bicep: use mysql on bicep as production server
This commit is contained in:
parent
3beb76e411
commit
b52753987d
|
@ -1,5 +1,12 @@
|
||||||
{ pkgs, config, ... }:
|
{ pkgs, lib, config, values, ... }:
|
||||||
{
|
{
|
||||||
|
sops.secrets."mysql/password" = {
|
||||||
|
owner = "mysql";
|
||||||
|
group = "mysql";
|
||||||
|
};
|
||||||
|
|
||||||
|
users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
|
||||||
|
|
||||||
services.mysql = {
|
services.mysql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dataDir = "/data/mysql";
|
dataDir = "/data/mysql";
|
||||||
|
@ -8,15 +15,23 @@
|
||||||
mysqld = {
|
mysqld = {
|
||||||
# PVV allows a lot of connections at the same time
|
# PVV allows a lot of connections at the same time
|
||||||
max_connect_errors = 10000;
|
max_connect_errors = 10000;
|
||||||
|
bind-address = values.services.mysql.ipv4;
|
||||||
|
skip-networking = 0;
|
||||||
|
|
||||||
|
# This was needed in order to be able to use all of the old users
|
||||||
|
# during migration from knakelibrak to bicep in Sep. 2023
|
||||||
|
secure_auth = 0;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and
|
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and
|
||||||
# a password which can be found in /secrets/ildkule/ildkule.yaml
|
# a password which can be found in /secrets/ildkule/ildkule.yaml
|
||||||
|
# We have also changed both the host and auth plugin of this user
|
||||||
|
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
|
||||||
ensureUsers = [{
|
ensureUsers = [{
|
||||||
name = "prometheus_mysqld_exporter";
|
name = "prometheus_mysqld_exporter";
|
||||||
ensurePermissions = {
|
ensurePermissions = {
|
||||||
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT";
|
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
|
||||||
};
|
};
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
@ -27,4 +42,12 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 3306 ];
|
networking.firewall.allowedTCPPorts = [ 3306 ];
|
||||||
|
|
||||||
|
systemd.services.mysql.serviceConfig = {
|
||||||
|
IPAddressDeny = "any";
|
||||||
|
IPAddressAllow = [
|
||||||
|
values.ipv4-space
|
||||||
|
values.ipv6-space
|
||||||
|
];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,7 @@
|
||||||
calendar-bot:
|
calendar-bot:
|
||||||
matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
|
matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
|
||||||
|
mysql:
|
||||||
|
password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -33,8 +35,8 @@ sops:
|
||||||
QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C
|
QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C
|
||||||
nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ==
|
nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-08-27T00:13:50Z"
|
lastmodified: "2023-09-05T23:28:56Z"
|
||||||
mac: ENC[AES256_GCM,data:u2TPEbDSlOR9SFVpGebiYMWKDtw3PYsljhMYB+No1YE4fXHWlGs4VjNfGZ43eiVmI9TM7f24flaAZ4tjFfjz14+kFg1kQ5VRkvanJP3h1TTAEPmZO3j28YlRiDOMZ387emDpyPox2jsIHBtQZnX+7DDw65KOWjG5uskOMHGRVEY=,iv:WpP9nYzCKzmynXvLCbbz5Aoy/cT/h8iklUZy6B00Tus=,tag:SnusNV0W6zfown4vWHIVhA==,type:str]
|
mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-08-27T00:12:42Z"
|
- created_at: "2023-08-27T00:12:42Z"
|
||||||
enc: |
|
enc: |
|
||||||
|
|
|
@ -3,6 +3,9 @@ let
|
||||||
pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
|
pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
|
||||||
pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
|
pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
|
||||||
in rec {
|
in rec {
|
||||||
|
ipv4-space = pvv-ipv4 "128/25";
|
||||||
|
ipv6-space = pvv-ipv4 "/64";
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
matrix = {
|
matrix = {
|
||||||
inherit (hosts.bicep) ipv4 ipv6;
|
inherit (hosts.bicep) ipv4 ipv6;
|
||||||
|
|
Loading…
Reference in New Issue