From: Ismaƫl Bouya Date: Sun, 8 Dec 2019 15:22:56 +0000 (+0100) Subject: Add openldap replication X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=16b80abd57bb215d0e72f3983f997a007743b8fb;p=perso%2FImmae%2FConfig%2FNix.git Add openldap replication --- diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index 9f72b29..22f6f7b 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix @@ -2,22 +2,9 @@ let cfg = config.myServices.databases.openldap; ldapConfig = let - kerberosSchema = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; - sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; - }; - puppetSchema = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; - sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; - }; + eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {}; in '' - include ${pkgs.openldap}/etc/schema/core.schema - include ${pkgs.openldap}/etc/schema/cosine.schema - include ${pkgs.openldap}/etc/schema/inetorgperson.schema - include ${pkgs.openldap}/etc/schema/nis.schema - include ${puppetSchema} - include ${kerberosSchema} - include ${./immae.schema} + ${eldiron_schemas} pidfile ${cfg.pids.pid} argsfile ${cfg.pids.args} @@ -33,6 +20,10 @@ let directory ${cfg.dataDir} overlay memberof + moduleload syncprov + overlay syncprov + syncprov-checkpoint 100 10 + TLSCertificateFile ${config.security.acme.directory}/ldap/cert.pem TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem TLSCACertificateFile ${config.security.acme.directory}/ldap/fullchain.pem @@ -126,14 +117,6 @@ in users.users.openldap.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 636 389 ]; - services.cron = { - systemCronJobs = [ - '' - 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$" - '' - ]; - }; - security.acme.certs."ldap" = config.myServices.databasesCerts // { user = "openldap"; group = "openldap"; diff --git a/modules/private/databases/openldap/eldiron_schemas.nix b/modules/private/databases/openldap/eldiron_schemas.nix new file mode 100644 index 0000000..7a29988 --- /dev/null +++ b/modules/private/databases/openldap/eldiron_schemas.nix @@ -0,0 +1,21 @@ +{ fetchurl, openldap }: +let + kerberosSchema = fetchurl { + url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; + sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; + }; + puppetSchema = fetchurl { + url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; + sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; + }; + schemas = [ + "${openldap}/etc/schema/core.schema" + "${openldap}/etc/schema/cosine.schema" + "${openldap}/etc/schema/inetorgperson.schema" + "${openldap}/etc/schema/nis.schema" + puppetSchema + kerberosSchema + ./immae.schema + ]; +in + builtins.concatStringsSep "\n" (map (v: "include ${v}") schemas) diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix new file mode 100644 index 0000000..c0c16e6 --- /dev/null +++ b/modules/private/databases/openldap_replication.nix @@ -0,0 +1,164 @@ +{ pkgs, config, myconfig, lib, ... }: +let + cfg = config.myServices.databasesReplication.openldap; + eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; + ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' + ${eldiron_schemas} + pidfile /run/slapd_${name}/slapd.pid + argsfile /run/slapd_${name}/slapd.args + + moduleload back_hdb + backend hdb + database hdb + + suffix "${hcfg.base}" + rootdn "cn=root,${hcfg.base}" + directory ${cfg.base}/${name}/openldap + + index objectClass eq + index uid pres,eq + index entryUUID eq + + include ${config.secrets.location}/openldap_replication/${name}/replication_config + ''; +in +{ + options.myServices.databasesReplication.openldap = { + enable = lib.mkEnableOption "Enable openldap replication"; + base = lib.mkOption { + type = lib.types.path; + description = '' + Base path to put the replications + ''; + }; + hosts = lib.mkOption { + default = {}; + description = '' + Hosts to backup + ''; + type = lib.types.attrsOf (lib.types.submodule { + options = { + package = lib.mkOption { + type = lib.types.package; + default = pkgs.openldap; + description = '' + Openldap package for this host + ''; + }; + url = lib.mkOption { + type = lib.types.str; + description = '' + Host to connect to + ''; + }; + base = lib.mkOption { + type = lib.types.str; + description = '' + Base DN to replicate + ''; + }; + dn = lib.mkOption { + type = lib.types.str; + description = '' + DN to use + ''; + }; + password = lib.mkOption { + type = lib.types.str; + description = '' + Password to use + ''; + }; + }; + }); + }; + }; + + config = lib.mkIf cfg.enable { + users.users.openldap = { + description = "Openldap database user"; + group = "openldap"; + uid = config.ids.uids.openldap; + extraGroups = [ "keys" ]; + }; + users.groups.openldap.gid = config.ids.gids.openldap; + + secrets.keys = lib.flatten (lib.mapAttrsToList (name: hcfg: [ + { + dest = "openldap_replication/${name}/replication_config"; + user = "openldap"; + group = "openldap"; + permissions = "0400"; + text = '' + syncrepl rid=000 + provider=${hcfg.url} + type=refreshAndPersist + searchbase="${hcfg.base}" + retry="5 10 300 +" + attrs="*,+" + schemachecking=off + bindmethod=simple + binddn="${hcfg.dn}" + credentials="${hcfg.password}" + ''; + } + { + dest = "openldap_replication/${name}/replication_password"; + user = "openldap"; + group = "openldap"; + permissions = "0400"; + text = hcfg.password; + } + ]) cfg.hosts); + + services.cron = { + enable = true; + systemCronJobs = lib.flatten (lib.mapAttrsToList (name: hcfg: + let + dataDir = "${cfg.base}/${name}/openldap"; + backupDir = "${cfg.base}/${name}/openldap_backup"; + backup_script = pkgs.writeScript "backup_openldap_${name}" '' + #!${pkgs.stdenv.shell} + + ${hcfg.package}/bin/slapcat -b "${hcfg.base}" -f ${ldapConfig hcfg name} -l ${backupDir}/$(${pkgs.coreutils}/bin/date -Iseconds).ldif + ''; + u = pkgs.callPackage ./utils.nix {}; + cleanup_script = pkgs.writeScript "cleanup_openldap_${name}" (u.exponentialDumps "ldif" backupDir); + in [ + "0 22,4,10,16 * * * root ${backup_script}" + "0 3 * * * root ${cleanup_script}" + ]) cfg.hosts); + }; + + system.activationScripts = lib.attrsets.mapAttrs' (name: hcfg: + lib.attrsets.nameValuePair "openldap_replication_${name}" { + deps = [ "users" "groups" ]; + text = '' + install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap + install -m 0700 -o openldap -g openldap -d ${cfg.base}/${name}/openldap_backup + ''; + }) cfg.hosts; + + systemd.services = lib.attrsets.mapAttrs' (name: hcfg: + let + dataDir = "${cfg.base}/${name}/openldap"; + in + lib.attrsets.nameValuePair "openldap_backup_${name}" { + description = "Openldap replication for ${name}"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + unitConfig.RequiresMountsFor = dataDir; + + preStart = '' + mkdir -p /run/slapd_${name} + chown -R "openldap:openldap" /run/slapd_${name} + ''; + + serviceConfig = { + ExecStart = "${hcfg.package}/libexec/slapd -d 0 -u openldap -g openldap -f ${ldapConfig hcfg name}"; + }; + }) cfg.hosts; + }; +} + + diff --git a/modules/private/default.nix b/modules/private/default.nix index 1d0f1a9..29bf2af 100644 --- a/modules/private/default.nix +++ b/modules/private/default.nix @@ -13,6 +13,7 @@ set = { postgresqlReplication = ./databases/postgresql_replication.nix; mariadbReplication = ./databases/mariadb_replication.nix; redisReplication = ./databases/redis_replication.nix; + openldapReplication = ./databases/openldap_replication.nix; websites = ./websites; atenInte = ./websites/aten/integration.nix; diff --git a/modules/private/monitoring/default.nix b/modules/private/monitoring/default.nix index b3f8cbe..e44b127 100644 --- a/modules/private/monitoring/default.nix +++ b/modules/private/monitoring/default.nix @@ -22,6 +22,9 @@ let wrapProgram $out/check_mysql_replication --prefix PATH : ${lib.makeBinPath [ pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.mariadb ]} + wrapProgram $out/check_openldap_replication --prefix PATH : ${lib.makeBinPath [ + pkgs.gnugrep pkgs.gnused pkgs.coreutils pkgs.openldap + ]} ''; toObjects = pkgs.callPackage ./to_objects.nix {}; commonConfig = { @@ -42,7 +45,7 @@ let let specific_file = ./. + "/objects_" + name + ".nix"; in - lib.attrsets.optionalAttrs (builtins.pathExists specific_file) (pkgs.callPackage specific_file {}); + lib.attrsets.optionalAttrs (builtins.pathExists specific_file) (pkgs.callPackage specific_file { inherit config; }); in { options = { @@ -72,34 +75,38 @@ in } { commands = [ - { command = "${myplugins}/check_postgres_replication *"; options = [ "NOPASSWD" ]; } { command = "${myplugins}/check_last_file_date /backup2/*"; options = [ "NOPASSWD" ]; } ]; users = [ "naemon" ]; + runAs = "ALL"; + } + { + commands = [ + { command = "${myplugins}/check_postgres_replication *"; options = [ "NOPASSWD" ]; } + ]; + users = [ "naemon" ]; runAs = "postgres"; } { commands = [ { command = "${myplugins}/check_mysql_replication *"; options = [ "NOPASSWD" ]; } - { command = "${myplugins}/check_last_file_date /backup2/*"; options = [ "NOPASSWD" ]; } ]; users = [ "naemon" ]; runAs = "mysql"; } { commands = [ - { command = "${myplugins}/check_redis_replication *"; options = [ "NOPASSWD" ]; } - { command = "${myplugins}/check_last_file_date /backup2/*"; options = [ "NOPASSWD" ]; } + { command = "${myplugins}/check_openldap_replication *"; options = [ "NOPASSWD" ]; } ]; users = [ "naemon" ]; - runAs = "redis"; + runAs = "openldap"; } { commands = [ - { command = "${myplugins}/check_last_file_date /backup2/*"; options = [ "NOPASSWD" ]; } + { command = "${myplugins}/check_redis_replication *"; options = [ "NOPASSWD" ]; } ]; users = [ "naemon" ]; - runAs = "backup"; + runAs = "redis"; } ]; environment.etc."mdadm.conf" = { diff --git a/modules/private/monitoring/objects_backup-2.nix b/modules/private/monitoring/objects_backup-2.nix index c302e45..2b80eee 100644 --- a/modules/private/monitoring/objects_backup-2.nix +++ b/modules/private/monitoring/objects_backup-2.nix @@ -1,4 +1,4 @@ -{ ... }: +{ config, pkgs, ... }: { service = [ { @@ -46,5 +46,36 @@ use = "local-service"; check_command = ["check_last_file_date" "/backup2/eldiron/mysql_backup" "7" "mysql"]; } + { + service_description = "Openldap replication for eldiron is up to date"; + use = "local-service"; + check_command = let + name = "eldiron"; + hcfg = config.myServices.databasesReplication.openldap.hosts.eldiron; + base = config.myServices.databasesReplication.openldap.base; + eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; + ldapConfig = pkgs.writeText "slapd.conf" '' + ${eldiron_schemas} + moduleload back_hdb + backend hdb + database hdb + + suffix "${hcfg.base}" + directory ${base}/${name}/openldap + ''; + in [ + "check_openldap_replication" + hcfg.url + hcfg.dn + "${config.secrets.location}/openldap_replication/eldiron/replication_password" + hcfg.base + ldapConfig + ]; + } + { + service_description = "Last openldap dump in /backup2/eldiron/openldap_backup is not too old"; + use = "local-service"; + check_command = ["check_last_file_date" "/backup2/eldiron/openldap_backup" "7" "openldap"]; + } ]; } diff --git a/modules/private/monitoring/objects_common.nix b/modules/private/monitoring/objects_common.nix index 1ab9fc3..66fb812 100644 --- a/modules/private/monitoring/objects_common.nix +++ b/modules/private/monitoring/objects_common.nix @@ -76,6 +76,7 @@ check_ntp = "$USER1$/check_ntp_time -t 30 -q -H 0.arch.pool.ntp.org"; check_mysql_replication = "${sudo} -u mysql $USER2$/check_mysql_replication \"$ARG1$\" \"$ARG2$\""; check_postgresql_replication = "${sudo} -u postgres $USER2$/check_postgres_replication \"$ARG1$\" \"$ARG2$\" \"$ARG3$\""; + check_openldap_replication = "${sudo} -u openldap $USER2$/check_openldap_replication \"$ARG1$\" \"$ARG2$\" \"$ARG3$\" \"$ARG4$\" \"$ARG5$\""; check_redis_replication = "${sudo} -u redis $USER2$/check_redis_replication \"$ARG1$\""; check_mailq = "$USER1$/check_mailq -s -w 1 -c 2"; diff --git a/modules/private/monitoring/plugins/check_openldap_replication b/modules/private/monitoring/plugins/check_openldap_replication new file mode 100755 index 0000000..b511ff2 --- /dev/null +++ b/modules/private/monitoring/plugins/check_openldap_replication @@ -0,0 +1,54 @@ +#!/bin/bash + +STATE_OK=0 +STATE_WARNING=1 +STATE_CRITICAL=2 +STATE_UNKNOWN=3 + +distant_host="$1" +replication_dn="$2" +replication_pw="$3" +base="$4" +config="$5" + +to_date() { + i="$1" + i=$(echo "$i" | grep contextCSN | cut -d":" -f2 | sed -e "s/\s//g") + i=$(echo "$i" | cut -d"#" -f1) + i=$(echo "$i" | cut -d"." -f1) + echo "$i" +} + +# ldap +remote_ldap=$(ldapsearch -H $distant_host -D "$replication_dn" -y "$replication_pw" -b "$base" -s base -LLL contextCSN ) +exit_code_remote=$? +remote_ldap=$(to_date "$remote_ldap") + +# slapcat +local_ldap=$(slapcat -b "$base" -f "$config" -a "(entryDN=$base)") +exit_code_local=$? +local_ldap=$(to_date "$local_ldap") + +offset=$(($remote_ldap - $local_ldap)) + +if [[ $exit_code_remote -ne 0 || $exit_code_local -ne 0 ]]; then + echo "UNKNOWN - Impossible to run ldap command" + exit $STATE_UNKNOWN +elif [[ -z "$offset" ]]; then + echo "UNKNOWN - No replication found" + exit $STATE_UNKNOWN +else + output="Replication lag for openldap is ${offset}s" + LC_ALL=C lag=$(printf "%.*f" 0 $lag) + + if [[ $offset -lt 5 ]]; then + echo "OK - $output" + exit $STATE_OK + elif [[ $offset -lt 10 ]]; then + echo "WARNING - $output" + exit $STATE_WARNING + else + echo "CRITICAL - $output" + exit $STATE_CRITICAL + fi +fi diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix index 3d51fa3..1b7f136 100644 --- a/modules/private/system/backup-2.nix +++ b/modules/private/system/backup-2.nix @@ -87,6 +87,18 @@ }; }; }; + openldap = { + enable = true; + base = "/backup2"; + hosts = { + eldiron = { + url = "ldaps://${myconfig.env.ldap.host}:636"; + dn = myconfig.env.ldap.replication_dn; + password = myconfig.env.ldap.replication_pw; + base = myconfig.env.ldap.base; + }; + }; + }; }; # This value determines the NixOS release with which your system is