
{ pkgs, config, ... }:
let
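# Admin helper: create a database plus a same-named account limited to HOST,
# with a fresh random password that is printed once to stdout.
# Usage (as root): mysql-create-database <database> <host>
# The account is scoped to the given HOST only; the companion
# mysql-delete-database must be given the same host to remove it.
mysqlCreateDatabase = pkgs.writeShellScriptBin "mysql-create-database" ''
  # writeShellScriptBin already supplies the bash shebang.
  # -e: abort if the SQL is rejected, so the "Password for user" block below is
  #     never printed for an account that was not actually created.
  # -u: unset variables are errors.
  # pipefail is intentionally NOT set: `head -c` closing the pipe makes `tr`
  # exit via SIGPIPE, which would spuriously abort the password generation.
  set -eu

  if [ $# -lt 2 ]; then
    echo "Usage: $0 <database> <host>" >&2
    exit 1
  fi
  if [ "$EUID" -ne 0 ]; then
    echo "Must be root!" >&2
    exit 1
  fi

  DB="$1"
  HOST="$2"

  # 64 alphanumerics from the kernel CSPRNG. The charset contains no
  # shell- or SQL-significant characters, so the value can be embedded in the
  # single-quoted SQL literal below without escaping. (The former trailing
  # `xargs` was a no-op on whitespace-free input and is dropped.)
  PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64)"

  # Statements go to the client on stdin; nothing secret is placed in argv.
  # $DB and $HOST are taken verbatim from the (root) operator and are not
  # quoted as identifiers, so names must be plain identifiers.
  mysql --host localhost --user root <<EOF
  create database $DB;
  grant usage on $DB.* to '$DB'@'$HOST' identified by '$PASSWORD';
  grant all privileges on $DB.* to '$DB'@'$HOST';
  EOF

  echo
  echo "Password for user $DB is:"
  echo
  echo "$PASSWORD"
  echo
'';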
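# Admin helper: drop a database and the same-named account.
# Usage (as root): mysql-delete-database <database> [host]
# HOST defaults to '%' (what the bare `drop user '$DB'` meant before), but
# mysql-create-database creates the account as '<db>'@'<host>', so pass the
# same host here or the account is left behind after the database is gone.
mysqlDeleteDatabase = pkgs.writeShellScriptBin "mysql-delete-database" ''
  # writeShellScriptBin already supplies the bash shebang.
  # -e so a rejected statement stops the script before "Dropped database"
  # is reported; -u so typos in variable names fail loudly.
  set -eu

  if [ $# -lt 1 ]; then
    echo "Usage: $0 <database> [host]" >&2
    exit 1
  fi
  if [ "$EUID" -ne 0 ]; then
    echo "Must be root!" >&2
    exit 1
  fi

  DB="$1"
  HOST="%"
  if [ $# -ge 2 ]; then
    HOST="$2"
  fi

  # (The unused random PASSWORD generation of the original is removed.)
  # IF EXISTS keeps the command re-runnable: a second invocation on an
  # already-removed database/account is not an error.
  mysql --host localhost --user root <<EOF
  drop database if exists $DB;
  drop user if exists '$DB'@'$HOST';
  EOF

  echo
  echo "Dropped database $DB!"
  echo
'';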
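in {
  environment.systemPackages = [
    mysqlCreateDatabase
    mysqlDeleteDatabase
  ];

  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        max_allowed_packet = "64M";
        transaction_isolation = "READ-COMMITTED";
        binlog_format = "ROW";
        # Listen on loopback and on 10.42.98.10 only (presumably this host's
        # wg_cloonar address — confirm against the WireGuard config); the
        # server is not bound to any other interface.
        bind-address = "127.0.0.1,10.42.98.10";
      };
    };
  };

  # Allow MySQL access from WireGuard peers
  networking.firewall.interfaces."wg_cloonar".allowedTCPPorts = [ 3306 ];

  # Read-only MySQL user for openclaw-vm (via WireGuard)
  sops.secrets.openclaw-mysql-password = {};

  systemd.services.openclaw-mysql-init = {
    description = "Create openclaw MySQL user with read-only access to support_cloonar_dev";
    after = [ "mysql.service" ];
    requires = [ "mysql.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    # The SQL is fed to the client on stdin instead of `mysql -e "..."`:
    # with -e the secret became part of the process's argv, which other local
    # users can typically read from /proc/<pid>/cmdline for the duration of
    # the call. The statements are idempotent, so rerunning on each activation
    # keeps the account password in sync with the sops secret.
    # NOTE(review): the secret is still spliced into a single-quoted SQL
    # literal, so a value containing ' or \ would break the statement — keep
    # the stored secret free of those characters.
    # The account is granted only SELECT on support_cloonar_dev and only from
    # the 10.42.98.0/24 range, which the firewall rule above restricts to the
    # wg_cloonar interface.
    script = ''
      set -eu
      password=$(cat ${config.sops.secrets.openclaw-mysql-password.path})
      ${config.services.mysql.package}/bin/mysql <<EOF
      CREATE USER IF NOT EXISTS 'openclaw'@'10.42.98.%' IDENTIFIED BY '$password';
      ALTER USER 'openclaw'@'10.42.98.%' IDENTIFIED BY '$password';
      GRANT SELECT ON support_cloonar_dev.* TO 'openclaw'@'10.42.98.%';
      FLUSH PRIVILEGES;
      EOF
    '';
  };

  services.mysqlBackup.enable = true;
  # Only the `mysql` system database (accounts and grants) is backed up here.
  # support_cloonar_dev and anything created with mysql-create-database are
  # NOT covered unless added to this list — confirm that is intended.
  services.mysqlBackup.databases = [ "mysql" ];
}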