From b52753987da5f2311fc4dbcca24f0a7393e9c258 Mon Sep 17 00:00:00 2001
From: oysteikt
Date: Thu, 7 Sep 2023 18:20:15 +0200
Subject: [PATCH] bicep: use mysql on bicep as production server
---
 hosts/bicep/services/mysql.nix | 27 +++++++++++++++++++++++++--
 secrets/bicep/bicep.yaml | 6 ++++--
 values.nix | 3 +++
 3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/hosts/bicep/services/mysql.nix b/hosts/bicep/services/mysql.nix
index 01198b7..7092f43 100644
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -1,5 +1,12 @@
-{ pkgs, config, ... }:
+{ pkgs, lib, config, values, ... }:
 {
+ sops.secrets."mysql/password" = {
+ owner = "mysql";
+ group = "mysql";
+ };
+
+ users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
+
 services.mysql = {
 enable = true;
 dataDir = "/data/mysql";
@@ -8,15 +15,23 @@
 mysqld = {
 # PVV allows a lot of connections at the same time
 max_connect_errors = 10000;
+ bind-address = values.services.mysql.ipv4;
+ skip-networking = 0;
+
+ # This was needed in order to be able to use all of the old users
+ # during migration from knakelibrak to bicep in Sep. 2023
+ secure_auth = 0;
 };
 };
 
 # Note: This user also has MAX_USER_CONNECTIONS set to 3, and
 # a password which can be found in /secrets/ildkule/ildkule.yaml
+ # We have also changed both the host and auth plugin of this user
+ # to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
 ensureUsers = [{
 name = "prometheus_mysqld_exporter";
 ensurePermissions = {
- "*.*" = "PROCESS, REPLICATION CLIENT, SELECT";
+ "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
 };
 }];
 };
@@ -27,4 +42,12 @@
 };
 
 networking.firewall.allowedTCPPorts = [ 3306 ];
+
+ systemd.services.mysql.serviceConfig = {
+ IPAddressDeny = "any";
+ IPAddressAllow = [
+ values.ipv4-space
+ values.ipv6-space
+ ];
+ };
 }
diff --git a/secrets/bicep/bicep.yaml b/secrets/bicep/bicep.yaml
index 622c2b0..ecc08ef 100644
--- a/secrets/bicep/bicep.yaml
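Review bot: `users.mysql.passwordFile` in the first hunk does not match a NixOS option path I recognise; the per-user option is `users.users.mysql.passwordFile`, and that one expects a password *hash* (it is consumed via `chpasswd -e`), so if the sops value is the plain MySQL password this sets the wrong thing even once the path is corrected. If the repository declares its own `users.mysql` option the first half of this does not apply, but it is worth a comment on the line saying what the file is consumed by. Separately, `lib` is added to the module arguments while nothing in the visible hunks uses it; drop it unless a later part of the file does. The secret ownership (`owner`/`group` = `mysql`) is the right scope for a file only mysqld needs to read.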
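Review bot: `secure_auth = 0` in the second hunk re-enables logins with pre-4.1 (`old_password`) hashes, which are weak, and the comment presents it as a migration aid with no end date. Put a dated reminder on it and remove it once the old accounts are converted, e.g. `# TODO(remove after migration): disables rejection of pre-4.1 password hashes; re-enable once every account uses mysql_native_password`, and verify afterwards with `SELECT user,host,plugin FROM mysql.user` that nothing still depends on it. The new `bind-address` binds a single IPv4 address, while the service's `IPAddressAllow` in the last hunk also admits the IPv6 space; if IPv6 clients are expected, bind an IPv6 address as well (MariaDB accepts `bind-address = ::` for dual-stack on most setups, but confirm), otherwise the v6 allow entry is dead. The intent is hard to tell from the hunk alone.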
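Review bot: `IPAddressDeny = "any"` in the third hunk also covers loopback, so anything on bicep that reaches MySQL over TCP on 127.0.0.1/::1 rather than the unix socket is rejected; if that is intended it deserves a comment, otherwise add `"localhost"` to `IPAddressAllow`. The `values.ipv6-space` entry relies on the values.nix definition added in this same patch, which is built with the IPv4 helper and so does not produce a valid IPv6 prefix; systemd logs and ignores allow-list entries it cannot parse, so IPv6 clients would stay denied until that is fixed. Note also that `IPAddressDeny`/`IPAddressAllow` are only enforced when the kernel and cgroup setup support systemd's BPF firewall, otherwise they are silent no-ops and `networking.firewall.allowedTCPPorts` a few lines up is the only filter; a comment such as `# Second layer behind the host firewall: restrict mysqld to PVV address space even if 3306 is open` would make the layering explicit.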
+++ b/secrets/bicep/bicep.yaml
@@ -1,5 +1,7 @@
 calendar-bot:
 matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
+mysql:
+ password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -33,8 +35,8 @@ sops:
 QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C
 nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-08-27T00:13:50Z"
- mac: ENC[AES256_GCM,data:u2TPEbDSlOR9SFVpGebiYMWKDtw3PYsljhMYB+No1YE4fXHWlGs4VjNfGZ43eiVmI9TM7f24flaAZ4tjFfjz14+kFg1kQ5VRkvanJP3h1TTAEPmZO3j28YlRiDOMZ387emDpyPox2jsIHBtQZnX+7DDw65KOWjG5uskOMHGRVEY=,iv:WpP9nYzCKzmynXvLCbbz5Aoy/cT/h8iklUZy6B00Tus=,tag:SnusNV0W6zfown4vWHIVhA==,type:str]
+ lastmodified: "2023-09-05T23:28:56Z"
+ mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str]
 pgp:
 - created_at: "2023-08-27T00:12:42Z"
 enc: |
diff --git a/values.nix b/values.nix
index f2a847d..de8a716 100644
--- a/values.nix
+++ b/values.nix
@@ -3,6 +3,9 @@ let
 pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
 pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
 in rec {
+ ipv4-space = pvv-ipv4 "128/25";
+ ipv6-space = pvv-ipv4 "/64";
+
 services = {
 matrix = {
 inherit (hosts.bicep) ipv4 ipv6;
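Review bot: `ipv6-space = pvv-ipv4 "/64";` in the values.nix hunk calls the IPv4 helper, yielding `129.241.210./64`, which is neither a valid IPv4 nor IPv6 prefix; it should be `ipv6-space = pvv-ipv6 "/64";`, giving `2001:700:300:1900::/64`. This value feeds `IPAddressAllow` for the mysql unit in hosts/bicep/services/mysql.nix in the same patch, so as written IPv6 clients from the PVV range are denied there while IPv4 works, which would be easy to misread as a client-side problem. The `rec { ... }` body continues past the end of the hunk.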