feat: init

modules/wiki-replica/mysql.nix

@@ -0,0 +1,106 @@
+{ config, pkgs, lib, ... }:
+{
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    dataDir = "/var/lib/mysql";
+
+    settings.mysqld = {
+      bind-address = "127.0.0.1";
+
+      # InnoDB (smaller for replica)
+      innodb_buffer_pool_size = "128M";
+      innodb_log_file_size = "64M";
+      innodb_flush_log_at_trx_commit = 2;
+      innodb_file_per_table = 1;
+
+      # GTID replication (replica)
+      server-id = 2;
+      read_only = 1;
+      relay_log = "relay-bin";
+      log_slave_updates = 1;
+      gtid_strict_mode = 1;
+
+      # Performance
+      max_connections = 50;
+      table_open_cache = 200;
+
+      # Character set
+      character-set-server = "binary";
+      collation-server = "binary";
+    };
+
+    # Do NOT use ensureDatabases or ensureUsers on the replica —
+    # they require writes, but read_only=1 blocks writes.
+    # The database, tables, and users arrive via replication from the primary.
+  };
+
+  # Node exporter (scraped by primary over Tailscale)
+  # Includes textfile collector for failover metrics
+  services.prometheus.exporters.node = {
+    enable = true;
+    port = 9100;
+    enabledCollectors = [
+      "cpu"
+      "diskstats"
+      "filesystem"
+      "loadavg"
+      "meminfo"
+      "netdev"
+      "stat"
+      "time"
+      "vmstat"
+      "systemd"
+      "textfile"
+    ];
+    extraFlags = [
+      "--collector.textfile.directory=/var/lib/prometheus-node-exporter/textfile"
+    ];
+  };
+
+  # mysqld exporter (scraped by primary over Tailscale for replication metrics)
+  # Key metrics: mysql_slave_status_seconds_behind_master,
+  # mysql_slave_status_slave_io_running, mysql_slave_status_slave_sql_running,
+  # mysql_global_status_queries (read-only query volume)
+  services.prometheus.exporters.mysqld = {
+    enable = true;
+    port = 9104;
+    runAsLocalSuperUser = true;
+  };
+
+  # Memcached exporter (scraped by primary over Tailscale)
+  # Key metrics: hit ratio, evictions, memory usage
+  services.prometheus.exporters.memcached = {
+    enable = true;
+    port = 9150;
+    extraFlags = [ "--memcached.address=localhost:11211" ];
+  };
+
+  # Helper script to initialize replication (run once after provisioning)
+  environment.systemPackages = [
+    (pkgs.writeShellScriptBin "init-replication" ''
+      set -euo pipefail
+      REPL_PASS=$(cat ${config.age.secrets.mysql-replication.path})
+      echo "Configuring GTID-based replication from wiki (primary)..."
+      ${pkgs.mariadb}/bin/mysql -u root <<SQL
+        SET GLOBAL read_only = 0;
+        STOP SLAVE;
+        CHANGE MASTER TO
+          MASTER_HOST='wiki',
+          MASTER_USER='repl',
+          MASTER_PASSWORD='$REPL_PASS',
+          MASTER_USE_GTID=slave_pos;
+        START SLAVE;
+        SET GLOBAL read_only = 1;
+        SHOW SLAVE STATUS\G
+      SQL
+      echo "Replication initialized. Check SHOW SLAVE STATUS for errors."
+    '')
+  ];
+
+  age.secrets.mysql-replication = {
+    file = ../../secrets/mysql-replication.age;
+    owner = "mysql";
+    group = "mysql";
+  };
+}