{ lib, pkgs, config, myconfig, mylibs, ... }: let cfg = config.services.myDatabases; in { options.services.myDatabases = { enable = lib.mkEnableOption "my databases service"; postgresql = { enable = lib.mkOption { default = cfg.enable; example = true; description = "Whether to enable postgresql database"; type = lib.types.bool; }; }; mariadb = { enable = lib.mkOption { default = cfg.enable; example = true; description = "Whether to enable mariadb database"; type = lib.types.bool; }; }; redis = { enable = lib.mkOption { default = cfg.enable; example = true; description = "Whether to enable redis database"; type = lib.types.bool; }; }; ldap = { enable = lib.mkOption { default = cfg.enable; example = true; description = "Whether to enable ldap"; type = lib.types.bool; }; }; }; config = lib.mkIf cfg.enable { nixpkgs.config.packageOverrides = oldpkgs: rec { postgresql = postgresql111; postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec { passthru = old.passthru // { psqlSchema = "11.0"; }; name = "postgresql-11.1"; src = pkgs.fetchurl { url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; }; configureFlags = old.configureFlags ++ [ "--with-pam" ]; buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ]; patches = old.patches ++ [ ./postgresql_run_socket_path.patch ]; }); mariadb = mariadbPAM; mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec { cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; buildInputs = old.buildInputs ++ [ pkgs.pam ]; }); }; networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ]; # for adminer, ssl is implemented with mysqli only, which is # currently disabled because it’s not compatible with pam. # Thus we need to generate two users for each 'remote': one remote # with SSL, and one localhost without SSL. # User identified by LDAP: # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; services.mysql = rec { enable = cfg.mariadb.enable; package = pkgs.mariadb; extraOptions = '' ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ssl_key = /var/lib/acme/mysql/key.pem ssl_cert = /var/lib/acme/mysql/fullchain.pem ''; }; security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { user = "postgres"; group = "postgres"; plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; domain = "db-1.immae.eu"; postRun = '' systemctl reload postgresql.service ''; }; security.acme.certs."mysql" = config.services.myCertificates.certConfig // { user = "mysql"; group = "mysql"; plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; domain = "db-1.immae.eu"; postRun = '' systemctl restart mysql.service ''; }; security.acme.certs."ldap" = config.services.myCertificates.certConfig // { user = "openldap"; group = "openldap"; plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ]; domain = "ldap.immae.eu"; postRun = '' systemctl restart openldap.service ''; }; system.activationScripts.postgresql = '' install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} ''; services.postgresql = rec { enable = cfg.postgresql.enable; package = pkgs.postgresql; enableTCPIP = true; extraConfig = '' max_connections = 100 wal_level = logical shared_buffers = 512MB work_mem = 10MB max_wal_size = 1GB min_wal_size = 80MB log_timezone = 'Europe/Paris' datestyle = 'iso, mdy' timezone = 'Europe/Paris' lc_messages = 'en_US.UTF-8' lc_monetary = 'en_US.UTF-8' lc_numeric = 'en_US.UTF-8' lc_time = 'en_US.UTF-8' default_text_search_config = 'pg_catalog.english' ssl = on ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem' ssl_key_file = '/var/lib/acme/postgresql/key.pem' ''; authentication = '' local all postgres ident local all all md5 hostssl all all 188.165.209.148/32 md5 hostssl all all 178.33.252.96/32 md5 hostssl all all all pam hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication ''; }; security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; pam_ldap_mysql = with myconfig.env.databases.mysql.pam; pkgs.writeText "mysql.conf" '' host ${myconfig.env.ldap.host} base ${myconfig.env.ldap.base} binddn ${dn} bindpw ${password} pam_filter ${filter} ssl start_tls ''; pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; pkgs.writeText "postgresql.conf" '' host ${myconfig.env.ldap.host} base ${myconfig.env.ldap.base} binddn ${dn} bindpw ${password} pam_filter ${filter} ssl start_tls ''; pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' host ${myconfig.env.ldap.host} base ${myconfig.env.ldap.base} binddn ${myconfig.env.ldap.host_dn} bindpw ${myconfig.env.ldap.password} pam_login_attribute cn ssl start_tls ''; in [ { name = "mysql"; text = '' # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ auth required ${pam_ldap} config=${pam_ldap_mysql} account required ${pam_ldap} config=${pam_ldap_mysql} ''; } { name = "postgresql"; text = '' auth required ${pam_ldap} config=${pam_ldap_postgresql} account required ${pam_ldap} config=${pam_ldap_postgresql} ''; } { name = "postgresql_replication"; text = '' auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} account required ${pam_ldap} config=${pam_ldap_postgresql_replication} ''; } ]; ids.uids.redis = myconfig.env.users.redis.uid; ids.gids.redis = myconfig.env.users.redis.gid; users.users.redis.uid = config.ids.uids.redis; users.groups.redis.gid = config.ids.gids.redis; services.redis = rec { enable = config.services.myDatabases.redis.enable; bind = "127.0.0.1"; unixSocket = myconfig.env.databases.redis.socket; extraConfig = '' unixsocketperm 777 maxclients 1024 ''; }; system.activationScripts.redis = '' mkdir -p $(dirname ${myconfig.env.databases.redis.socket}) chown redis $(dirname ${myconfig.env.databases.redis.socket}) ''; services.openldap = let kerberosSchema = pkgs.fetchurl { url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; }; puppetSchema = pkgs.fetchurl { url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; }; in { enable = config.services.myDatabases.ldap.enable; dataDir = "/var/lib/openldap"; urlList = [ "ldap://" "ldaps://" ]; extraConfig = '' include ${pkgs.openldap}/etc/schema/core.schema include ${pkgs.openldap}/etc/schema/cosine.schema include ${pkgs.openldap}/etc/schema/inetorgperson.schema include ${pkgs.openldap}/etc/schema/nis.schema include ${puppetSchema} include ${kerberosSchema} include ${./immae.schema} pidfile /run/slapd/slapd.pid argsfile /run/slapd/slapd.args moduleload back_hdb backend hdb moduleload memberof database hdb suffix "${myconfig.env.ldap.base}" rootdn "${myconfig.env.ldap.root_dn}" rootpw ${myconfig.env.ldap.root_pw} directory /var/lib/openldap overlay memberof TLSCertificateFile /var/lib/acme/ldap/cert.pem TLSCertificateKeyFile /var/lib/acme/ldap/key.pem TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ #This makes openldap crash #TLSCipherSuite DEFAULT sasl-host kerberos.immae.eu ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"} ''; }; }; }