cfg = config.services.myDatabases;
in {
imports = [
+ ./mysql.nix
./openldap.nix
+ ./postgresql.nix
+ ./redis.nix
];
options.services.myDatabases = {
enable = lib.mkEnableOption "my databases service";
- postgresql = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable postgresql database";
- type = lib.types.bool;
- };
- };
-
- mariadb = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable mariadb database";
- type = lib.types.bool;
- };
- };
-
- redis = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable redis database";
- type = lib.types.bool;
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- nixpkgs.config.packageOverrides = oldpkgs: rec {
- postgresql = postgresql111;
- postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
- passthru = old.passthru // { psqlSchema = "11.0"; };
- name = "postgresql-11.1";
- src = pkgs.fetchurl {
- url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
- sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
- };
- configureFlags = old.configureFlags ++ [ "--with-pam" ];
- buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
- patches = old.patches ++ [
- ./postgresql_run_socket_path.patch
- ];
- });
- mariadb = mariadbPAM;
- mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
- cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
- buildInputs = old.buildInputs ++ [ pkgs.pam ];
- });
- };
-
- networking.firewall.allowedTCPPorts = [ 3306 5432 ];
-
- # for adminer, ssl is implemented with mysqli only, which is
- # currently disabled because it’s not compatible with pam.
- # Thus we need to generate two users for each 'remote': one remote
- # with SSL, and one localhost without SSL.
- # User identified by LDAP:
- # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
- # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
- services.mysql = rec {
- enable = cfg.mariadb.enable;
- package = pkgs.mariadb;
- extraOptions = ''
- ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
- ssl_key = /var/lib/acme/mysql/key.pem
- ssl_cert = /var/lib/acme/mysql/fullchain.pem
- '';
- };
-
- security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
- user = "postgres";
- group = "postgres";
- plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
- domain = "db-1.immae.eu";
- postRun = ''
- systemctl reload postgresql.service
- '';
- };
-
- security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
- user = "mysql";
- group = "mysql";
- plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
- domain = "db-1.immae.eu";
- postRun = ''
- systemctl restart mysql.service
- '';
- };
-
- system.activationScripts.postgresql = ''
- install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
- '';
-
- services.postgresql = rec {
- enable = cfg.postgresql.enable;
- package = pkgs.postgresql;
- enableTCPIP = true;
- extraConfig = ''
- max_connections = 100
- wal_level = logical
- shared_buffers = 512MB
- work_mem = 10MB
- max_wal_size = 1GB
- min_wal_size = 80MB
- log_timezone = 'Europe/Paris'
- datestyle = 'iso, mdy'
- timezone = 'Europe/Paris'
- lc_messages = 'en_US.UTF-8'
- lc_monetary = 'en_US.UTF-8'
- lc_numeric = 'en_US.UTF-8'
- lc_time = 'en_US.UTF-8'
- default_text_search_config = 'pg_catalog.english'
- ssl = on
- ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
- ssl_key_file = '/var/lib/acme/postgresql/key.pem'
- '';
- authentication = ''
- local all postgres ident
- local all all md5
- hostssl all all 188.165.209.148/32 md5
- hostssl all all 178.33.252.96/32 md5
- hostssl all all all pam
- hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
- hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
- '';
- };
-
- security.pam.services = let
- pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
- pkgs.writeText "mysql.conf" ''
- host ${myconfig.env.ldap.host}
- base ${myconfig.env.ldap.base}
- binddn ${dn}
- bindpw ${password}
- pam_filter ${filter}
- ssl start_tls
- '';
- pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
- pkgs.writeText "postgresql.conf" ''
- host ${myconfig.env.ldap.host}
- base ${myconfig.env.ldap.base}
- binddn ${dn}
- bindpw ${password}
- pam_filter ${filter}
- ssl start_tls
- '';
- pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
- host ${myconfig.env.ldap.host}
- base ${myconfig.env.ldap.base}
- binddn ${myconfig.env.ldap.host_dn}
- bindpw ${myconfig.env.ldap.password}
- pam_login_attribute cn
- ssl start_tls
- '';
- in [
- {
- name = "mysql";
- text = ''
- # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
- auth required ${pam_ldap} config=${pam_ldap_mysql}
- account required ${pam_ldap} config=${pam_ldap_mysql}
- '';
- }
- {
- name = "postgresql";
- text = ''
- auth required ${pam_ldap} config=${pam_ldap_postgresql}
- account required ${pam_ldap} config=${pam_ldap_postgresql}
- '';
- }
- {
- name = "postgresql_replication";
- text = ''
- auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
- '';
- }
- ];
-
- ids.uids.redis = myconfig.env.users.redis.uid;
- ids.gids.redis = myconfig.env.users.redis.gid;
- users.users.redis.uid = config.ids.uids.redis;
- users.groups.redis.gid = config.ids.gids.redis;
- services.redis = rec {
- enable = config.services.myDatabases.redis.enable;
- bind = "127.0.0.1";
- unixSocket = myconfig.env.databases.redis.socket;
- extraConfig = ''
- unixsocketperm 777
- maxclients 1024
- '';
- };
- system.activationScripts.redis = ''
- mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
- chown redis $(dirname ${myconfig.env.databases.redis.socket})
- '';
-
};
}
--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ cfg = config.services.myDatabases;
+in {
+ options.services.myDatabases = {
+ mariadb = {
+ enable = lib.mkOption {
+ default = cfg.enable;
+ example = true;
+ description = "Whether to enable mariadb database";
+ type = lib.types.bool;
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ nixpkgs.config.packageOverrides = oldpkgs: rec {
+ mariadb = mariadbPAM;
+ mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
+ cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+ buildInputs = old.buildInputs ++ [ pkgs.pam ];
+ });
+ };
+
+ networking.firewall.allowedTCPPorts = [ 3306 ];
+
+ # for adminer, ssl is implemented with mysqli only, which is
+ # currently disabled because it’s not compatible with pam.
