X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fdatabases%2Fpostgresql.nix;fp=nixops%2Fmodules%2Fdatabases%2Fpostgresql.nix;h=7e2f4e665fc861a3570b15b9e38f95e4b3c095c7;hb=e1da84b06c408ea5d4d093de39efdda71ad6dc95;hp=673ced872b23d0dc2a51248d1e613ac06f2dc2cf;hpb=cd85801d01ddadbe00f26f4f257621ee1cd81e4b;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
index 673ced8..7e2f4e6 100644
--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -42,6 +42,7 @@ in {
 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
 '';
+ systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
 services.postgresql = rec {
 enable = cfg.postgresql.enable;
 package = pkgs.postgresql;
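Review bot: Putting the postgres service into the `keys` group lets it traverse `/run/keys`, but nothing orders `postgresql.service` after the NixOps key units, and `/run/keys` is a tmpfs that stays empty after a reboot until `nixops send-keys` runs; until then pam_ldap's `config=` file does not exist and LDAP logins will presumably be refused. Add `systemd.services.postgresql.after = [ "postgresql-pam-key.service" "postgresql-pam_replication-key.service" ];` together with the same list in `wants` (or depend on `keys.target`) so the service waits for the keys to be present. The enclosing module attribute set (`in {`) starts and ends outside the hunk.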
@@ -76,38 +77,52 @@ in {
 '';
 };
- security.pam.services = let
- pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
- pkgs.writeText "postgresql.conf" ''
- host ${myconfig.env.ldap.host}
- base ${myconfig.env.ldap.base}
- binddn ${dn}
- bindpw ${password}
- pam_filter ${filter}
- ssl start_tls
+ deployment.keys = {
+ postgresql-pam = {
+ destDir = "/run/keys/postgresql";
+ permissions = "0400";
+ group = "postgres";
+ user = "postgres";
+ text = with myconfig.env.databases.postgresql.pam; ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
+ ssl start_tls
 '';
- pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
- host ${myconfig.env.ldap.host}
- base ${myconfig.env.ldap.base}
- binddn ${myconfig.env.ldap.host_dn}
- bindpw ${myconfig.env.ldap.password}
- pam_login_attribute cn
- ssl start_tls
+ };
+ postgresql-pam_replication = {
+ destDir = "/run/keys/postgresql";
+ permissions = "0400";
+ group = "postgres";
+ user = "postgres";
+ text = ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${myconfig.env.ldap.host_dn}
+ bindpw ${myconfig.env.ldap.password}
+ pam_login_attribute cn
+ ssl start_tls
 '';
+ };
+ };
+
+ security.pam.services = let
+ pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
 in [
 {
 name = "postgresql";
 text = ''
- auth required ${pam_ldap} config=${pam_ldap_postgresql}
- account required ${pam_ldap} config=${pam_ldap_postgresql}
+ auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
+ account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
 '';
 }
 {
 name = "postgresql_replication";
 text = ''
- auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
+ account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
 '';
 }
 ];
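Review bot: The key path `/run/keys/postgresql/postgresql-pam` (and its `_replication` sibling) is now repeated as a bare string literal in each `auth`/`account` line while `destDir` and the key name are declared separately above; if either is renamed the PAM entries silently point at a missing file and LDAP authentication stops working with no evaluation-time error. Derive the path from the key definition instead, e.g. `config=${config.deployment.keys.postgresql-pam.path}` if the installed NixOps exposes the read-only `path` option, otherwise bind the directory to a `let` variable shared by `destDir` and the PAM lines. A one-line comment above `deployment.keys` would also preserve the reason for leaving `pkgs.writeText`, e.g. `# bindpw must not land in the world-readable Nix store; deploy it as a 0400 postgres-owned runtime key instead`. Whether NixOps creates the custom `destDir` with permissions that keep it readable only by postgres is not visible here and is worth confirming on the host. The enclosing module attribute set (`in {`) starts outside the hunk.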