From 8a84069dcf6da1aa0a7bf8c7e6218a759d6c85e0 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 27 Jan 2026 17:23:38 +0900
Subject: [PATCH] bicep/mysql: use `BindPaths` to access `dataDir`
---
 hosts/bicep/services/mysql.nix | 39 ++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 11 deletions(-)
diff --git a/hosts/bicep/services/mysql.nix b/hosts/bicep/services/mysql.nix
index 56b289f..a3d1c38 100644
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -1,4 +1,8 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
+let
+ cfg = config.services.mysql;
+ dataDir = "/data/mysql";
+in
 {
 sops.secrets."mysql/password" = {
 owner = "mysql";
@@ -9,7 +13,6 @@
 services.mysql = {
 enable = true;
- dataDir = "/data/mysql";
 package = pkgs.mariadb;
 settings = {
 mysqld = {
@@ -36,20 +39,34 @@
 }];
 };
- services.mysqlBackup = {
+ services.mysqlBackup = lib.mkIf cfg.enable {
 enable = true;
 location = "/var/lib/mysql/backups";
 };
- networking.firewall.allowedTCPPorts = [ 3306 ];
+ networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
- systemd.services.mysql.serviceConfig = {
- IPAddressDeny = "any";
- IPAddressAllow = [
- values.ipv4-space
- values.ipv6-space
- values.hosts.ildkule.ipv4
- values.hosts.ildkule.ipv6
+ systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
+ inherit (cfg) user group;
+ mode = "0700";
+ };
+
+ systemd.services.mysql = lib.mkIf cfg.enable {
+ after = [
+ "systemd-tmpfiles-setup.service"
+ "systemd-tmpfiles-resetup.service"
 ];
+
+ serviceConfig = {
+ BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
+
+ IPAddressDeny = "any";
+ IPAddressAllow = [
+ values.ipv4-space
+ values.ipv6-space
+ values.hosts.ildkule.ipv4
+ values.hosts.ildkule.ipv6
+ ];
+ };
 };
 }
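Review bot: The new `systemd.services.mysql` block in the third hunk orders the unit after `systemd-tmpfiles-setup.service`, but nothing ties it to the filesystem that backs `dataDir`; if `/data` is a separately mounted volume that is absent or not yet mounted, the tmpfiles entry creates an empty `/data/mysql` on whatever is underneath, `BindPaths` binds that empty directory over `cfg.dataDir`, and the NixOS module's first-run initialization may then bootstrap a fresh database there instead of the unit failing. Adding `unitConfig.RequiresMountsFor = [ dataDir ];` next to `after` makes the unit wait for that mount and fail without it, and is a no-op when `/data` is not a mount unit. Separately, `services.mysqlBackup.location = "/var/lib/mysql/backups"` now names the host-side path rather than the bind-mounted data directory, because the bind applies only to `mysql.service` and the backup runs in its own unit; a short comment such as `# host path: mysql.service sees ${dataDir} bind-mounted here, other units do not` next to it would prevent it being misread as living under `/data/mysql`.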