bicep/mysql: use BindPaths to access dataDir

2026-02-04 09:10:01 +01:00 · 2026-01-27 17:23:38 +09:00
parent cda84be5b0
commit 8a84069dcf
1 changed files with 28 additions and 11 deletions
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -1,4 +1,8 @@
-{ pkgs, lib, config, values, ... }:
+{ config, pkgs, lib, values, ... }:
+let
+  cfg = config.services.mysql;
+  dataDir = "/data/mysql";
+in
 {
  sops.secrets."mysql/password" = {
    owner = "mysql";
@@ -9,7 +13,6 @@

  services.mysql = {
    enable = true;
-    dataDir = "/data/mysql";
    package = pkgs.mariadb;
    settings = {
      mysqld = {
@@ -36,20 +39,34 @@
    }];
  };

-  services.mysqlBackup = {
+  services.mysqlBackup = lib.mkIf cfg.enable {
    enable = true;
    location = "/var/lib/mysql/backups";
  };

-  networking.firewall.allowedTCPPorts = [ 3306 ];
+  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];

-  systemd.services.mysql.serviceConfig = {
-    IPAddressDeny = "any";
-    IPAddressAllow = [
-      values.ipv4-space
-      values.ipv6-space
-      values.hosts.ildkule.ipv4
-      values.hosts.ildkule.ipv6
+  systemd.tmpfiles.settings."10-mysql".${dataDir}.d = lib.mkIf cfg.enable {
+    inherit (cfg) user group;
+    mode = "0700";
+  };
+
+  systemd.services.mysql = lib.mkIf cfg.enable {
+    after = [
+      "systemd-tmpfiles-setup.service"
+      "systemd-tmpfiles-resetup.service"
    ];
+
+    serviceConfig = {
+      BindPaths = [ "${dataDir}:${cfg.dataDir}" ];
+
+      IPAddressDeny = "any";
+      IPAddressAllow = [
+        values.ipv4-space
+        values.ipv6-space
+        values.hosts.ildkule.ipv4
+        values.hosts.ildkule.ipv6
+      ];
+    };
  };
 }