{ pkgs, lib, config, values, ... }:
let
  # Key of the sops-managed secret holding the MySQL password; used twice below.
  passwordSecret = "mysql/password";
in
{
  # The secret file is handed to the mysql user and group.
  sops.secrets.${passwordSecret} = { owner = "mysql"; group = "mysql"; };

  # Only the path of the secret file is referenced here, so the password value
  # itself never appears in this configuration.
  # NOTE(review): users.mysql.passwordFile is not declared in this file;
  # confirm which module consumes it.
  users.mysql.passwordFile = config.sops.secrets.${passwordSecret}.path;

  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    dataDir = "/data/mysql";

    settings.mysqld = {
      # Networking stays on, with the listener bound to the single IPv4
      # address taken from values.services.mysql.ipv4.
      skip-networking = 0;
      bind-address = values.services.mysql.ipv4;

      # PVV allows a lot of connections at the same time.
      # NOTE(review): max_connect_errors is the number of successive failed
      # connects from one host before the server blocks that host, so a high
      # value also loosens that blocking. Concurrent connections are governed
      # by max_connections, which this file does not set.
      max_connect_errors = 10000;

      # Needed in order to keep using all of the old users during the
      # migration from knakelibrak to bicep in Sep. 2023.
      # With secure_auth off the server accepts accounts that still use the
      # old, weak password hash format.
      # NOTE(review): turn this back on once the migrated accounts have had
      # their passwords reset to a current format.
      secure_auth = 0;
    };

    # Monitoring account for the Prometheus mysqld exporter.
    # Not expressed in this file, but applied to the same user:
    #   - MAX_USER_CONNECTIONS is set to 3
    #   - its password can be found in /secrets/ildkule/ildkule.yaml
    #   - its host was changed to 'ildkule.pvv.ntnu.no' and its auth plugin
    #     to 'mysql_native_password'
    # The grant is on "*.*", so SELECT covers every schema; the host and
    # connection limits above are what bound this credential.
    ensureUsers = [
      {
        name = "prometheus_mysqld_exporter";
        ensurePermissions."*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
      }
    ];
  };

  # Backups are written to /var/lib/mysql/backups, which is outside dataDir
  # (/data/mysql).
  # NOTE(review): the dumps hold the same data as the live databases; confirm
  # the directory's permissions are as tight as those of dataDir.
  services.mysqlBackup.enable = true;
  services.mysqlBackup.location = "/var/lib/mysql/backups";

  # The host firewall opens 3306 without a source restriction; the narrowing
  # to the address ranges from `values` is done per-unit by systemd below.
  networking.firewall.allowedTCPPorts = [ 3306 ];

  # Deny all IP traffic for the mysql unit, then allow only the two ranges.
  # NOTE(review): "any" includes loopback, so local clients presumably rely on
  # the unix socket unless loopback lies inside values.ipv4-space - confirm.
  systemd.services.mysql.serviceConfig.IPAddressDeny = "any";
  systemd.services.mysql.serviceConfig.IPAddressAllow = [
    values.ipv4-space
    values.ipv6-space
  ];
}