Move database credentials to secure location
index 165a02908f6288544aff053171104f3845b5bb0c..7ed4bc090782dcdc4298d362c11ae8891d6bdc2f 100644 (file)
@@ -29,7 +29,7 @@ let
       database        hdb
       suffix          "${myconfig.env.ldap.base}"
       rootdn          "${myconfig.env.ldap.root_dn}"
-      rootpw          ${myconfig.env.ldap.root_pw}
+      include         /run/keys/ldap/ldap-password
       directory       /var/lib/openldap
       overlay         memberof
 
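Review bot: The new `include /run/keys/ldap/ldap-password` line points at a file under /run, which nixops populates over the network into a tmpfs, so after a reboot slapd parses its config before the key exists and fails on the missing include rather than skipping it; the same applies to the `include /run/keys/ldap/ldap-access` line added in the second hunk. The deployment needs the slapd unit ordered behind the key units nixops generates, e.g. `systemd.services.openldap.after = [ "keys.target" ]; systemd.services.openldap.wants = [ "keys.target" ];` (assuming the NixOS service is named `openldap`, which this hunk does not show). The `let` binding that holds this config text starts before the hunk.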
@@ -41,7 +41,7 @@ let
       #TLSCipherSuite        DEFAULT
 
       sasl-host kerberos.immae.eu
-      ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+      include /run/keys/ldap/ldap-access
       '';
 in {
   options.services.myDatabases = {
@@ -56,6 +56,23 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    deployment.keys = {
+      ldap-password = {
+        destDir = "/run/keys/ldap";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = "rootpw          ${myconfig.env.ldap.root_pw}";
+      };
+      ldap-access = {
+        destDir = "/run/keys/ldap";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+      };
+    };
+    users.users.openldap.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 636 389 ];
 
     services.cron = {
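Review bot: The `text = "rootpw          ${myconfig.env.ldap.root_pw}"` value on the ldap-password key still embeds whatever `root_pw` holds, so if that option is the cleartext password the host file is a cleartext root credential rather than just a relocated one; slapd accepts `rootpw` in hashed form (the `{SSHA}…` output of slappasswd), so storing a hash in `root_pw` would limit what the 0400 file exposes. The `users.users.openldap.extraGroups = [ "keys" ]` line is presumably needed only to traverse the /run/keys directory, since both key files are already owned by openldap:openldap; a one-line comment saying so, `# "keys" group grants traversal of /run/keys; the files themselves are openldap-owned`, would keep the next reader from dropping it.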