bicep: use mysql on bicep as production server

2023-09-07 18:20:15 +02:00 · 2023-09-07 18:20:15 +02:00 · b52753987d
parent 3beb76e411
commit b52753987d
3 changed files with 32 additions and 4 deletions
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@ -1,5 +1,12 @@
-{ pkgs, config, ... }:
+{ pkgs, lib, config, values, ... }:
 {
+  sops.secrets."mysql/password" = {
+    owner = "mysql";
+    group = "mysql";
+  };
+
+  users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
+
  services.mysql = {
    enable = true;
    dataDir = "/data/mysql";
@ -8,15 +15,23 @@
      mysqld = {
        # PVV allows a lot of connections at the same time
        max_connect_errors = 10000;
+	bind-address = values.services.mysql.ipv4;
+	skip-networking = 0;
+
+	# This was needed in order to be able to use all of the old users
+	# during migration from knakelibrak to bicep in Sep. 2023
+	secure_auth = 0;
      };
    };

    # Note: This user also has MAX_USER_CONNECTIONS set to 3, and
    #       a password which can be found in /secrets/ildkule/ildkule.yaml
+    #       We have also changed both the host and auth plugin of this user
+    #       to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
    ensureUsers = [{
      name = "prometheus_mysqld_exporter";
      ensurePermissions = {
-	"*.*" = "PROCESS, REPLICATION CLIENT, SELECT";
+        "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
      };
    }];
  };
@ -27,4 +42,12 @@
  };

  networking.firewall.allowedTCPPorts = [ 3306 ];
+
+  systemd.services.mysql.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      values.ipv4-space
+      values.ipv6-space
+    ];
+  };
 }
--- a/secrets/bicep/bicep.yaml
+++ b/secrets/bicep/bicep.yaml
@ -1,5 +1,7 @@
 calendar-bot:
    matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
+mysql:
+    password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -33,8 +35,8 @@ sops:
            QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C
            nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-27T00:13:50Z"
-    mac: ENC[AES256_GCM,data:u2TPEbDSlOR9SFVpGebiYMWKDtw3PYsljhMYB+No1YE4fXHWlGs4VjNfGZ43eiVmI9TM7f24flaAZ4tjFfjz14+kFg1kQ5VRkvanJP3h1TTAEPmZO3j28YlRiDOMZ387emDpyPox2jsIHBtQZnX+7DDw65KOWjG5uskOMHGRVEY=,iv:WpP9nYzCKzmynXvLCbbz5Aoy/cT/h8iklUZy6B00Tus=,tag:SnusNV0W6zfown4vWHIVhA==,type:str]
+    lastmodified: "2023-09-05T23:28:56Z"
+    mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str]
    pgp:
        - created_at: "2023-08-27T00:12:42Z"
          enc: |
--- a/values.nix
+++ b/values.nix
@ -3,6 +3,9 @@ let
  pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
  pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
 in rec {
+  ipv4-space = pvv-ipv4 "128/25";
+  ipv6-space = pvv-ipv4 "/64";
+
  services = {
    matrix = {
      inherit (hosts.bicep) ipv4 ipv6;