bicep: use mysql on bicep as production server

hosts/bicep/services/mysql.nix

@@ -1,5 +1,12 @@
-{ pkgs, config, ... }:
+{ pkgs, lib, config, values, ... }:
 {
+  sops.secrets."mysql/password" = {
+    owner = "mysql";
+    group = "mysql";
+  };
+
+  users.mysql.passwordFile = config.sops.secrets."mysql/password".path;
+
   services.mysql = {
     enable = true;
     dataDir = "/data/mysql";
@@ -8,15 +15,23 @@
       mysqld = {
         # PVV allows a lot of connections at the same time
         max_connect_errors = 10000;
+	bind-address = values.services.mysql.ipv4;
+	skip-networking = 0;
+
+	# This was needed in order to be able to use all of the old users
+	# during migration from knakelibrak to bicep in Sep. 2023
+	secure_auth = 0;
       };
     };
 
     # Note: This user also has MAX_USER_CONNECTIONS set to 3, and
     #       a password which can be found in /secrets/ildkule/ildkule.yaml
+    #       We have also changed both the host and auth plugin of this user
+    #       to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
     ensureUsers = [{
       name = "prometheus_mysqld_exporter";
       ensurePermissions = {
-	"*.*" = "PROCESS, REPLICATION CLIENT, SELECT";
+        "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
       };
     }];
   };
@@ -27,4 +42,12 @@
   };
 
   networking.firewall.allowedTCPPorts = [ 3306 ];
+
+  systemd.services.mysql.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      values.ipv4-space
+      values.ipv6-space
+    ];
+  };
 }