networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+ # for adminer, ssl is implemented with mysqli only, which is
+ # currently disabled because it’s not compatible with pam.
+ # Thus we need to generate two users for each 'remote': one remote
+ # with SSL, and one localhost without SSL.
+ # User identified by LDAP:
+ # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+ # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
services.mysql = rec {
enable = cfg.mariadb.enable;
package = pkgs.mariadb;
+ extraOptions = ''
+ ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ ssl_key = /var/lib/acme/mysql/key.pem
+ ssl_cert = /var/lib/acme/mysql/fullchain.pem
+ '';
};
security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
'';
};
+ security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+ user = "mysql";
+ group = "mysql";
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ domain = "db-1.immae.eu";
+ postRun = ''
+ systemctl restart mysql.service
+ '';
+ };
+
system.activationScripts.postgresql = ''
install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
'';
authentication = ''
local all postgres ident
local all all md5
- hostssl all all samehost md5
- hostssl all all 178.33.252.96/32 md5
- hostssl all all 188.165.209.148/32 md5
hostssl all all all pam
hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+ pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
+ pkgs.writeText "mysql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
- binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
- bindpw ${myconfig.env.databases.mysql.pam_password}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
+ ssl start_tls
+ '';
+ pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
+ pkgs.writeText "postgresql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
ssl start_tls
- pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
'';
pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
binddn ${myconfig.env.ldap.host_dn}
bindpw ${myconfig.env.ldap.password}
- ssl start_tls
pam_login_attribute cn
+ ssl start_tls
'';
in [
{
{
name = "postgresql";
text = ''
- auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ auth required ${pam_ldap} config=${pam_ldap_postgresql}
+ account required ${pam_ldap} config=${pam_ldap_postgresql}
'';
}
{