Move databases configs to modules
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Thu, 16 May 2019 22:49:27 +0000 (00:49 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Thu, 16 May 2019 23:31:05 +0000 (01:31 +0200)
13 files changed:
modules/myids.nix
modules/private/databases/default.nix [new file with mode: 0644]
modules/private/databases/mariadb.nix [moved from nixops/modules/databases/mysql.nix with 66% similarity]
modules/private/databases/openldap/default.nix [new file with mode: 0644]
modules/private/databases/openldap/immae.schema [moved from nixops/modules/databases/immae.schema with 100% similarity]
modules/private/databases/postgresql.nix [moved from nixops/modules/databases/postgresql.nix with 68% similarity]
modules/private/databases/redis.nix [new file with mode: 0644]
modules/private/default.nix
nixops/eldiron.nix
nixops/modules/certificates.nix
nixops/modules/databases/default.nix [deleted file]
nixops/modules/databases/openldap.nix [deleted file]
nixops/modules/databases/redis.nix [deleted file]

index 17270afce035ac3a9006aea440f51be9d9f56011..4fb26269a11dfb98767498edaa53c316b438f72b 100644 (file)
@@ -4,6 +4,7 @@
   config = {
     ids.uids = {
       peertube = 394;
+      redis = 395;
       nullmailer = 396;
       mediagoblin = 397;
       diaspora = 398;
@@ -11,6 +12,7 @@
     };
     ids.gids = {
       peertube = 394;
+      redis = 395;
       nullmailer = 396;
       mediagoblin = 397;
       diaspora = 398;
diff --git a/modules/private/databases/default.nix b/modules/private/databases/default.nix
new file mode 100644 (file)
index 0000000..78d91dc
--- /dev/null
@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+let
+  cfg = config.myServices.databases;
+in
+{
+  options.myServices = {
+    databases.enable = lib.mkEnableOption "my databases service";
+    databasesCerts = lib.mkOption {
+      description = "Default databases configurations for certificates as accepted by acme";
+    };
+  };
+  config.myServices.databases = lib.mkIf cfg.enable {
+    mariadb.enable = true;
+    openldap.enable = true;
+    postgresql.enable = true;
+    redis.enable = true;
+  };
+}
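Review bot: `databasesCerts` is declared with only a `description` and no `type`, so the module system will accept any value for it and cannot merge or validate definitions; every consumer in this commit (mariadb.nix, openldap/default.nix, postgresql.nix) applies `//` to it, so an attribute set is what is expected. Suggest `type = lib.types.attrs;` next to the description. Since nothing in this repository appears to define a default, an unset value would surface only as an evaluation error at the first `//`, which is worth mentioning in the description as well.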
similarity index 66%
rename from nixops/modules/databases/mysql.nix
rename to modules/private/databases/mariadb.nix
index 6739aaa401f23bee97179d2acb9cfc9466a61847..21f4359957f8be4225f070d5bd52f8a2e4c57a7b 100644 (file)
@@ -1,8 +1,8 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-    cfg = config.services.myDatabases;
+    cfg = config.myServices.databases.mariadb;
 in {
-  options.services.myDatabases = {
+  options.myServices.databases = {
     mariadb = {
       enable = lib.mkOption {
         default = cfg.enable;
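Review bot: With `cfg` rebound to `config.myServices.databases.mariadb`, the unchanged context line `default = cfg.enable;` now makes the `enable` option default to its own value; as far as I can tell this produces an infinite-recursion error whenever `myServices.databases.enable` is false, because the `mkIf` in databases/default.nix then contributes no definition and the default is consulted. Before the move `cfg.enable` referred to the parent `services.myDatabases.enable`, which is the intent. Suggest `default = config.myServices.databases.enable;` (or plainly `default = false;`). The same self-referential default is present in postgresql.nix, openldap/default.nix and redis.nix, whose `enable` options also default to their own `cfg.enable`. The `enable` option body continues past the end of this hunk.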
@@ -10,6 +10,31 @@ in {
         description = "Whether to enable mariadb database";
         type = lib.types.bool;
       };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/mysql";
+        description = ''
+          The directory where Mariadb stores its data.
+        '';
+      };
+      # Output variables
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/mysqld";
+        description = ''
+          The directory where Mariadb puts sockets.
+          '';
+      };
+      sockets = lib.mkOption {
+        type = lib.types.attrsOf lib.types.path;
+        default = {
+          mysqld  = "${cfg.socketsDir}/mysqld.sock";
+        };
+        readOnly = true;
+        description = ''
+          Mariadb sockets
+          '';
+      };
     };
   };
 
@@ -23,9 +48,10 @@ in {
     # User identified by LDAP:
     # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
     # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
-    services.mysql = rec {
-      enable = cfg.mariadb.enable;
+    services.mysql = {
+      enable = true;
       package = pkgs.mariadb;
+      dataDir = cfg.dataDir;
       extraOptions = ''
         ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
         ssl_key = /var/lib/acme/mysql/key.pem
@@ -34,7 +60,7 @@ in {
     };
 
     users.users.mysql.extraGroups = [ "keys" ];
-    security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+    security.acme.certs."mysql" = config.myServices.databasesCerts // {
       user = "mysql";
       group = "mysql";
       plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
@@ -76,7 +102,7 @@ in {
       enable = true;
       systemCronJobs = [
         ''
-          30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
+          30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
         ''
       ];
     };
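Review bot: The `mysqldump --all-databases` output is created by a plain shell redirect, so `${cfg.dataDir}/backup.sql` gets root's umask rather than the data directory's restrictive mode; I cannot see the umask from here, but with the common 022 a dump of every database, including the `mysql.user` table with its password hashes, would be world-readable on disk. Prefixing the command with `umask 077; ` keeps the dump owner-only, e.g. `30 1,13 * * * root umask 077; ${pkgs.mariadb}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql`. This line pre-dates the commit but is rewritten here, so it is a reasonable place to address it.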
@@ -88,8 +114,8 @@ in {
         name = "mysql";
         text = ''
           # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap} config=/var/secrets/mysql/pam
-          account required ${pam_ldap} config=/var/secrets/mysql/pam
+          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
           '';
       }
     ];
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
new file mode 100644 (file)
index 0000000..850f3ff
--- /dev/null
@@ -0,0 +1,130 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.databases.openldap;
+  ldapConfig = let
+    kerberosSchema = pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+      sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+    };
+    puppetSchema = pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+      sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+    };
+  in ''
+    include         ${pkgs.openldap}/etc/schema/core.schema
+    include         ${pkgs.openldap}/etc/schema/cosine.schema
+    include         ${pkgs.openldap}/etc/schema/inetorgperson.schema
+    include         ${pkgs.openldap}/etc/schema/nis.schema
+    include         ${puppetSchema}
+    include         ${kerberosSchema}
+    include         ${./immae.schema}
+
+    pidfile         ${cfg.pids.pid}
+    argsfile        ${cfg.pids.args}
+
+    moduleload      back_hdb
+    backend         hdb
+
+    moduleload      memberof
+    database        hdb
+    suffix          "${myconfig.env.ldap.base}"
+    rootdn          "${myconfig.env.ldap.root_dn}"
+    include         ${config.secrets.location}/ldap/password
+    directory       ${cfg.dataDir}
+    overlay         memberof
+
+    TLSCertificateFile    /var/lib/acme/ldap/cert.pem
+    TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+    TLSCACertificateFile  /var/lib/acme/ldap/fullchain.pem
+    TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
+    #This makes openldap crash
+    #TLSCipherSuite        DEFAULT
+
+    sasl-host kerberos.immae.eu
+    include ${config.secrets.location}/ldap/access
+    '';
+in
+{
+  options.myServices.databases = {
+    openldap = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable ldap";
+        type = lib.types.bool;
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/openldap";
+        description = ''
+          The directory where Openldap stores its data.
+        '';
+      };
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/slapd";
+        description = ''
+          The directory where Openldap puts sockets and pid files.
+          '';
+      };
+      # Output variables
+      pids = lib.mkOption {
+        type = lib.types.attrsOf lib.types.path;
+        default = {
+          pid  = "${cfg.socketsDir}/slapd.pid";
+          args = "${cfg.socketsDir}/slapd.args";
+        };
+        readOnly = true;
+        description = ''
+          Slapd pid files
+          '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [
+       {
+        dest = "ldap/password";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = "rootpw          ${myconfig.env.ldap.root_pw}";
+      }
+      {
+        dest = "ldap/access ";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+      }
+    ];
+    users.users.openldap.extraGroups = [ "keys" ];
+    networking.firewall.allowedTCPPorts = [ 636 389 ];
+
+    services.cron = {
+      systemCronJobs = [
+        ''
+          35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
+        ''
+      ];
+    };
+
+    security.acme.certs."ldap" = config.myServices.databasesCerts // {
+      user = "openldap";
+      group = "openldap";
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      domain = "ldap.immae.eu";
+      postRun = ''
+        systemctl restart openldap.service
+      '';
+    };
+
+    services.openldap = {
+      enable = true;
+      dataDir = cfg.dataDir;
+      urlList = [ "ldap://" "ldaps://" ];
+      extraConfig = ldapConfig;
+    };
+  };
+}
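Review bot: `dest = "ldap/access ";` carries a trailing space, while the generated slapd config includes `${config.secrets.location}/ldap/access` without one; unless the secrets module trims its names, the deployed file and the included path will not match and slapd will fail to load its access rules. Suggest `dest = "ldap/access";`. The mismatch is carried over from the deleted nixops/modules/databases/openldap.nix rather than introduced by this move, but the file is rewritten wholesale here.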
similarity index 68%
rename from nixops/modules/databases/postgresql.nix
rename to modules/private/databases/postgresql.nix
index de0820f238ef1559145c3e64ad0e14858a318ca2..26242a8e02a2a25b00c321f3dae922ea5c7d0159 100644 (file)
@@ -1,8 +1,8 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-    cfg = config.services.myDatabases;
+    cfg = config.myServices.databases.postgresql;
 in {
-  options.services.myDatabases = {
+  options.myServices.databases = {
     postgresql = {
       enable = lib.mkOption {
         default = cfg.enable;
@@ -10,6 +10,25 @@ in {
         description = "Whether to enable postgresql database";
         type = lib.types.bool;
       };
+      # Output variables
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/postgresql";
+        description = ''
+          The directory where Postgresql puts sockets.
+          '';
+        readOnly = true;
+      };
+      systemdRuntimeDirectory = lib.mkOption {
+        type = lib.types.str;
+        # Use ReadWritePaths= instead if socketsDir is outside of /run
+        default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+          lib.strings.removePrefix "/run/" cfg.socketsDir;
+        description = ''
+        Adjusted Postgresql sockets directory for systemd
+        '';
+        readOnly = true;
+      };
     };
   };
 
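Review bot: `socketsDir` is declared `readOnly = true` here, unlike the same option in mariadb.nix and redis.nix where it is user-settable, so the `assert lib.strings.hasPrefix "/run/"` guarding the derived `systemdRuntimeDirectory` can never fail; either drop `readOnly` for consistency with the sibling modules or drop the assert. If the option is meant to stay settable, a bare `assert` only reports "assertion failed" without naming the option; `lib.assertMsg` gives the reader the reason: `default = assert lib.assertMsg (lib.strings.hasPrefix "/run/" cfg.socketsDir) "postgresql socketsDir must be under /run/ for RuntimeDirectory=";`. The `# Output variables` comment also sits above `socketsDir` here, whereas in mariadb.nix it marks the derived `sockets` option.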
@@ -20,7 +39,7 @@ in {
 
     networking.firewall.allowedTCPPorts = [ 5432 ];
 
-    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
+    security.acme.certs."postgresql" = config.myServices.databasesCerts // {
       user = "postgres";
       group = "postgres";
       plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
@@ -30,10 +49,12 @@ in {
       '';
     };
 
-    systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
-    systemd.services.postgresql.serviceConfig.RuntimeDirectory = "postgresql";
+    systemd.services.postgresql.serviceConfig = {
+      SupplementaryGroups = "keys";
+      RuntimeDirectory = cfg.systemdRuntimeDirectory;
+    };
     services.postgresql = rec {
-      enable = cfg.postgresql.enable;
+      enable = true;
       package = pkgs.postgresql;
       enableTCPIP = true;
       extraConfig = ''
@@ -103,15 +124,15 @@ in {
       {
         name = "postgresql";
         text = ''
-          auth    required ${pam_ldap} config=/var/secrets/postgresql/pam
-          account required ${pam_ldap} config=/var/secrets/postgresql/pam
+          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
           '';
       }
       {
         name = "postgresql_replication";
         text = ''
-          auth    required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
-          account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
+          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
           '';
       }
     ];
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
new file mode 100644 (file)
index 0000000..a1c2c75
--- /dev/null
@@ -0,0 +1,57 @@
+{ lib, config, myconfig,  ... }:
+let
+    cfg = config.myServices.databases.redis;
+in {
+  options.myServices.databases.redis = {
+    enable = lib.mkOption {
+      default = cfg.enable;
+      example = true;
+      description = "Whether to enable redis database";
+      type = lib.types.bool;
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/redis";
+      description = ''
+        The directory where Redis puts sockets.
+        '';
+    };
+    # Output variables
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted redis sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        redis  = "${cfg.socketsDir}/redis.sock";
+      };
+      readOnly = true;
+      description = ''
+        Redis sockets
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.redis.uid = config.ids.uids.redis;
+    users.groups.redis.gid = config.ids.gids.redis;
+    services.redis = rec {
+      enable = true;
+      bind = "127.0.0.1";
+      unixSocket = cfg.sockets.redis;
+      extraConfig = ''
+        unixsocketperm 777
+        maxclients 1024
+        '';
+    };
+    systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+  };
+}
+
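Review bot: `unixsocketperm 777` makes `${cfg.socketsDir}/redis.sock` readable and writable by every local account, and no authentication directive is visible in this file, so any local user or compromised service could read and modify every key. Now that `sockets.redis` is exported as an option for consumers, a tighter mode is practical: `unixsocketperm 770` together with adding the consuming services' users to the `redis` group declared just above. The `rec` on `services.redis = rec {` is also unused, since no attribute in that set refers to a sibling, and the file ends with an extra empty line.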
index 394a85b6b6a056617fc53b5c297ed3a53bf25569..a7a23c220475cc66821c542a19cbe3465b27b724 100644 (file)
@@ -3,4 +3,10 @@
   httpdInte  = import ../websites/httpd-service-builder.nix { httpdName = "Inte"; withUsers = false; };
   httpdProd  = import ../websites/httpd-service-builder.nix { httpdName = "Prod"; withUsers = false; };
   httpdTools = import ../websites/httpd-service-builder.nix { httpdName = "Tools"; withUsers = true; };
+
+  databases  = ./databases;
+  mariadb    = ./databases/mariadb.nix;
+  openldap   = ./databases/openldap;
+  postgresql = ./databases/postgresql.nix;
+  redis      = ./databases/redis.nix;
 }
index 35ce1812308f6767e6de0e23bacd920c5f2de220..37f901e5e39855b63d3da7167c04e3914b03604d 100644 (file)
@@ -35,7 +35,6 @@
       ./modules/ssh
       ./modules/certificates.nix
       ./modules/gitolite
-      ./modules/databases
       ./modules/mpd.nix
       ./modules/websites
       ./modules/mail.nix
@@ -46,8 +45,8 @@
       ./modules/buildbot
       ./modules/dns.nix
     ] ++ (builtins.attrValues (import ../modules));
+    myServices.databases.enable = true;
     services.myGitolite.enable = true;
-    services.myDatabases.enable = true;
     services.pure-ftpd.enable = true;
     services.irc.enable = true;
     services.pub.enable = true;
index d648ff765a6642e6979d4dbd8dfd52c434e1a66d..9a9974e261d20c39aae804ee345c2636a296ed4a 100644 (file)
@@ -16,6 +16,7 @@
 
   config = {
     services.websitesCerts = config.services.myCertificates.certConfig;
+    myServices.databasesCerts = config.services.myCertificates.certConfig;
 
     security.acme.preliminarySelfsigned = true;
 
diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix
deleted file mode 100644 (file)
index be549b1..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-    cfg = config.services.myDatabases;
-in {
-  imports = [
-    ./mysql.nix
-    ./openldap.nix
-    ./postgresql.nix
-    ./redis.nix
-  ];
-  options.services.myDatabases = {
-    enable = lib.mkEnableOption "my databases service";
-  };
-}
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
deleted file mode 100644 (file)
index ff97fb3..0000000
+++ /dev/null
@@ -1,104 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-    cfg = config.services.myDatabases;
-    ldapConfig = let
-      kerberosSchema = pkgs.fetchurl {
-        url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
-        sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
-      };
-      puppetSchema = pkgs.fetchurl {
-        url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
-        sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
-      };
-    in ''
-      include         ${pkgs.openldap}/etc/schema/core.schema
-      include         ${pkgs.openldap}/etc/schema/cosine.schema
-      include         ${pkgs.openldap}/etc/schema/inetorgperson.schema
-      include         ${pkgs.openldap}/etc/schema/nis.schema
-      include         ${puppetSchema}
-      include         ${kerberosSchema}
-      include         ${./immae.schema}
-
-      pidfile         /run/slapd/slapd.pid
-      argsfile        /run/slapd/slapd.args
-
-      moduleload      back_hdb
-      backend         hdb
-
-      moduleload      memberof
-      database        hdb
-      suffix          "${myconfig.env.ldap.base}"
-      rootdn          "${myconfig.env.ldap.root_dn}"
-      include         /var/secrets/ldap/password
-      directory       /var/lib/openldap
-      overlay         memberof
-
-      TLSCertificateFile    /var/lib/acme/ldap/cert.pem
-      TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
-      TLSCACertificateFile  /var/lib/acme/ldap/fullchain.pem
-      TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
-      #This makes openldap crash
-      #TLSCipherSuite        DEFAULT
-
-      sasl-host kerberos.immae.eu
-      include /var/secrets/ldap/access
-      '';
-in {
-  options.services.myDatabases = {
-    ldap = {
-      enable = lib.mkOption {
-        default = cfg.enable;
-        example = true;
-        description = "Whether to enable ldap";
-        type = lib.types.bool;
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    secrets.keys = [
-       {
-        dest = "ldap/password";
-        permissions = "0400";
-        user = "openldap";
-        group = "openldap";
-        text = "rootpw          ${myconfig.env.ldap.root_pw}";
-      }
-      {
-        dest = "ldap/access ";
-        permissions = "0400";
-        user = "openldap";
-        group = "openldap";
-        text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
-      }
-    ];
-    users.users.openldap.extraGroups = [ "keys" ];
-    networking.firewall.allowedTCPPorts = [ 636 389 ];
-
-    services.cron = {
-      systemCronJobs = [
-        ''
-          35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
-        ''
-      ];
-    };
-
-    security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
-      user = "openldap";
-      group = "openldap";
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
-      domain = "ldap.immae.eu";
-      postRun = ''
-        systemctl restart openldap.service
-      '';
-    };
-
-    services.openldap = {
-      enable = config.services.myDatabases.ldap.enable;
-      dataDir = "/var/lib/openldap";
-      urlList = [ "ldap://" "ldaps://" ];
-      extraConfig = ldapConfig;
-    };
-  };
-}
-
diff --git a/nixops/modules/databases/redis.nix b/nixops/modules/databases/redis.nix
deleted file mode 100644 (file)
index 75c69a6..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-    cfg = config.services.myDatabases;
-in {
-  options.services.myDatabases = {
-    redis = {
-      enable = lib.mkOption {
-        default = cfg.enable;
-        example = true;
-        description = "Whether to enable redis database";
-        type = lib.types.bool;
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    ids.uids.redis = myconfig.env.users.redis.uid;
-    ids.gids.redis = myconfig.env.users.redis.gid;
-    users.users.redis.uid = config.ids.uids.redis;
-    users.groups.redis.gid = config.ids.gids.redis;
-    services.redis = rec {
-      enable = config.services.myDatabases.redis.enable;
-      bind = "127.0.0.1";
-      unixSocket = myconfig.env.databases.redis.socket;
-      extraConfig = ''
-        unixsocketperm 777
-        maxclients 1024
-        '';
-    };
-    systemd.services.redis.serviceConfig.RuntimeDirectory =
-      assert myconfig.env.databases.redis.socket == "/run/redis/redis.sock";
-      "redis";
-  };
-}
-