'';
};
- deployment.keys = {
- mysqldump = {
- destDir = "/run/keys/mysql";
+ mySecrets.keys = [
+ {
+ dest = "mysql/mysqldump";
permissions = "0400";
user = "root";
group = "root";
user = root
password = ${myconfig.env.databases.mysql.systemUsers.root}
'';
- };
- mysql-pam = {
- destDir = "/run/keys/mysql";
+ }
+ {
+ dest = "mysql/pam";
permissions = "0400";
user = "mysql";
group = "mysql";
pam_filter ${filter}
ssl start_tls
'';
- };
- };
+ }
+ ];
services.cron = {
enable = true;
systemCronJobs = [
''
- 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
+ 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
''
];
};
name = "mysql";
text = ''
# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
- auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam
- account required ${pam_ldap} config=/run/keys/mysql/mysql-pam
+ auth required ${pam_ldap} config=/var/secrets/mysql/pam
+ account required ${pam_ldap} config=/var/secrets/mysql/pam
'';
}
];
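Review bot: The move from `/run/keys/mysql/...` to `/var/secrets/mysql/...` (the `dest` values and the updated `--defaults-file=` / `config=` paths) changes where the credential material lives, and that should be stated in the commit or in a comment next to `mySecrets.keys`. Under NixOps, `deployment.keys` placed files on a tmpfs at `/run/keys` that is not persisted across reboots; if `mySecrets` writes `/var/secrets` to ordinary disk, the mysqldump root password and the PAM/LDAP bind config now survive reboot in plaintext, so confirm that path is on tmpfs or that this is intended. Ownership and modes look consistent: `mysql/mysqldump` is root:root 0400 and only read by the root cron job, `mysql/pam` is mysql:mysql 0400 and read by `pam_ldap` inside mysqld. A one-line comment such as `# secrets under /var/secrets are persisted on disk; /run/keys was tmpfs` above the key list would make the trade-off visible to the next maintainer. The `mySecrets.keys` attribute set and the `security.pam.services` list both extend outside this excerpt.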
database hdb
suffix "${myconfig.env.ldap.base}"
rootdn "${myconfig.env.ldap.root_dn}"
- include /run/keys/ldap/ldap-password
+ include /var/secrets/ldap/password
directory /var/lib/openldap
overlay memberof
#TLSCipherSuite DEFAULT
sasl-host kerberos.immae.eu
- include /run/keys/ldap/ldap-access
+ include /var/secrets/ldap/access
'';
in {
options.services.myDatabases = {
};
config = lib.mkIf cfg.enable {
- deployment.keys = {
- ldap-password = {
- destDir = "/run/keys/ldap";
+ mySecrets.keys = [
+ {
+ dest = "ldap/password";
permissions = "0400";
user = "openldap";
group = "openldap";
text = "rootpw ${myconfig.env.ldap.root_pw}";
- };
- ldap-access = {
- destDir = "/run/keys/ldap";
+ }
+ {
+ dest = "ldap/access ";
permissions = "0400";
user = "openldap";
group = "openldap";
text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
- };
- };
+ }
+ ];
users.users.openldap.extraGroups = [ "keys" ];
networking.firewall.allowedTCPPorts = [ 636 389 ];
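Review bot: `dest = "ldap/access ";` carries a trailing space, so the secret will be written to a path ending in a space while the slapd config on the new side includes `/var/secrets/ldap/access` without one; slapd will not find the file (or fail to start, depending on how `include` handles a missing file). The line should read `dest = "ldap/access";`, matching `dest = "ldap/password";` directly above it. Also, `users.users.openldap.extraGroups = [ "keys" ];` looks like a leftover from the `/run/keys` scheme, where the `keys` group gated access to that directory; with both files now owned openldap:openldap at 0400 the membership appears unnecessary unless `mySecrets` still uses that group, so consider dropping it to keep openldap's privileges minimal. Note `rootpw ${myconfig.env.ldap.root_pw}` interpolates the LDAP root password into the Nix expression, so it also ends up in the world-readable Nix store; that is pre-existing, but worth keeping in mind when choosing where `/var/secrets` lives. The enclosing `config = lib.mkIf cfg.enable { ... }` block continues outside this excerpt.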
'';
};
- deployment.keys = {
- postgresql-pam = {
- destDir = "/run/keys/postgresql";
+ mySecrets.keys = [
+ {
+ dest = "postgresql/pam";
permissions = "0400";
group = "postgres";
user = "postgres";
pam_filter ${filter}
ssl start_tls
'';
- };
- postgresql-pam_replication = {
- destDir = "/run/keys/postgresql";
+ }
+ {
+ dest = "postgresql/pam_replication";
permissions = "0400";
group = "postgres";
user = "postgres";
pam_login_attribute cn
ssl start_tls
'';
- };
- };
+ }
+ ];
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
{
name = "postgresql";
text = ''
- auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
- account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
+ auth required ${pam_ldap} config=/var/secrets/postgresql/pam
+ account required ${pam_ldap} config=/var/secrets/postgresql/pam
'';
}
{
name = "postgresql_replication";
text = ''
- auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
- account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
+ auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
+ account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
'';
}
];