Add SSL for pam ldap connection
index 430d032ee42d6d57db2104429eb80d1dea72607a..94d8d75ededd5c134c58fd75c56a2d2a585b56f6 100644 (file)
@@ -73,7 +73,7 @@ in {
     };
 
     system.activationScripts.postgresql = ''
-      install -m 0755 -o postgres -g postgres -d /run/postgresql
+      install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
       '';
 
     services.postgresql = rec {
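Review bot: The interpolated socket directory on the new `install -d` line is unquoted inside a bash activation script, so a value containing whitespace or glob characters would be split into several arguments; `install -m 0755 -o postgres -g postgres -d "${myconfig.env.databases.postgresql.socket}"` avoids that at no cost. The `services.postgresql` block that presumably consumes the same path starts on the hunk's last line and continues outside it, so I cannot confirm from here that the server's socket directory setting is derived from the same option rather than still defaulting to `/run/postgresql`; worth a check, since a mismatch would leave the created directory unused.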
@@ -111,19 +111,21 @@ in {
     };
 
     security.pam.services = let
-      pam_ldap = pkgs.pam_ldap;
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
       pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
-        host ldap.immae.eu
-        base dc=immae,dc=eu
+        host ${myconfig.env.ldap.host}
+        base ${myconfig.env.ldap.base}
         binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
         bindpw ${myconfig.env.databases.mysql.pam_password}
+        ssl start_tls
         pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
         '';
       pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
-        host ldap.immae.eu
-        base dc=immae,dc=eu
-        binddn cn=eldiron,ou=hosts,dc=immae,dc=eu
+        host ${myconfig.env.ldap.host}
+        base ${myconfig.env.ldap.base}
+        binddn ${myconfig.env.ldap.host_dn}
         bindpw ${myconfig.env.ldap.password}
+        ssl start_tls
         pam_login_attribute cn
         '';
     in [
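Review bot: The `ssl start_tls` line added to each config file upgrades the connection but, with no `tls_checkpeer yes` and no `tls_cacertfile`, certificate verification is left to whatever the LDAP library defaults to on this host, which is not visible here; if that default is lenient, a host on the path to `${myconfig.env.ldap.host}` can present its own certificate and read the `bindpw` values and every password pam_ldap forwards. I would add `tls_checkpeer yes` and `tls_cacertfile <path to the CA that signed the server certificate>` next to `ssl start_tls` in both files. Note also that `pkgs.writeText` places these files, `bindpw` included, in the world-readable Nix store, so this change protects the credentials in transit but not at rest. Separately, the postgresql config carries no `pam_filter`, so any directory entry whose `cn` matches a login name will authenticate, unlike the mysql config which restricts by group membership; confirm that is intended.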
@@ -131,22 +133,22 @@ in {
         name = "mysql";
         text = ''
           # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+          auth    required ${pam_ldap} config=${pam_ldap_mysql}
+          account required ${pam_ldap} config=${pam_ldap_mysql}
           '';
       }
       {
         name = "postgresql";
         text = ''
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
           '';
       }
       {
         name = "postgresql_replication";
         text = ''
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_postgresql_replication}
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
           '';
       }
     ];