nixops/modules/databases/default.nix

   1 { lib, pkgs, config, myconfig, mylibs, ... }:
   2 let
   3     cfg = config.services.myDatabases;
   4 in {
   5   imports = [
   6     ./openldap.nix
   7   ];
   8   options.services.myDatabases = {
   9     enable = lib.mkEnableOption "my databases service";
  10     postgresql = {
  11       enable = lib.mkOption {
  12         default = cfg.enable;
  13         example = true;
  14         description = "Whether to enable postgresql database";
  15         type = lib.types.bool;
  16       };
  17     };
  18
  19     mariadb = {
  20       enable = lib.mkOption {
  21         default = cfg.enable;
  22         example = true;
  23         description = "Whether to enable mariadb database";
  24         type = lib.types.bool;
  25       };
  26     };
  27
  28     redis = {
  29       enable = lib.mkOption {
  30         default = cfg.enable;
  31         example = true;
  32         description = "Whether to enable redis database";
  33         type = lib.types.bool;
  34       };
  35     };
  36   };
  37
  38   config = lib.mkIf cfg.enable {
  39     nixpkgs.config.packageOverrides = oldpkgs: rec {
  40       postgresql = postgresql111;
  41       postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
  42         passthru = old.passthru // { psqlSchema = "11.0"; };
  43         name = "postgresql-11.1";
  44         src = pkgs.fetchurl {
  45           url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
  46           sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
  47         };
  48         configureFlags = old.configureFlags ++ [ "--with-pam" ];
  49         buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
  50         patches = old.patches ++ [
  51           ./postgresql_run_socket_path.patch
  52         ];
  53       });
  54       mariadb = mariadbPAM;
  55       mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
  56         cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
  57         buildInputs = old.buildInputs ++ [ pkgs.pam ];
  58       });
  59     };
  60
  61     networking.firewall.allowedTCPPorts = [ 3306 5432 ];
  62
  63     # for adminer, ssl is implemented with mysqli only, which is
  64     # currently disabled because it’s not compatible with pam.
  65     # Thus we need to generate two users for each 'remote': one remote
  66     # with SSL, and one localhost without SSL.
  67     # User identified by LDAP:
  68     # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
  69     # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
  70     services.mysql = rec {
  71       enable = cfg.mariadb.enable;
  72       package = pkgs.mariadb;
  73       extraOptions = ''
  74         ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
  75         ssl_key = /var/lib/acme/mysql/key.pem
  76         ssl_cert = /var/lib/acme/mysql/fullchain.pem
  77         '';
  78     };
  79
  80     security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
  81       user = "postgres";
  82       group = "postgres";
  83       plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
  84       domain = "db-1.immae.eu";
  85       postRun = ''
  86         systemctl reload postgresql.service
  87       '';
  88     };
  89
  90     security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
  91       user = "mysql";
  92       group = "mysql";
  93       plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
  94       domain = "db-1.immae.eu";
  95       postRun = ''
  96         systemctl restart mysql.service
  97       '';
  98     };
  99
 100     system.activationScripts.postgresql = ''
 101       install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
 102       '';
 103
 104     services.postgresql = rec {
 105       enable = cfg.postgresql.enable;
 106       package = pkgs.postgresql;
 107       enableTCPIP = true;
 108       extraConfig = ''
 109         max_connections = 100
 110         wal_level = logical
 111         shared_buffers = 512MB
 112         work_mem = 10MB
 113         max_wal_size = 1GB
 114         min_wal_size = 80MB
 115         log_timezone = 'Europe/Paris'
 116         datestyle = 'iso, mdy'
 117         timezone = 'Europe/Paris'
 118         lc_messages = 'en_US.UTF-8'
 119         lc_monetary = 'en_US.UTF-8'
 120         lc_numeric = 'en_US.UTF-8'
 121         lc_time = 'en_US.UTF-8'
 122         default_text_search_config = 'pg_catalog.english'
 123         ssl = on
 124         ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
 125         ssl_key_file = '/var/lib/acme/postgresql/key.pem'
 126         '';
 127       authentication = ''
 128         local   all     postgres                                ident
 129         local   all     all                                     md5
 130         hostssl all     all     188.165.209.148/32              md5
 131         hostssl all     all     178.33.252.96/32                md5
 132         hostssl all     all     all                             pam
 133         hostssl replication     backup-1        2001:41d0:302:1100::9:e5a9/128  pam pamservice=postgresql_replication
 134         hostssl replication     backup-1        54.37.151.137/32                pam pamservice=postgresql_replication
 135       '';
 136     };
 137
 138     security.pam.services = let
 139       pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
 140       pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
 141         pkgs.writeText "mysql.conf" ''
 142         host ${myconfig.env.ldap.host}
 143         base ${myconfig.env.ldap.base}
 144         binddn ${dn}
 145         bindpw ${password}
 146         pam_filter ${filter}
 147         ssl start_tls
 148         '';
 149       pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
 150         pkgs.writeText "postgresql.conf" ''
 151         host ${myconfig.env.ldap.host}
 152         base ${myconfig.env.ldap.base}
 153         binddn ${dn}
 154         bindpw ${password}
 155         pam_filter ${filter}
 156         ssl start_tls
 157         '';
 158       pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
 159         host ${myconfig.env.ldap.host}
 160         base ${myconfig.env.ldap.base}
 161         binddn ${myconfig.env.ldap.host_dn}
 162         bindpw ${myconfig.env.ldap.password}
 163         pam_login_attribute cn
 164         ssl start_tls
 165         '';
 166     in [
 167       {
 168         name = "mysql";
 169         text = ''
 170           # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
 171           auth    required ${pam_ldap} config=${pam_ldap_mysql}
 172           account required ${pam_ldap} config=${pam_ldap_mysql}
 173           '';
 174       }
 175       {
 176         name = "postgresql";
 177         text = ''
 178           auth    required ${pam_ldap} config=${pam_ldap_postgresql}
 179           account required ${pam_ldap} config=${pam_ldap_postgresql}
 180           '';
 181       }
 182       {
 183         name = "postgresql_replication";
 184         text = ''
 185           auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
 186           account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
 187           '';
 188       }
 189     ];
 190
 191     ids.uids.redis = myconfig.env.users.redis.uid;
 192     ids.gids.redis = myconfig.env.users.redis.gid;
 193     users.users.redis.uid = config.ids.uids.redis;
 194     users.groups.redis.gid = config.ids.gids.redis;
 195     services.redis = rec {
 196       enable = config.services.myDatabases.redis.enable;
 197       bind = "127.0.0.1";
 198       unixSocket = myconfig.env.databases.redis.socket;
 199       extraConfig = ''
 200         unixsocketperm 777
 201         maxclients 1024
 202         '';
 203     };
 204     system.activationScripts.redis = ''
 205       mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
 206       chown redis $(dirname ${myconfig.env.databases.redis.socket})
 207     '';
 208
 209   };
 210 }