type = lib.types.bool;
};
};
+
+ ldap = {
+ enable = lib.mkOption {
+ default = cfg.enable;
+ example = true;
+ description = "Whether to enable ldap";
+ type = lib.types.bool;
+ };
+ };
};
config = lib.mkIf cfg.enable {
});
};
- networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+ networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ];
+ # for adminer, ssl is implemented with mysqli only, which is
+ # currently disabled because it’s not compatible with pam.
+ # Thus we need to generate two users for each 'remote': one remote
+ # with SSL, and one localhost without SSL.
+ # User identified by LDAP:
+ # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+ # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
services.mysql = rec {
enable = cfg.mariadb.enable;
package = pkgs.mariadb;
+ extraOptions = ''
+ ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ ssl_key = /var/lib/acme/mysql/key.pem
+ ssl_cert = /var/lib/acme/mysql/fullchain.pem
+ '';
};
security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
'';
};
+ security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+ user = "mysql";
+ group = "mysql";
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ domain = "db-1.immae.eu";
+ postRun = ''
+ systemctl restart mysql.service
+ '';
+ };
+
+ security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
+ user = "openldap";
+ group = "openldap";
+ plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+ domain = "ldap.immae.eu";
+ postRun = ''
+ systemctl restart openldap.service
+ '';
+ };
+
system.activationScripts.postgresql = ''
install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
'';
extraConfig = ''
max_connections = 100
wal_level = logical
- shared_buffers = 128MB
+ shared_buffers = 512MB
+ work_mem = 10MB
max_wal_size = 1GB
min_wal_size = 80MB
log_timezone = 'Europe/Paris'
authentication = ''
local all postgres ident
local all all md5
- hostssl all all samehost md5
- hostssl all all 178.33.252.96/32 md5
- hostssl all all 188.165.209.148/32 md5
- hostssl all all all pam
+ hostssl all all 188.165.209.148/32 md5
+ hostssl all all 178.33.252.96/32 md5
+ hostssl all all all pam
hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
'';
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+ pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
+ pkgs.writeText "mysql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
- binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
- bindpw ${myconfig.env.databases.mysql.pam_password}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
+ ssl start_tls
+ '';
+ pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
+ pkgs.writeText "postgresql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
ssl start_tls
- pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
'';
pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
binddn ${myconfig.env.ldap.host_dn}
bindpw ${myconfig.env.ldap.password}
- ssl start_tls
pam_login_attribute cn
+ ssl start_tls
'';
in [
{
{
name = "postgresql";
text = ''
- auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ auth required ${pam_ldap} config=${pam_ldap_postgresql}
+ account required ${pam_ldap} config=${pam_ldap_postgresql}
'';
}
{
}
];
+ ids.uids.redis = myconfig.env.users.redis.uid;
+ ids.gids.redis = myconfig.env.users.redis.gid;
+ users.users.redis.uid = config.ids.uids.redis;
+ users.groups.redis.gid = config.ids.gids.redis;
services.redis = rec {
enable = config.services.myDatabases.redis.enable;
bind = "127.0.0.1";
mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
chown redis $(dirname ${myconfig.env.databases.redis.socket})
'';
+
+ services.openldap = let
+ kerberosSchema = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+ sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+ };
+ puppetSchema = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+ sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+ };
+ in {
+ enable = config.services.myDatabases.ldap.enable;
+ dataDir = "/var/lib/openldap";
+ urlList = [ "ldap://" "ldaps://" ];
+ extraConfig = ''
+ include ${pkgs.openldap}/etc/schema/core.schema
+ include ${pkgs.openldap}/etc/schema/cosine.schema
+ include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+ include ${pkgs.openldap}/etc/schema/nis.schema
+ include ${puppetSchema}
+ include ${kerberosSchema}
+ include ${./immae.schema}
+
+ pidfile /run/slapd/slapd.pid
+ argsfile /run/slapd/slapd.args
+
+ moduleload back_hdb
+ backend hdb
+
+ moduleload memberof
+ database hdb
+ suffix "${myconfig.env.ldap.base}"
+ rootdn "${myconfig.env.ldap.root_dn}"
+ rootpw ${myconfig.env.ldap.root_pw}
+ directory /var/lib/openldap
+ overlay memberof
+
+ TLSCertificateFile /var/lib/acme/ldap/cert.pem
+ TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+ TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
+ TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
+ #This makes openldap crash
+ #TLSCipherSuite DEFAULT
+
+ sasl-host kerberos.immae.eu
+ ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+ '';
+ };
};
}
projects / perso / Immae / Config / Nix.git / blobdiff