X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fdefault.nix;h=1940b62b7f71bd6682e69b3529c9a74bc4b386f6;hb=1bb448839addbb1d66ee81141d21d08b1e925faf;hp=94d8d75ededd5c134c58fd75c56a2d2a585b56f6;hpb=01f21083a897b86bf148f1d2bb9c8edca4d3786a;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix
index 94d8d75..1940b62 100644
--- a/nixops/modules/databases/default.nix
+++ b/nixops/modules/databases/default.nix
@@ -30,6 +30,15 @@ in {
         type = lib.types.bool;
       };
     };
+
+    ldap = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable ldap";
+        type = lib.types.bool;
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -55,11 +64,23 @@ in {
       });
     };
 
-    networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+    networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ];
 
+    # for adminer, ssl is implemented with mysqli only, which is
+    # currently disabled because it’s not compatible with pam.
+    # Thus we need to generate two users for each 'remote': one remote
+    # with SSL, and one localhost without SSL.
+    # User identified by LDAP:
+    # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+    # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
     services.mysql = rec {
       enable = cfg.mariadb.enable;
       package = pkgs.mariadb;
+      extraOptions = ''
+        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+        ssl_key = /var/lib/acme/mysql/key.pem
+        ssl_cert = /var/lib/acme/mysql/fullchain.pem
+        '';
     };
 
     security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
@@ -72,6 +93,26 @@ in {
       '';
     };
 
+    security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+      user = "mysql";
+      group = "mysql";
+      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+      domain = "db-1.immae.eu";
+      postRun = ''
+        systemctl restart mysql.service
+      '';
+    };
+
+    security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
+      user = "openldap";
+      group = "openldap";
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      domain = "ldap.immae.eu";
+      postRun = ''
+        systemctl restart openldap.service
+      '';
+    };
+
     system.activationScripts.postgresql = ''
       install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
       '';
@@ -83,7 +124,8 @@ in {
       extraConfig = ''
         max_connections = 100
         wal_level = logical
-        shared_buffers = 128MB
+        shared_buffers = 512MB
+        work_mem = 10MB
         max_wal_size = 1GB
         min_wal_size = 80MB
         log_timezone = 'Europe/Paris'
@@ -101,10 +143,9 @@ in {
       authentication = ''
         local	all	postgres				ident
         local	all	all					md5
-        hostssl	all	all		samehost		md5
-        hostssl	all	all		178.33.252.96/32	md5
-        hostssl	all	all		188.165.209.148/32	md5
-        hostssl	all	all		all			pam
+        hostssl	all	all	188.165.209.148/32		md5
+        hostssl	all	all	178.33.252.96/32		md5
+        hostssl	all	all	all				pam
         hostssl	replication	backup-1	2001:41d0:302:1100::9:e5a9/128	pam pamservice=postgresql_replication
         hostssl	replication	backup-1	54.37.151.137/32		pam pamservice=postgresql_replication
       '';
@@ -112,21 +153,31 @@ in {
 
     security.pam.services = let
       pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-      pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+      pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
+        pkgs.writeText "mysql.conf" ''
         host ${myconfig.env.ldap.host}
         base ${myconfig.env.ldap.base}
-        binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-        bindpw ${myconfig.env.databases.mysql.pam_password}
+        binddn ${dn}
+        bindpw ${password}
+        pam_filter ${filter}
+        ssl start_tls
+        '';
+      pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
+        pkgs.writeText "postgresql.conf" ''
+        host ${myconfig.env.ldap.host}
+        base ${myconfig.env.ldap.base}
+        binddn ${dn}
+        bindpw ${password}
+        pam_filter ${filter}
         ssl start_tls
-        pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
         '';
       pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
         host ${myconfig.env.ldap.host}
         base ${myconfig.env.ldap.base}
         binddn ${myconfig.env.ldap.host_dn}
         bindpw ${myconfig.env.ldap.password}
-        ssl start_tls
         pam_login_attribute cn
+        ssl start_tls
         '';
     in [
       {
@@ -140,8 +191,8 @@ in {
       {
         name = "postgresql";
         text = ''
-          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql}
+          account required ${pam_ldap} config=${pam_ldap_postgresql}
           '';
       }
       {
@@ -153,6 +204,10 @@ in {
       }
     ];
 
+    ids.uids.redis = myconfig.env.users.redis.uid;
+    ids.gids.redis = myconfig.env.users.redis.gid;
+    users.users.redis.uid = config.ids.uids.redis;
+    users.groups.redis.gid = config.ids.gids.redis;
     services.redis = rec {
       enable = config.services.myDatabases.redis.enable;
       bind = "127.0.0.1";
@@ -166,5 +221,53 @@ in {
       mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
       chown redis $(dirname ${myconfig.env.databases.redis.socket})
     '';
+
+    services.openldap = let
+      kerberosSchema = pkgs.fetchurl {
+        url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+        sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+      };
+      puppetSchema = pkgs.fetchurl {
+        url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+        sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+      };
+    in {
+      enable = config.services.myDatabases.ldap.enable;
+      dataDir = "/var/lib/openldap";
+      urlList = [ "ldap://" "ldaps://" ];
+      extraConfig = ''
+        include         ${pkgs.openldap}/etc/schema/core.schema
+        include         ${pkgs.openldap}/etc/schema/cosine.schema
+        include         ${pkgs.openldap}/etc/schema/inetorgperson.schema
+        include         ${pkgs.openldap}/etc/schema/nis.schema
+        include         ${puppetSchema}
+        include         ${kerberosSchema}
+        include         ${./immae.schema}
+
+        pidfile         /run/slapd/slapd.pid
+        argsfile        /run/slapd/slapd.args
+
+        moduleload      back_hdb
+        backend         hdb
+
+        moduleload      memberof
+        database        hdb
+        suffix          "${myconfig.env.ldap.base}"
+        rootdn          "${myconfig.env.ldap.root_dn}"
+        rootpw          ${myconfig.env.ldap.root_pw}
+        directory       /var/lib/openldap
+        overlay         memberof
+
+        TLSCertificateFile    /var/lib/acme/ldap/cert.pem
+        TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+        TLSCACertificateFile  /var/lib/acme/ldap/fullchain.pem
+        TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
+        #This makes openldap crash
+        #TLSCipherSuite        DEFAULT
+
+        sasl-host kerberos.immae.eu
+        ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+        '';
+    };
   };
 }