diff options
Diffstat (limited to 'nixos/modules/services/databases/foundationdb.nix')
-rw-r--r-- | nixos/modules/services/databases/foundationdb.nix | 61 |
1 files changed, 54 insertions, 7 deletions
diff --git a/nixos/modules/services/databases/foundationdb.nix b/nixos/modules/services/databases/foundationdb.nix index 22acddc8ca91..443cc6d5e456 100644 --- a/nixos/modules/services/databases/foundationdb.nix +++ b/nixos/modules/services/databases/foundationdb.nix @@ -35,6 +35,13 @@ let memory = ${cfg.memory} storage_memory = ${cfg.storageMemory} + ${optionalString (cfg.tls != null) '' + tls_plugin = ${pkgs.foundationdb}/libexec/plugins/FDBLibTLS.so + tls_certificate_file = ${cfg.tls.certificate} + tls_key_file = ${cfg.tls.key} + tls_verify_peers = ${cfg.tls.allowedPeers} + ''} + ${optionalString (cfg.locality.machineId != null) "locality_machineid=${cfg.locality.machineId}"} ${optionalString (cfg.locality.zoneId != null) "locality_zoneid=${cfg.locality.zoneId}"} ${optionalString (cfg.locality.datacenterId != null) "locality_dcid=${cfg.locality.datacenterId}"} @@ -188,6 +195,43 @@ in ''; }; + tls = mkOption { + default = null; + description = '' + FoundationDB Transport Security Layer (TLS) settings. + ''; + + type = types.nullOr (types.submodule ({ + options = { + certificate = mkOption { + type = types.str; + description = '' + Path to the TLS certificate file. This certificate will + be offered to, and may be verified by, clients. + ''; + }; + + key = mkOption { + type = types.str; + description = "Private key file for the certificate."; + }; + + allowedPeers = mkOption { + type = types.str; + default = "Check.Valid=1,Check.Unexpired=1"; + description = '' + "Peer verification string". This may be used to adjust which TLS + client certificates a server will accept, as a form of user + authorization; for example, it may only accept TLS clients who + offer a certificate abiding by some locality or organization name. + + For more information, please see the FoundationDB documentation. + ''; + }; + }; + })); + }; + locality = mkOption { default = { machineId = null; @@ -331,27 +375,30 @@ in touch ${cfg.pidfile} && \ chown -R ${cfg.user}:${cfg.group} ${cfg.pidfile} - for x in "${cfg.logDir}" "${cfg.dataDir}" /etc/foundationdb; do - [ ! -d "$x" ] && mkdir -m 0700 -vp "$x" && chown -R ${cfg.user}:${cfg.group} "$x"; + for x in "${cfg.logDir}" "${cfg.dataDir}"; do + [ ! -d "$x" ] && mkdir -m 0700 -vp "$x"; + chown -R ${cfg.user}:${cfg.group} "$x"; done + [ ! -d /etc/foundationdb ] && \ + mkdir -m 0775 -vp /etc/foundationdb && \ + chown -R ${cfg.user}:${cfg.group} "/etc/foundationdb" + if [ ! -f /etc/foundationdb/fdb.cluster ]; then cf=/etc/foundationdb/fdb.cluster desc=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8) rand=$(tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c8) echo ''${desc}:''${rand}@${initialIpAddr}:${builtins.toString cfg.listenPortStart} > $cf - chmod 0660 $cf && chown -R ${cfg.user}:${cfg.group} $cf + chmod 0664 $cf && chown -R ${cfg.user}:${cfg.group} $cf touch "${cfg.dataDir}/.first_startup" fi ''; - script = '' - exec fdbmonitor --lockfile ${cfg.pidfile} --conffile ${configFile}; - ''; + script = "exec fdbmonitor --lockfile ${cfg.pidfile} --conffile ${configFile}"; postStart = '' if [ -e "${cfg.dataDir}/.first_startup" ]; then - fdbcli --exec "configure new single ssd" + fdbcli --exec "configure new single memory" rm -f "${cfg.dataDir}/.first_startup"; fi ''; |