+ # Thus we need to generate two users for each 'remote': one remote
+ # with SSL, and one localhost without SSL.
+ # User identified by LDAP:
+ # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+ # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
+ services.mysql = rec {
+ enable = cfg.mariadb.enable;
+ package = pkgs.mariadb;
+ extraOptions = ''
+ ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ ssl_key = /var/lib/acme/mysql/key.pem
+ ssl_cert = /var/lib/acme/mysql/fullchain.pem
+ '';
+ };
+
+ security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+ user = "mysql";
+ group = "mysql";
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ domain = "db-1.immae.eu";
+ postRun = ''
+ systemctl restart mysql.service
+ '';
+ };
+
+ security.pam.services = let
+ pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+ pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
+ pkgs.writeText "mysql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
+ ssl start_tls
+ '';
+ in [
+ {
+ name = "mysql";
+ text = ''
+ # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
+ auth required ${pam_ldap} config=${pam_ldap_mysql}
+ account required ${pam_ldap} config=${pam_ldap_mysql}
+ '';
+ }
+ ];
+
+ };
+}
+
--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ cfg = config.services.myDatabases;
+in {
+ options.services.myDatabases = {
+ postgresql = {
+ enable = lib.mkOption {
+ default = cfg.enable;
+ example = true;
+ description = "Whether to enable postgresql database";
+ type = lib.types.bool;
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ nixpkgs.config.packageOverrides = oldpkgs: rec {
+ postgresql = postgresql111;
+ postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
+ passthru = old.passthru // { psqlSchema = "11.0"; };
+ name = "postgresql-11.1";
+ src = pkgs.fetchurl {
+ url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
+ sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
+ };
+ configureFlags = old.configureFlags ++ [ "--with-pam" ];
+ buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
+ patches = old.patches ++ [
+ ./postgresql_run_socket_path.patch
+ ];
+ });
+ };
+
+ networking.firewall.allowedTCPPorts = [ 5432 ];
+
+ security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
+ user = "postgres";
+ group = "postgres";
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ domain = "db-1.immae.eu";
+ postRun = ''
+ systemctl reload postgresql.service
+ '';
+ };
+
+ system.activationScripts.postgresql = ''
+ install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
+ '';
+
+ services.postgresql = rec {
+ enable = cfg.postgresql.enable;
+ package = pkgs.postgresql;
+ enableTCPIP = true;
+ extraConfig = ''
+ max_connections = 100
+ wal_level = logical
+ shared_buffers = 512MB
+ work_mem = 10MB
+ max_wal_size = 1GB
+ min_wal_size = 80MB
+ log_timezone = 'Europe/Paris'
+ datestyle = 'iso, mdy'
+ timezone = 'Europe/Paris'
+ lc_messages = 'en_US.UTF-8'
+ lc_monetary = 'en_US.UTF-8'
+ lc_numeric = 'en_US.UTF-8'
+ lc_time = 'en_US.UTF-8'
+ default_text_search_config = 'pg_catalog.english'
+ ssl = on
+ ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+ ssl_key_file = '/var/lib/acme/postgresql/key.pem'
+ '';
+ authentication = ''
+ local all postgres ident
+ local all all md5
+ hostssl all all 188.165.209.148/32 md5
+ hostssl all all 178.33.252.96/32 md5
+ hostssl all all all pam
+ hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
+ hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
+ '';
+ };
+
+ security.pam.services = let
+ pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+ pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
+ pkgs.writeText "postgresql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
+ ssl start_tls
+ '';
+ pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${myconfig.env.ldap.host_dn}
+ bindpw ${myconfig.env.ldap.password}
+ pam_login_attribute cn
+ ssl start_tls
+ '';
+ in [
+ {
+ name = "postgresql";
+ text = ''
+ auth required ${pam_ldap} config=${pam_ldap_postgresql}
+ account required ${pam_ldap} config=${pam_ldap_postgresql}
+ '';
+ }
+ {
+ name = "postgresql_replication";
+ text = ''
+ auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ '';
+ }
+ ];
+ };
+}
+
--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ cfg = config.services.myDatabases;
+in {
+ options.services.myDatabases = {
+ redis = {
+ enable = lib.mkOption {
+ default = cfg.enable;
+ example = true;
+ description = "Whether to enable redis database";
+ type = lib.types.bool;
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ ids.uids.redis = myconfig.env.users.redis.uid;
+ ids.gids.redis = myconfig.env.users.redis.gid;
+ users.users.redis.uid = config.ids.uids.redis;
+ users.groups.redis.gid = config.ids.gids.redis;
+ services.redis = rec {
+ enable = config.services.myDatabases.redis.enable;
+ bind = "127.0.0.1";
+ unixSocket = myconfig.env.databases.redis.socket;
+ extraConfig = ''
+ unixsocketperm 777
+ maxclients 1024
+ '';
+ };
+ system.activationScripts.redis = ''
+ mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
+ chown redis $(dirname ${myconfig.env.databases.redis.socket})
+ '';
+
+ };
+}
+
projects / perso / Immae / Config / Nix.git / commitdiff
