networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+ # for adminer, ssl is implemented with mysqli only, which is
+ # currently disabled because it’s not compatible with pam.
+ # Thus we need to generate two users for each 'remote': one remote
+ # with SSL, and one localhost without SSL.
+ # User identified by LDAP:
+ # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+ # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
services.mysql = rec {
enable = cfg.mariadb.enable;
package = pkgs.mariadb;
+ extraOptions = ''
+ ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ ssl_key = /var/lib/acme/mysql/key.pem
+ ssl_cert = /var/lib/acme/mysql/fullchain.pem
+ '';
};
security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
'';
};
+ security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+ user = "mysql";
+ group = "mysql";
+ plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+ domain = "db-1.immae.eu";
+ postRun = ''
+ systemctl restart mysql.service
+ '';
+ };
+
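Review bot: `ssl_ca` on the `extraOptions` line is set to the full public CA bundle, but on the MariaDB server side `ssl_ca` is what client certificates are validated against, so any future `REQUIRE X509`/`REQUIRE ISSUER` grant would accept a client cert from any public CA rather than one you issued; with `REQUIRE SSL` alone, as in the comment, it is harmless, so I would state that explicitly, e.g. `# ssl_ca only matters for REQUIRE X509/ISSUER; REQUIRE SSL does not check client certs`. The example SQL in the comment is not valid as written; MariaDB needs the account quoted, `CREATE USER 'foo'@'%' IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;`. The `postRun` of `systemctl restart mysql.service` drops every open connection on each renewal; if the deployed MariaDB version supports it, `FLUSH SSL` reloads the certificate without a restart (version not visible here, please confirm). With 3306 and 5432 open in `allowedTCPPorts` the only thing keeping non-SSL logins off the network is the `@localhost` split described in the comment, so that comment is load-bearing and worth keeping next to the firewall line.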
system.activationScripts.postgresql = ''
install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
'';
authentication = ''
local all postgres ident
local all all md5
- hostssl all all samehost md5
- hostssl all all 178.33.252.96/32 md5
- hostssl all all 188.165.209.148/32 md5
hostssl all all all pam
hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+ pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
+ pkgs.writeText "mysql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
- binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
- bindpw ${myconfig.env.databases.mysql.pam_password}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
+ ssl start_tls
+ '';
+ pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
+ pkgs.writeText "postgresql.conf" ''
+ host ${myconfig.env.ldap.host}
+ base ${myconfig.env.ldap.base}
+ binddn ${dn}
+ bindpw ${password}
+ pam_filter ${filter}
ssl start_tls
- pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
'';
pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
binddn ${myconfig.env.ldap.host_dn}
bindpw ${myconfig.env.ldap.password}
- ssl start_tls
pam_login_attribute cn
+ ssl start_tls
'';
in [
{
{
name = "postgresql";
text = ''
- auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
- account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+ auth required ${pam_ldap} config=${pam_ldap_postgresql}
+ account required ${pam_ldap} config=${pam_ldap_postgresql}
'';
}
{
env[SPIP_LDAP_SEARCH_DN] = "${config.ldap.dn}"
env[SPIP_LDAP_SEARCH_PW] = "${config.ldap.password}"
env[SPIP_LDAP_SEARCH] = "${config.ldap.search}"
- env[SPIP_MYSQL_HOST] = "db-1.immae.eu"
+ env[SPIP_MYSQL_HOST] = "${config.mysql.host}"
+ env[SPIP_MYSQL_PORT] = "${config.mysql.port}"
env[SPIP_MYSQL_DB] = "${config.mysql.name}"
env[SPIP_MYSQL_USER] = "${config.mysql.user}"
env[SPIP_MYSQL_PASSWORD] = "${config.mysql.password}"
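Review bot: `"${config.mysql.port}"` only evaluates if the `port` option is a string; if it is declared as an integer, Nix refuses to coerce it and the whole module fails to build, so `"${toString config.mysql.port}"` is the safer form (the option declaration is not visible here, so please confirm its type). The same applies to the `database_port: ${config.mysql.port}` lines in the parameters.yml templates further down and to `"${env.postgresql.port}"` in database.yml. Given the commit's own note that remote MySQL users `REQUIRE SSL` while the PHP side has SSL disabled, this only works if `config.mysql.host` resolves to a `@localhost` account; a short comment such as `# must be localhost: remote accounts require SSL, which mysqli has disabled` on the host line would make that constraint visible to whoever next changes the value.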
if (!defined("_ECRIRE_INC_VERSION")) return;
define('_MYSQL_SET_SQL_MODE',true);
$GLOBALS['spip_connect_version'] = 0.7;
-spip_connect_db(getenv("SPIP_MYSQL_HOST"),'',getenv("SPIP_MYSQL_USER"),getenv("SPIP_MYSQL_PASSWORD"),getenv("SPIP_MYSQL_DB"),'mysql', 'spip','ldap.php');
+spip_connect_db(
+ getenv("SPIP_MYSQL_HOST"),
+ getenv("SPIP_MYSQL_PORT"),
+ getenv("SPIP_MYSQL_USER"),
+ getenv("SPIP_MYSQL_PASSWORD"),
+ getenv("SPIP_MYSQL_DB"),
+ 'mysql',
+ 'spip',
+ 'ldap.php'
+);
?>
if (!defined("_ECRIRE_INC_VERSION")) return;
define('_MYSQL_SET_SQL_MODE',true);
$GLOBALS['spip_connect_version'] = 0.7;
-spip_connect_db(getenv("SPIP_MYSQL_HOST"),'',getenv("SPIP_MYSQL_USER"),getenv("SPIP_MYSQL_PASSWORD"),getenv("SPIP_MYSQL_DB"),'mysql', 'spip','ldap.php');
+spip_connect_db(
+ getenv("SPIP_MYSQL_HOST"),
+ getenv("SPIP_MYSQL_PORT"),
+ getenv("SPIP_MYSQL_USER"),
+ getenv("SPIP_MYSQL_PASSWORD"),
+ getenv("SPIP_MYSQL_DB"),
+ 'mysql',
+ 'spip',
+ 'ldap.php'
+);
?>
writeText "parameters.yml" ''
# This file is auto-generated during the composer install
parameters:
- database_host: db-1.immae.eu
- database_port: null
+ database_host: ${config.mysql.host}
+ database_port: ${config.mysql.port}
database_name: ${config.mysql.name}
database_user: ${config.mysql.user}
database_password: ${config.mysql.password}
writeText "parameters.yml" ''
# This file is auto-generated during the composer install
parameters:
- database_host: db-1.immae.eu
- database_port: null
+ database_host: ${config.mysql.host}
+ database_port: ${config.mysql.port}
database_name: ${config.mysql.name}
database_user: ${config.mysql.user}
database_password: ${config.mysql.password}
writeText "parameters.yml" ''
# This file is auto-generated during the composer install
parameters:
- database_host: db-1.immae.eu
- database_port: null
+ database_host: ${config.mysql.host}
+ database_port: ${config.mysql.port}
database_name: ${config.mysql.name}
database_user: ${config.mysql.user}
database_password: ${config.mysql.password}
writeText "parameters.yml" ''
# This file is auto-generated during the composer install
parameters:
- database_host: db-1.immae.eu
- database_port: null
+ database_host: ${config.mysql.host}
+ database_port: ${config.mysql.port}
database_name: ${config.mysql.name}
database_user: ${config.mysql.user}
database_password: ${config.mysql.password}
davical = rec {
config = writeText "davical_config.php" ''
<?php
- $c->pg_connect[] = "dbname=davical user=davical_app host=db-1.immae.eu password=${env.postgresql.password}";
+ $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
$c->readonly_webdav_collections = false;
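Review bot: Switching `host=` from `db-1.immae.eu` to `${env.postgresql.socket}` changes which pg_hba rule matches: a `host=` value starting with `/` makes libpq connect over the Unix socket directory, so the `local all all md5` line applies instead of the `hostssl ... pam` entries, meaning this application now authenticates by password rather than through PAM/LDAP; that looks intended but is worth a comment, e.g. `# socket dir => libpq uses the Unix socket; matched by the "local ... md5" pg_hba rule`. The conninfo string is built by plain interpolation, so a `${env.postgresql.password}` containing a space or single quote would break parsing; quoting it as `password='...'` with embedded quotes escaped is the libpq-safe form (current password charset not visible here). The `database_config`/`mantisbt`/`ttrss` hunks below make the same host-to-socket move and inherit the same pg_hba consequence.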
database_config = writeText "database.yml" ''
postgresql: &postgresql
adapter: postgresql
- host: db-1.immae.eu
- port: 5432
- username: "diaspora"
+ host: "${env.postgresql.socket}"
+ port: "${env.postgresql.port}"
+ username: "${env.postgresql.user}"
password: "${env.postgresql.password}"
encoding: unicode
common: &common
database: diaspora_development
production:
<<: *combined
- database: diaspora
+ database: ${env.postgresql.database}
test:
<<: *combined
database: "diaspora_test"
config =
writeText "config_inc.php" ''
<?php
- $g_hostname = 'db-1.immae.eu';
- $g_db_username = 'mantisbt';
+ $g_hostname = '${env.postgresql.socket}';
+ $g_db_username = '${env.postgresql.user}';
$g_db_password = '${env.postgresql.password}';
- $g_database_name = 'mantisbt';
+ $g_database_name = '${env.postgresql.database}';
$g_db_type = 'pgsql';
$g_crypto_master_salt = '${env.master_salt}';
$g_allow_signup = OFF;
define('MYSQL_CHARSET', 'UTF8');
define('DB_TYPE', 'pgsql');
- define('DB_HOST', 'db-1.immae.eu');
- define('DB_USER', 'ttrss');
- define('DB_NAME', 'ttrss');
+ define('DB_HOST', '${env.postgresql.socket}');
+ define('DB_USER', '${env.postgresql.user}');
+ define('DB_NAME', '${env.postgresql.database}');
define('DB_PASS', '${env.postgresql.password}');
- define('DB_PORT', '5432');
+ define('DB_PORT', '${env.postgresql.port}');
define('AUTH_AUTO_CREATE', true);
define('AUTH_AUTO_LOGIN', true);
define( 'YOURLS_DB_USER', '${env.mysql.user}' );
define( 'YOURLS_DB_PASS', '${env.mysql.password}' );
define( 'YOURLS_DB_NAME', '${env.mysql.database}' );
- define( 'YOURLS_DB_HOST', 'db-1.immae.eu' );
+ define( 'YOURLS_DB_HOST', '${env.mysql.host}' );
define( 'YOURLS_DB_PREFIX', 'yourls_' );
- define( 'YOURLS_SITE', 'http://tools.immae.eu/url' );
+ define( 'YOURLS_SITE', 'https://tools.immae.eu/url' );
define( 'YOURLS_HOURS_OFFSET', 0 );
define( 'YOURLS_LANG', ''' );
define( 'YOURLS_UNIQUE_URLS', true );