X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fdefault.nix;h=01a130cf996dab83fa96d3b6cd9ec9cc9131151b;hb=4ff905632320a55e0c69500891642d98a00245e2;hp=1940b62b7f71bd6682e69b3529c9a74bc4b386f6;hpb=1bb448839addbb1d66ee81141d21d08b1e925faf;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix index 1940b62..01a130c 100644 --- a/nixops/modules/databases/default.nix +++ b/nixops/modules/databases/default.nix @@ -2,272 +2,13 @@ let cfg = config.services.myDatabases; in { + imports = [ + ./mysql.nix + ./openldap.nix + ./postgresql.nix + ./redis.nix + ]; options.services.myDatabases = { enable = lib.mkEnableOption "my databases service"; - postgresql = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable postgresql database"; - type = lib.types.bool; - }; - }; - - mariadb = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable mariadb database"; - type = lib.types.bool; - }; - }; - - redis = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable redis database"; - type = lib.types.bool; - }; - }; - - ldap = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable ldap"; - type = lib.types.bool; - }; - }; - }; - - config = lib.mkIf cfg.enable { - nixpkgs.config.packageOverrides = oldpkgs: rec { - postgresql = postgresql111; - postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec { - passthru = old.passthru // { psqlSchema = "11.0"; }; - name = "postgresql-11.1"; - src = pkgs.fetchurl { - url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; - sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; - }; - configureFlags = old.configureFlags ++ [ "--with-pam" ]; - buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ]; - patches = old.patches ++ [ - ./postgresql_run_socket_path.patch - ]; - }); - mariadb = mariadbPAM; - mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec { - cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; - buildInputs = old.buildInputs ++ [ pkgs.pam ]; - }); - }; - - networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ]; - - # for adminer, ssl is implemented with mysqli only, which is - # currently disabled because it’s not compatible with pam. - # Thus we need to generate two users for each 'remote': one remote - # with SSL, and one localhost without SSL. - # User identified by LDAP: - # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; - # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; - services.mysql = rec { - enable = cfg.mariadb.enable; - package = pkgs.mariadb; - extraOptions = '' - ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ssl_key = /var/lib/acme/mysql/key.pem - ssl_cert = /var/lib/acme/mysql/fullchain.pem - ''; - }; - - security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { - user = "postgres"; - group = "postgres"; - plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; - domain = "db-1.immae.eu"; - postRun = '' - systemctl reload postgresql.service - ''; - }; - - security.acme.certs."mysql" = config.services.myCertificates.certConfig // { - user = "mysql"; - group = "mysql"; - plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; - domain = "db-1.immae.eu"; - postRun = '' - systemctl restart mysql.service - ''; - }; - - security.acme.certs."ldap" = config.services.myCertificates.certConfig // { - user = "openldap"; - group = "openldap"; - plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ]; - domain = "ldap.immae.eu"; - postRun = '' - systemctl restart openldap.service - ''; - }; - - system.activationScripts.postgresql = '' - install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} - ''; - - services.postgresql = rec { - enable = cfg.postgresql.enable; - package = pkgs.postgresql; - enableTCPIP = true; - extraConfig = '' - max_connections = 100 - wal_level = logical - shared_buffers = 512MB - work_mem = 10MB - max_wal_size = 1GB - min_wal_size = 80MB - log_timezone = 'Europe/Paris' - datestyle = 'iso, mdy' - timezone = 'Europe/Paris' - lc_messages = 'en_US.UTF-8' - lc_monetary = 'en_US.UTF-8' - lc_numeric = 'en_US.UTF-8' - lc_time = 'en_US.UTF-8' - default_text_search_config = 'pg_catalog.english' - ssl = on - ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem' - ssl_key_file = '/var/lib/acme/postgresql/key.pem' - ''; - authentication = '' - local all postgres ident - local all all md5 - hostssl all all 188.165.209.148/32 md5 - hostssl all all 178.33.252.96/32 md5 - hostssl all all all pam - hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication - hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication - ''; - }; - - security.pam.services = let - pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; - pam_ldap_mysql = with myconfig.env.databases.mysql.pam; - pkgs.writeText "mysql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${dn} - bindpw ${password} - pam_filter ${filter} - ssl start_tls - ''; - pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; - pkgs.writeText "postgresql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${dn} - bindpw ${password} - pam_filter ${filter} - ssl start_tls - ''; - pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${myconfig.env.ldap.host_dn} - bindpw ${myconfig.env.ldap.password} - pam_login_attribute cn - ssl start_tls - ''; - in [ - { - name = "mysql"; - text = '' - # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap} config=${pam_ldap_mysql} - account required ${pam_ldap} config=${pam_ldap_mysql} - ''; - } - { - name = "postgresql"; - text = '' - auth required ${pam_ldap} config=${pam_ldap_postgresql} - account required ${pam_ldap} config=${pam_ldap_postgresql} - ''; - } - { - name = "postgresql_replication"; - text = '' - auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} - account required ${pam_ldap} config=${pam_ldap_postgresql_replication} - ''; - } - ]; - - ids.uids.redis = myconfig.env.users.redis.uid; - ids.gids.redis = myconfig.env.users.redis.gid; - users.users.redis.uid = config.ids.uids.redis; - users.groups.redis.gid = config.ids.gids.redis; - services.redis = rec { - enable = config.services.myDatabases.redis.enable; - bind = "127.0.0.1"; - unixSocket = myconfig.env.databases.redis.socket; - extraConfig = '' - unixsocketperm 777 - maxclients 1024 - ''; - }; - system.activationScripts.redis = '' - mkdir -p $(dirname ${myconfig.env.databases.redis.socket}) - chown redis $(dirname ${myconfig.env.databases.redis.socket}) - ''; - - services.openldap = let - kerberosSchema = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; - sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; - }; - puppetSchema = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; - sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; - }; - in { - enable = config.services.myDatabases.ldap.enable; - dataDir = "/var/lib/openldap"; - urlList = [ "ldap://" "ldaps://" ]; - extraConfig = '' - include ${pkgs.openldap}/etc/schema/core.schema - include ${pkgs.openldap}/etc/schema/cosine.schema - include ${pkgs.openldap}/etc/schema/inetorgperson.schema - include ${pkgs.openldap}/etc/schema/nis.schema - include ${puppetSchema} - include ${kerberosSchema} - include ${./immae.schema} - - pidfile /run/slapd/slapd.pid - argsfile /run/slapd/slapd.args - - moduleload back_hdb - backend hdb - - moduleload memberof - database hdb - suffix "${myconfig.env.ldap.base}" - rootdn "${myconfig.env.ldap.root_dn}" - rootpw ${myconfig.env.ldap.root_pw} - directory /var/lib/openldap - overlay memberof - - TLSCertificateFile /var/lib/acme/ldap/cert.pem - TLSCertificateKeyFile /var/lib/acme/ldap/key.pem - TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem - TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ - #This makes openldap crash - #TLSCipherSuite DEFAULT - - sasl-host kerberos.immae.eu - ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"} - ''; - }; }; }