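{ pkgs, config, ... }:

# MariaDB server reachable from other hosts, plus a one-shot unit that
# provisions a read-only account whose password is supplied by a sops secret.
{
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        max_allowed_packet = "64M";
        transaction_isolation = "READ-COMMITTED";
        binlog_format = "ROW";
        # Allow remote connections: listen on every interface. The NixOS
        # firewall is closed by default, so TCP 3306 only becomes reachable
        # once it is opened explicitly elsewhere; scope that rule to the
        # client networks that actually need it rather than to everyone.
        bind-address = "0.0.0.0";
      };
    };
  };

  # Create (or re-sync) the read-only user for remote access after MySQL starts.
  systemd.services.mysql-setup-readonly-user = {
    description = "Setup MySQL read-only user";
    # `requires` makes this unit fail early when mysql.service is not running,
    # instead of executing the script against a missing server; `after` alone
    # only orders the two units.
    requires = [ "mysql.service" ];
    after = [ "mysql.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      # Runs as root so it can read the decrypted secret and authenticate to
      # the server as root over the local socket.
      User = "root";
    };
    script = ''
      PASSWORD=$(cat ${config.sops.secrets.mysql-readonly-password.path})
      # Escape backslashes and single quotes so the secret is a valid SQL
      # string literal; interpolated raw, a secret containing such characters
      # would break (or alter) the statements below.
      PASSWORD_SQL=$(printf '%s' "$PASSWORD" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")
      # CREATE USER IF NOT EXISTS alone never touches an existing account, so a
      # rotated secret would not be applied; the ALTER USER re-syncs it.
      # The grant is limited to SELECT on the one schema; '%' accepts any
      # client host, so reachability must be restricted at the network layer.
      ${pkgs.mariadb}/bin/mysql -u root <<EOF
      CREATE USER IF NOT EXISTS 'api_ebs_amz_at_ro'@'%' IDENTIFIED BY '$PASSWORD_SQL';
      ALTER USER 'api_ebs_amz_at_ro'@'%' IDENTIFIED BY '$PASSWORD_SQL';
      GRANT SELECT ON api_ebs_amz_at.* TO 'api_ebs_amz_at_ro'@'%';
      FLUSH PRIVILEGES;
      EOF
    '';
  };

  services.mysqlBackup.enable = true;

  # Decrypted by sops at activation time into a file owned by the mysql user.
  # The setup unit above runs as root, so it does not depend on this owner.
  sops.secrets.mysql-readonly-password = {
    owner = "mysql";
  };
}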