1 { lib, pkgs, config, myconfig, mylibs, ... }:
3 cfg = config.services.myDatabases;
5 options.services.myDatabases = {
6 enable = lib.mkEnableOption "my databases service";
8 enable = lib.mkOption {
11 description = "Whether to enable postgresql database";
12 type = lib.types.bool;
17 enable = lib.mkOption {
20 description = "Whether to enable mariadb database";
21 type = lib.types.bool;
26 enable = lib.mkOption {
29 description = "Whether to enable redis database";
30 type = lib.types.bool;
35 enable = lib.mkOption {
38 description = "Whether to enable ldap";
39 type = lib.types.bool;
44 config = lib.mkIf cfg.enable {
45 nixpkgs.config.packageOverrides = oldpkgs: rec {
46 postgresql = postgresql111;
47 postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
48 passthru = old.passthru // { psqlSchema = "11.0"; };
49 name = "postgresql-11.1";
51 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
52 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
54 configureFlags = old.configureFlags ++ [ "--with-pam" ];
55 buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
56 patches = old.patches ++ [
57 ./postgresql_run_socket_path.patch
61 mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
62 cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
63 buildInputs = old.buildInputs ++ [ pkgs.pam ];
67 networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ];
69 # for adminer, ssl is implemented with mysqli only, which is
70 # currently disabled because it’s not compatible with pam.
71 # Thus we need to generate two users for each 'remote': one remote
72 # with SSL, and one localhost without SSL.
73 # User identified by LDAP:
74 # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
75 # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
76 services.mysql = rec {
77 enable = cfg.mariadb.enable;
78 package = pkgs.mariadb;
80 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
81 ssl_key = /var/lib/acme/mysql/key.pem
82 ssl_cert = /var/lib/acme/mysql/fullchain.pem
86 security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
89 plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
90 domain = "db-1.immae.eu";
92 systemctl reload postgresql.service
96 security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
99 plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
100 domain = "db-1.immae.eu";
102 systemctl restart mysql.service
106 security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
109 plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
110 domain = "ldap.immae.eu";
112 systemctl restart openldap.service
116 system.activationScripts.postgresql = ''
117 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
120 services.postgresql = rec {
121 enable = cfg.postgresql.enable;
122 package = pkgs.postgresql;
125 max_connections = 100
127 shared_buffers = 512MB
131 log_timezone = 'Europe/Paris'
132 datestyle = 'iso, mdy'
133 timezone = 'Europe/Paris'
134 lc_messages = 'en_US.UTF-8'
135 lc_monetary = 'en_US.UTF-8'
136 lc_numeric = 'en_US.UTF-8'
137 lc_time = 'en_US.UTF-8'
138 default_text_search_config = 'pg_catalog.english'
140 ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
141 ssl_key_file = '/var/lib/acme/postgresql/key.pem'
144 local all postgres ident
146 hostssl all all 188.165.209.148/32 md5
147 hostssl all all 178.33.252.96/32 md5
148 hostssl all all all pam
149 hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
150 hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
154 security.pam.services = let
155 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
156 pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
157 pkgs.writeText "mysql.conf" ''
158 host ${myconfig.env.ldap.host}
159 base ${myconfig.env.ldap.base}
165 pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
166 pkgs.writeText "postgresql.conf" ''
167 host ${myconfig.env.ldap.host}
168 base ${myconfig.env.ldap.base}
174 pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
175 host ${myconfig.env.ldap.host}
176 base ${myconfig.env.ldap.base}
177 binddn ${myconfig.env.ldap.host_dn}
178 bindpw ${myconfig.env.ldap.password}
179 pam_login_attribute cn
186 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
187 auth required ${pam_ldap} config=${pam_ldap_mysql}
188 account required ${pam_ldap} config=${pam_ldap_mysql}
194 auth required ${pam_ldap} config=${pam_ldap_postgresql}
195 account required ${pam_ldap} config=${pam_ldap_postgresql}
199 name = "postgresql_replication";
201 auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
202 account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
207 ids.uids.redis = myconfig.env.users.redis.uid;
208 ids.gids.redis = myconfig.env.users.redis.gid;
209 users.users.redis.uid = config.ids.uids.redis;
210 users.groups.redis.gid = config.ids.gids.redis;
211 services.redis = rec {
212 enable = config.services.myDatabases.redis.enable;
214 unixSocket = myconfig.env.databases.redis.socket;
220 system.activationScripts.redis = ''
221 mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
222 chown redis $(dirname ${myconfig.env.databases.redis.socket})
225 services.openldap = let
226 kerberosSchema = pkgs.fetchurl {
227 url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
228 sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
230 puppetSchema = pkgs.fetchurl {
231 url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
232 sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
235 enable = config.services.myDatabases.ldap.enable;
236 dataDir = "/var/lib/openldap";
237 urlList = [ "ldap://" "ldaps://" ];
239 include ${pkgs.openldap}/etc/schema/core.schema
240 include ${pkgs.openldap}/etc/schema/cosine.schema
241 include ${pkgs.openldap}/etc/schema/inetorgperson.schema
242 include ${pkgs.openldap}/etc/schema/nis.schema
243 include ${puppetSchema}
244 include ${kerberosSchema}
245 include ${./immae.schema}
247 pidfile /run/slapd/slapd.pid
248 argsfile /run/slapd/slapd.args
255 suffix "${myconfig.env.ldap.base}"
256 rootdn "${myconfig.env.ldap.root_dn}"
257 rootpw ${myconfig.env.ldap.root_pw}
258 directory /var/lib/openldap
261 TLSCertificateFile /var/lib/acme/ldap/cert.pem
262 TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
263 TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
264 TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
265 #This makes openldap crash
266 #TLSCipherSuite DEFAULT
268 sasl-host kerberos.immae.eu
269 ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}