feat: initial amzebs config

hosts/amzebs-01/modules/mysql.nix

@@ -0,0 +1,29 @@
+{ pkgs, config, ... }:
+{
+
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    settings = {
+      mysqld = {
+        max_allowed_packet = "64M";
+        transaction_isolation = "READ-COMMITTED";
+        binlog_format = "ROW";
+        # Allow remote connections
+        bind-address = "0.0.0.0";
+      };
+    };
+
+    # Create read-only user for remote access on initial MySQL setup
+    initialScript = pkgs.writeShellScript "mysql-init.sql" ''
+      PASSWORD=$(cat ${config.sops.secrets.mysql-readonly-password.path})
+      ${pkgs.mariadb}/bin/mysql -u root <<EOF
+        CREATE USER IF NOT EXISTS 'api_ebs_amz_at_ro'@'%' IDENTIFIED BY '$PASSWORD';
+        GRANT SELECT ON api_ebs_amz_at.* TO 'api_ebs_amz_at_ro'@'%';
+        FLUSH PRIVILEGES;
+      EOF
+    '';
+  };
+
+  services.mysqlBackup.enable = true;
+}