bicep: use mysql on bicep as production server

This commit is contained in:
Oystein Kristoffer Tveit 2023-09-07 18:20:15 +02:00 committed by h7x4
parent 3beb76e411
commit b52753987d
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 32 additions and 4 deletions


@ -1,5 +1,12 @@
{ pkgs, config, ... }: { pkgs, lib, config, values, ... }:
{ {
sops.secrets."mysql/password" = {
owner = "mysql";
group = "mysql";
};
users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
services.mysql = { services.mysql = {
enable = true; enable = true;
dataDir = "/data/mysql"; dataDir = "/data/mysql";
@ -8,15 +15,23 @@
mysqld = { mysqld = {
# PVV allows a lot of connections at the same time # PVV allows a lot of connections at the same time
max_connect_errors = 10000; max_connect_errors = 10000;
bind-address = values.services.mysql.ipv4;
skip-networking = 0;
# This was needed in order to be able to use all of the old users
# during migration from knakelibrak to bicep in Sep. 2023
secure_auth = 0;
}; };
}; };
# Note: This user also has MAX_USER_CONNECTIONS set to 3, and # Note: This user also has MAX_USER_CONNECTIONS set to 3, and
# a password which can be found in /secrets/ildkule/ildkule.yaml # a password which can be found in /secrets/ildkule/ildkule.yaml
# We have also changed both the host and auth plugin of this user
# to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
ensureUsers = [{ ensureUsers = [{
name = "prometheus_mysqld_exporter"; name = "prometheus_mysqld_exporter";
ensurePermissions = { ensurePermissions = {
"*.*" = "PROCESS, REPLICATION CLIENT, SELECT"; "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
}; };
}]; }];
}; };
@ -27,4 +42,12 @@
}; };
networking.firewall.allowedTCPPorts = [ 3306 ]; networking.firewall.allowedTCPPorts = [ 3306 ];
systemd.services.mysql.serviceConfig = {
IPAddressDeny = "any";
IPAddressAllow = [
values.ipv4-space
values.ipv6-space
];
};
} }
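Review bot: `secure_auth = 0;` in the mysqld hunk re-enables the pre-4.1 old_password authentication scheme for network clients, which is a known-weak hash; the comment explains why it was needed for the migration but gives no exit condition. Suggest marking it as temporary, e.g. `# TODO: set back to 1 once every legacy account has been re-hashed with mysql_native_password`, so it is not left on the production server indefinitely. The systemd `IPAddressDeny`/`IPAddressAllow` block and the firewall rule limit exposure to the PVV address space meanwhile, which is a reasonable mitigation, but it only helps if `values.ipv6-space` parses as a valid prefix. Separately, `users.mysql.passwordFile` is an option of the NSS/PAM `users.mysql` module rather than of `services.mysql`; unless `users.mysql.enable` is set elsewhere, that line and the new secret appear to have no effect, which is worth confirming. The `settings` attrset that the second hunk modifies starts outside the hunk.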


@ -1,5 +1,7 @@
calendar-bot: calendar-bot:
matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str] matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
mysql:
password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -33,8 +35,8 @@ sops:
QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C
nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ== nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-27T00:13:50Z" lastmodified: "2023-09-05T23:28:56Z"
mac: ENC[AES256_GCM,data:u2TPEbDSlOR9SFVpGebiYMWKDtw3PYsljhMYB+No1YE4fXHWlGs4VjNfGZ43eiVmI9TM7f24flaAZ4tjFfjz14+kFg1kQ5VRkvanJP3h1TTAEPmZO3j28YlRiDOMZ387emDpyPox2jsIHBtQZnX+7DDw65KOWjG5uskOMHGRVEY=,iv:WpP9nYzCKzmynXvLCbbz5Aoy/cT/h8iklUZy6B00Tus=,tag:SnusNV0W6zfown4vWHIVhA==,type:str] mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str]
pgp: pgp:
- created_at: "2023-08-27T00:12:42Z" - created_at: "2023-08-27T00:12:42Z"
enc: | enc: |


@ -3,6 +3,9 @@ let
pvv-ipv4 = suffix: "129.241.210.${toString suffix}"; pvv-ipv4 = suffix: "129.241.210.${toString suffix}";
pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}"; pvv-ipv6 = suffix: "2001:700:300:1900::${toString suffix}";
in rec { in rec {
ipv4-space = pvv-ipv4 "128/25";
ipv6-space = pvv-ipv4 "/64";
services = { services = {
matrix = { matrix = {
inherit (hosts.bicep) ipv4 ipv6; inherit (hosts.bicep) ipv4 ipv6;
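Review bot: `ipv6-space = pvv-ipv4 "/64";` on the new side calls the IPv4 helper, so it evaluates to the string `129.241.210./64` rather than an IPv6 prefix; the intended line is `ipv6-space = pvv-ipv6 "/64";`, which yields `2001:700:300:1900::/64`. This value is consumed by the mysql unit's `IPAddressAllow` in the same commit, and since `IPAddressDeny = "any"` is set alongside it, the malformed entry would presumably leave IPv6 clients blocked (or fail the unit), so it should be fixed before deploy. The enclosing `rec { … }` attrset continues past the hunk.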