(review): secure_auth = 0 permits clients still using the
        # pre-4.1 password hash format. The migration is described in the past
        # tense; once the remaining old-format accounts have been rehashed,
        # this should be set back to 1 (or dropped to take the default).
        secure_auth = 0;
      };
    };

    # Note: This user also has MAX_USER_CONNECTIONS set to 3, and
    # a password which can be found in /secrets/ildkule/ildkule.yaml
    # We have also changed both the host and auth plugin of this user
    # to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
    #
    # NOTE(review): the grants below are global ("*.*"), so SELECT gives the
    # exporter read access to every database on the server, not only the
    # performance/information schemas — verify the exporter's collectors
    # actually require it, and keep the host restriction mentioned above.
    ensureUsers = [{
      name = "prometheus_mysqld_exporter";
      ensurePermissions = {
        "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
      };
    }];
  };

  # Dumps are written outside dataDir (/data/mysql) into /var/lib/mysql/backups.
  services.mysqlBackup = {
    enable = true;
    location = "/var/lib/mysql/backups";
  };

  # The firewall opens 3306 on all interfaces; the actual reachability limit is
  # enforced on the unit itself: IPAddressDeny = "any" drops all traffic to and
  # from the mysql service's sockets except the address ranges listed in
  # IPAddressAllow. Both layers must agree — the firewall rule alone would
  # expose the port more widely than the allow-list intends.
  # NOTE(review): values.ipv4-space / values.ipv6-space are defined elsewhere;
  # confirm they cover exactly the networks that should reach the database.
  networking.firewall.allowedTCPPorts = [ 3306 ];
  systemd.services.mysql.serviceConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = [
      values.ipv4-space
      values.ipv6-space
    ];
  };
}