bicep: use mysql on bicep as production server
This commit is contained in:
parent
3beb76e411
commit
b52753987d
|
@ -1,5 +1,12 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ pkgs, lib, config, values, ... }:
|
||||
{
|
||||
sops.secrets."mysql/password" = {
|
||||
owner = "mysql";
|
||||
group = "mysql";
|
||||
};
|
||||
|
||||
users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
|
||||
|
||||
services.mysql = {
|
||||
enable = true;
|
||||
dataDir = "/data/mysql";
|
||||
|
@ -8,15 +15,23 @@
|
|||
mysqld = {
|
||||
# PVV allows a lot of connections at the same time
|
||||
max_connect_errors = 10000;
|
||||
bind-address = values.services.mysql.ipv4;
|
||||
skip-networking = 0;
|
||||
|
||||
# This was needed in order to be able to use all of the old users
|
||||
# during migration from knakelibrak to bicep in Sep. 2023
|
||||
secure_auth = 0;
|
||||
};
|
||||
};
|
||||
|
||||
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and
|
||||
# a password which can be found in /secrets/ildkule/ildkule.yaml
|
||||
# We have also changed both the host and auth plugin of this user
|
||||
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
|
||||
ensureUsers = [{
|
||||
name = "prometheus_mysqld_exporter";
|
||||
ensurePermissions = {
|
||||
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT";
|
||||
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
|
||||
};
|
||||
}];
|
||||
};
|
||||
|
@ -27,4 +42,12 @@
|
|||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 3306 ];
|
||||
|
||||
systemd.services.mysql.serviceConfig = {
|
||||
IPAddressDeny = "any";
|
||||
IPAddressAllow = [
|
||||
values.ipv4-space
|
||||
values.ipv6-space
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
calendar-bot:
|
||||
matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
|
||||
mysql:
|
||||
password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -33,8 +35,8 @@ sops:
|
|||
QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C
|
||||
nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-27T00:13:50Z"
|
||||
mac: ENC[AES256_GCM,data:u2TPEbDSlOR9SFVpGebiYMWKDtw3PYsljhMYB+No1YE4fXHWlGs4VjNfGZ43eiVmI9TM7f24flaAZ4tjFfjz14+kFg1kQ5VRkvanJP3h1TTAEPmZO3j28YlRiDOMZ387emDpyPox2jsIHBtQZnX+7DDw65KOWjG5uskOMHGRVEY=,iv:WpP9nYzCKzmynXvLCbbz5Aoy/cT/h8iklUZy6B00Tus=,tag:SnusNV0W6zfown4vWHIVhA==,type:str]
|
||||
lastmodified: "2023-09-05T23:28:56Z"
|
||||
mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-27T00:12:42Z"
|
||||
enc: |
|
||||
|
|
|
@ -3,6 +3,9 @@ let
|
|||
pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
|
||||
pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
|
||||
in rec {
|
||||
ipv4-space = pvv-ipv4 "128/25";
|
||||
ipv6-space = pvv-ipv4 "/64";
|
||||
|
||||
services = {
|
||||
matrix = {
|
||||
inherit (hosts.bicep) ipv4 ipv6;
|
||||
|
|
Loading…
Reference in New Issue