Add cron backup for LDAP

[perso/Immae/Config/Nix.git] / nixops / modules / databases / default.nix
diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix

index 1940b62b7f71bd6682e69b3529c9a74bc4b386f6..32001810475af4b5e71f8276b11dc972ccd67283 100644 (file)
--- a/nixops/modules/databases/default.nix
+++ b/nixops/modules/databases/default.nix
@@ -2,6 +2,9 @@
  let
      cfg = config.services.myDatabases;
  in {
+  imports = [
+    ./openldap.nix
+  ];
    options.services.myDatabases = {
      enable = lib.mkEnableOption "my databases service";
      postgresql = {
@@ -30,15 +33,6 @@ in {
          type = lib.types.bool;
        };
      };
-
-    ldap = {
-      enable = lib.mkOption {
-        default = cfg.enable;
-        example = true;
-        description = "Whether to enable ldap";
-        type = lib.types.bool;
-      };
-    };
    };
  
    config = lib.mkIf cfg.enable {
@@ -64,7 +58,7 @@ in {
        });
      };
  
-    networking.firewall.allowedTCPPorts = [ 3306 5432 636 389 ];
+    networking.firewall.allowedTCPPorts = [ 3306 5432 ];
  
      # for adminer, ssl is implemented with mysqli only, which is
      # currently disabled because it’s not compatible with pam.
@@ -103,16 +97,6 @@ in {
        '';
      };
  
-    security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
-      user = "openldap";
-      group = "openldap";
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
-      domain = "ldap.immae.eu";
-      postRun = ''
-        systemctl restart openldap.service
-      '';
-    };
-
      system.activationScripts.postgresql = ''
        install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
        '';
@@ -222,52 +206,5 @@ in {
        chown redis $(dirname ${myconfig.env.databases.redis.socket})
      '';
  
-    services.openldap = let
-      kerberosSchema = pkgs.fetchurl {
-        url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
-        sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
-      };
-      puppetSchema = pkgs.fetchurl {
-        url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
-        sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
-      };
-    in {
-      enable = config.services.myDatabases.ldap.enable;
-      dataDir = "/var/lib/openldap";
-      urlList = [ "ldap://" "ldaps://" ];
-      extraConfig = ''
-        include         ${pkgs.openldap}/etc/schema/core.schema
-        include         ${pkgs.openldap}/etc/schema/cosine.schema
-        include         ${pkgs.openldap}/etc/schema/inetorgperson.schema
-        include         ${pkgs.openldap}/etc/schema/nis.schema
-        include         ${puppetSchema}
-        include         ${kerberosSchema}
-        include         ${./immae.schema}
-
-        pidfile         /run/slapd/slapd.pid
-        argsfile        /run/slapd/slapd.args
-
-        moduleload      back_hdb
-        backend         hdb
-
-        moduleload      memberof
-        database        hdb
-        suffix          "${myconfig.env.ldap.base}"
-        rootdn          "${myconfig.env.ldap.root_dn}"
-        rootpw          ${myconfig.env.ldap.root_pw}
-        directory       /var/lib/openldap
-        overlay         memberof
-
-        TLSCertificateFile    /var/lib/acme/ldap/cert.pem
-        TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
-        TLSCACertificateFile  /var/lib/acme/ldap/fullchain.pem
-        TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
-        #This makes openldap crash
-        #TLSCipherSuite        DEFAULT
-
-        sasl-host kerberos.immae.eu
-        ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
-        '';
-    };
    };
  }