From 182ae57f53731be220075bc87aff4d47a35563b8 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Fri, 17 May 2019 00:49:27 +0200 Subject: [PATCH] Move databases configs to modules --- modules/myids.nix | 2 + modules/private/databases/default.nix | 18 +++ .../private/databases/mariadb.nix | 42 ++++-- .../private/databases/openldap/default.nix | 130 ++++++++++++++++++ .../private/databases/openldap}/immae.schema | 0 .../private}/databases/postgresql.nix | 41 ++++-- modules/private/databases/redis.nix | 57 ++++++++ modules/private/default.nix | 6 + nixops/eldiron.nix | 3 +- nixops/modules/certificates.nix | 1 + nixops/modules/databases/default.nix | 14 -- nixops/modules/databases/openldap.nix | 104 -------------- nixops/modules/databases/redis.nix | 35 ----- 13 files changed, 280 insertions(+), 173 deletions(-) create mode 100644 modules/private/databases/default.nix rename nixops/modules/databases/mysql.nix => modules/private/databases/mariadb.nix (66%) create mode 100644 modules/private/databases/openldap/default.nix rename {nixops/modules/databases => modules/private/databases/openldap}/immae.schema (100%) rename {nixops/modules => modules/private}/databases/postgresql.nix (68%) create mode 100644 modules/private/databases/redis.nix delete mode 100644 nixops/modules/databases/default.nix delete mode 100644 nixops/modules/databases/openldap.nix delete mode 100644 nixops/modules/databases/redis.nix diff --git a/modules/myids.nix b/modules/myids.nix index 17270af..4fb2626 100644 --- a/modules/myids.nix +++ b/modules/myids.nix @@ -4,6 +4,7 @@ config = { ids.uids = { peertube = 394; + redis = 395; nullmailer = 396; mediagoblin = 397; diaspora = 398; @@ -11,6 +12,7 @@ }; ids.gids = { peertube = 394; + redis = 395; nullmailer = 396; mediagoblin = 397; diaspora = 398; diff --git a/modules/private/databases/default.nix b/modules/private/databases/default.nix new file mode 100644 index 0000000..78d91dc --- /dev/null 
+++ b/modules/private/databases/default.nix @@ -0,0 +1,18 @@ +{ lib, config, ... }: +let + cfg = config.myServices.databases; +in +{ + options.myServices = { + databases.enable = lib.mkEnableOption "my databases service"; + databasesCerts = lib.mkOption { + description = "Default databases configurations for certificates as accepted by acme"; + }; + }; + config.myServices.databases = lib.mkIf cfg.enable { + mariadb.enable = true; + openldap.enable = true; + postgresql.enable = true; + redis.enable = true; + }; +} diff --git a/nixops/modules/databases/mysql.nix b/modules/private/databases/mariadb.nix similarity index 66% rename from nixops/modules/databases/mysql.nix rename to modules/private/databases/mariadb.nix index 6739aaa..21f4359 100644 --- a/nixops/modules/databases/mysql.nix +++ b/modules/private/databases/mariadb.nix @@ -1,8 +1,8 @@ { lib, pkgs, config, myconfig, ... }: let - cfg = config.services.myDatabases; + cfg = config.myServices.databases.mariadb; in { - options.services.myDatabases = { + options.myServices.databases = { mariadb = { enable = lib.mkOption { default = cfg.enable; @@ -10,6 +10,31 @@ in { description = "Whether to enable mariadb database"; type = lib.types.bool; }; + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/mysql"; + description = '' + The directory where Mariadb stores its data. + ''; + }; + # Output variables + socketsDir = lib.mkOption { + type = lib.types.path; + default = "/run/mysqld"; + description = '' + The directory where Mariadb puts sockets. + ''; + }; + sockets = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + mysqld = "${cfg.socketsDir}/mysqld.sock"; + }; + readOnly = true; + description = '' + Mariadb sockets + ''; + }; }; }; 
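Review bot: Rebinding `cfg` to `config.myServices.databases.mariadb` turns the untouched context line `default = cfg.enable;` into a reference to the very option it is the default of, so when `myServices.databases.enable` is false (and the `mkIf` in default.nix contributes no definition) evaluating `mariadb.enable` should end in Nix's infinite-recursion error rather than a clean "disabled". Before this change `cfg` was the parent `services.myDatabases`, so the default meant "follow the parent switch". Restore that meaning with `default = config.myServices.databases.enable;` (or simply `default = false;`). The same self-referential default appears in the new openldap, postgresql and redis modules in this patch.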
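Review bot: `socketsDir` sits under the `# Output variables` comment and feeds the read-only `sockets` output, yet it is itself settable and, as far as the hunks of this file show, is never handed to `services.mysql` (the `@@ -23,9 +48,10 @@` hunk only passes `dataDir`); a user who overrides it gets a `sockets.mysqld` path at which no socket is created. Either mark it `readOnly = true;` as the postgresql module in this patch does for its `socketsDir`, or wire it into the mysql configuration. The `dataDir` option, by contrast, is correctly passed through.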
@@ -23,9 +48,10 @@ in { # User identified by LDAP: # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; - services.mysql = rec { - enable = cfg.mariadb.enable; + services.mysql = { + enable = true; package = pkgs.mariadb; + dataDir = cfg.dataDir; extraOptions = '' ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt ssl_key = /var/lib/acme/mysql/key.pem @@ -34,7 +60,7 @@ in { }; users.users.mysql.extraGroups = [ "keys" ]; - security.acme.certs."mysql" = config.services.myCertificates.certConfig // { + security.acme.certs."mysql" = config.myServices.databasesCerts // { user = "mysql"; group = "mysql"; plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; @@ -76,7 +102,7 @@ in { enable = true; systemCronJobs = [ '' - 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql + 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql '' ]; }; @@ -88,8 +114,8 @@ in { name = "mysql"; text = '' # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap} config=/var/secrets/mysql/pam - account required ${pam_ldap} config=/var/secrets/mysql/pam + auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam + account required ${pam_ldap} config=${config.secrets.location}/mysql/pam ''; } ]; diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix new file mode 100644 index 0000000..850f3ff --- /dev/null +++ b/modules/private/databases/openldap/default.nix 
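Review bot: In the `@@ -76,7 +102,7 @@` hunk the cron job still writes `mysqldump --all-databases` to `${cfg.dataDir}/backup.sql` through a shell redirect from root's crontab, so the file's mode comes from the cron environment's umask rather than being set explicitly, and the dump contains every database including the `mysql` grant tables. If that umask is permissive, the dump is readable by more than root and the mysql user; prefixing the command with `umask 077;` or writing into a dedicated directory with restricted permissions would pin this down. The openldap module's `slapcat ... -l ${cfg.dataDir}/backup.ldif` presumably has the same property and could be fixed the same way.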
@@ -0,0 +1,130 @@ +{ lib, pkgs, config, myconfig, ... }: +let + cfg = config.myServices.databases.openldap; + ldapConfig = let + kerberosSchema = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; + sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; + }; + puppetSchema = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; + sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; + }; + in '' + include ${pkgs.openldap}/etc/schema/core.schema + include ${pkgs.openldap}/etc/schema/cosine.schema + include ${pkgs.openldap}/etc/schema/inetorgperson.schema + include ${pkgs.openldap}/etc/schema/nis.schema + include ${puppetSchema} + include ${kerberosSchema} + include ${./immae.schema} + + pidfile ${cfg.pids.pid} + argsfile ${cfg.pids.args} + + moduleload back_hdb + backend hdb + + moduleload memberof + database hdb + suffix "${myconfig.env.ldap.base}" + rootdn "${myconfig.env.ldap.root_dn}" + include ${config.secrets.location}/ldap/password + directory ${cfg.dataDir} + overlay memberof + + TLSCertificateFile /var/lib/acme/ldap/cert.pem + TLSCertificateKeyFile /var/lib/acme/ldap/key.pem + TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem + TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ + #This makes openldap crash + #TLSCipherSuite DEFAULT + + sasl-host kerberos.immae.eu + include ${config.secrets.location}/ldap/access + ''; +in +{ + options.myServices.databases = { + openldap = { + enable = lib.mkOption { + default = cfg.enable; + example = true; + description = "Whether to enable ldap"; + type = lib.types.bool; + }; + dataDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/openldap"; + description = '' + The directory where Openldap stores its data. 
+ ''; + }; + socketsDir = lib.mkOption { + type = lib.types.path; + default = "/run/slapd"; + description = '' + The directory where Openldap puts sockets and pid files. + ''; + }; + # Output variables + pids = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + pid = "${cfg.socketsDir}/slapd.pid"; + args = "${cfg.socketsDir}/slapd.args"; + }; + readOnly = true; + description = '' + Slapd pid files + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + secrets.keys = [ + { + dest = "ldap/password"; + permissions = "0400"; + user = "openldap"; + group = "openldap"; + text = "rootpw ${myconfig.env.ldap.root_pw}"; + } + { + dest = "ldap/access "; + permissions = "0400"; + user = "openldap"; + group = "openldap"; + text = builtins.readFile "${myconfig.privateFiles}/ldap.conf"; + } + ]; + users.users.openldap.extraGroups = [ "keys" ]; + networking.firewall.allowedTCPPorts = [ 636 389 ]; + + services.cron = { + systemCronJobs = [ + '' + 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$" + '' + ]; + }; + + security.acme.certs."ldap" = config.myServices.databasesCerts // { + user = "openldap"; + group = "openldap"; + plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ]; + domain = "ldap.immae.eu"; + postRun = '' + systemctl restart openldap.service + ''; + }; + + services.openldap = { + enable = true; + dataDir = cfg.dataDir; + urlList = [ "ldap://" "ldaps://" ]; + extraConfig = ldapConfig; + }; + }; +} diff --git a/nixops/modules/databases/immae.schema b/modules/private/databases/openldap/immae.schema similarity index 100% rename from nixops/modules/databases/immae.schema rename to modules/private/databases/openldap/immae.schema 
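Review bot: The secret entry `dest = "ldap/access ";` carries a trailing space, while the generated slapd config includes `${config.secrets.location}/ldap/access` without one; unless the secrets module trims `dest`, the access rules are written to a different path than the one slapd is told to read, and slapd would fail to find them at startup — verify against the secrets module. This was carried over from the deleted nixops/modules/databases/openldap.nix rather than introduced here, but the move is the right moment to fix it: `dest = "ldap/access";`. Note also that `networking.firewall.allowedTCPPorts = [ 636 389 ]` opens plain LDAP alongside LDAPS; nothing in `ldapConfig` requires TLS on 389, so if it is meant for StartTLS only, that should be enforced in the slapd config or documented as intentional.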
diff --git a/nixops/modules/databases/postgresql.nix b/modules/private/databases/postgresql.nix similarity index 68% rename from nixops/modules/databases/postgresql.nix rename to modules/private/databases/postgresql.nix index de0820f..26242a8 100644 --- a/nixops/modules/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix @@ -1,8 +1,8 @@ { lib, pkgs, config, myconfig, ... }: let - cfg = config.services.myDatabases; + cfg = config.myServices.databases.postgresql; in { - options.services.myDatabases = { + options.myServices.databases = { postgresql = { enable = lib.mkOption { default = cfg.enable; @@ -10,6 +10,25 @@ in { description = "Whether to enable postgresql database"; type = lib.types.bool; }; + # Output variables + socketsDir = lib.mkOption { + type = lib.types.path; + default = "/run/postgresql"; + description = '' + The directory where Postgresql puts sockets. + ''; + readOnly = true; + }; + systemdRuntimeDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if socketsDir is outside of /run + default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; + lib.strings.removePrefix "/run/" cfg.socketsDir; + description = '' + Adjusted Postgresql sockets directory for systemd + ''; + readOnly = true; + }; }; }; @@ -20,7 +39,7 @@ in { networking.firewall.allowedTCPPorts = [ 5432 ]; - security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { + security.acme.certs."postgresql" = config.myServices.databasesCerts // { user = "postgres"; group = "postgres"; plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; 
@@ -30,10 +49,12 @@ in { ''; }; - systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys"; - systemd.services.postgresql.serviceConfig.RuntimeDirectory = "postgresql"; + systemd.services.postgresql.serviceConfig = { + SupplementaryGroups = "keys"; + RuntimeDirectory = cfg.systemdRuntimeDirectory; + }; services.postgresql = rec { - enable = cfg.postgresql.enable; + enable = true; package = pkgs.postgresql; enableTCPIP = true; extraConfig = '' @@ -103,15 +124,15 @@ in { { name = "postgresql"; text = '' - auth required ${pam_ldap} config=/var/secrets/postgresql/pam - account required ${pam_ldap} config=/var/secrets/postgresql/pam + auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam + account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam ''; } { name = "postgresql_replication"; text = '' - auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication - account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication + auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication + account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication ''; } ]; diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix new file mode 100644 index 0000000..a1c2c75 --- /dev/null +++ b/modules/private/databases/redis.nix 
@@ -0,0 +1,57 @@ +{ lib, config, myconfig, ... }: +let + cfg = config.myServices.databases.redis; +in { + options.myServices.databases.redis = { + enable = lib.mkOption { + default = cfg.enable; + example = true; + description = "Whether to enable redis database"; + type = lib.types.bool; + }; + socketsDir = lib.mkOption { + type = lib.types.path; + default = "/run/redis"; + description = '' + The directory where Redis puts sockets. + ''; + }; + # Output variables + systemdRuntimeDirectory = lib.mkOption { + type = lib.types.str; + # Use ReadWritePaths= instead if socketsDir is outside of /run + default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; + lib.strings.removePrefix "/run/" cfg.socketsDir; + description = '' + Adjusted redis sockets directory for systemd + ''; + readOnly = true; + }; + sockets = lib.mkOption { + type = lib.types.attrsOf lib.types.path; + default = { + redis = "${cfg.socketsDir}/redis.sock"; + }; + readOnly = true; + description = '' + Redis sockets + ''; + }; + }; + + config = lib.mkIf cfg.enable { + users.users.redis.uid = config.ids.uids.redis; + users.groups.redis.gid = config.ids.gids.redis; + services.redis = rec { + enable = true; + bind = "127.0.0.1"; + unixSocket = cfg.sockets.redis; + extraConfig = '' + unixsocketperm 777 + maxclients 1024 + ''; + }; + systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory; + }; +} + diff --git a/modules/private/default.nix b/modules/private/default.nix index 394a85b..a7a23c2 100644 --- a/modules/private/default.nix +++ b/modules/private/default.nix 
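Review bot: `unixsocketperm 777` makes the Redis socket at `cfg.sockets.redis` connectable by every local account, and no `requirepass` appears in the visible `extraConfig`, so any local user can read and modify all data; since `socketsDir` is now a module option, a group-based restriction is straightforward: `unixsocketperm 770` with the consuming service users added to the `redis` group. Minor: `services.redis = rec {` no longer references any of its own attributes, so `rec` can go, and `myconfig` is no longer used in this file's argument set after the uid/gid lookup moved to `config.ids`.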
@@ -3,4 +3,10 @@ httpdInte = import ../websites/httpd-service-builder.nix { httpdName = "Inte"; withUsers = false; }; httpdProd = import ../websites/httpd-service-builder.nix { httpdName = "Prod"; withUsers = false; }; httpdTools = import ../websites/httpd-service-builder.nix { httpdName = "Tools"; withUsers = true; }; + + databases = ./databases; + mariadb = ./databases/mariadb.nix; + openldap = ./databases/openldap; + postgresql = ./databases/postgresql.nix; + redis = ./databases/redis.nix; } diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix index 35ce181..37f901e 100644 --- a/nixops/eldiron.nix +++ b/nixops/eldiron.nix @@ -35,7 +35,6 @@ ./modules/ssh ./modules/certificates.nix ./modules/gitolite - ./modules/databases ./modules/mpd.nix ./modules/websites ./modules/mail.nix @@ -46,8 +45,8 @@ ./modules/buildbot ./modules/dns.nix ] ++ (builtins.attrValues (import ../modules)); + myServices.databases.enable = true; services.myGitolite.enable = true; - services.myDatabases.enable = true; services.pure-ftpd.enable = true; services.irc.enable = true; services.pub.enable = true; diff --git a/nixops/modules/certificates.nix b/nixops/modules/certificates.nix index d648ff7..9a9974e 100644 --- a/nixops/modules/certificates.nix +++ b/nixops/modules/certificates.nix @@ -16,6 +16,7 @@ config = { services.websitesCerts = config.services.myCertificates.certConfig; + myServices.databasesCerts = config.services.myCertificates.certConfig; security.acme.preliminarySelfsigned = true; diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix deleted file mode 100644 index be549b1..0000000 --- a/nixops/modules/databases/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ lib, pkgs, config, myconfig, ... }: -let - cfg = config.services.myDatabases; -in { - imports = [ - ./mysql.nix - ./openldap.nix - ./postgresql.nix - ./redis.nix - ]; - options.services.myDatabases = { - enable = lib.mkEnableOption "my databases service"; - }; -} 
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix deleted file mode 100644 index ff97fb3..0000000 --- a/nixops/modules/databases/openldap.nix +++ /dev/null 
@@ -1,104 +0,0 @@ -{ lib, pkgs, config, myconfig, ... }: -let - cfg = config.services.myDatabases; - ldapConfig = let - kerberosSchema = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"; - sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww"; - }; - puppetSchema = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema"; - sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; - }; - in '' - include ${pkgs.openldap}/etc/schema/core.schema - include ${pkgs.openldap}/etc/schema/cosine.schema - include ${pkgs.openldap}/etc/schema/inetorgperson.schema - include ${pkgs.openldap}/etc/schema/nis.schema - include ${puppetSchema} - include ${kerberosSchema} - include ${./immae.schema} - - pidfile /run/slapd/slapd.pid - argsfile /run/slapd/slapd.args - - moduleload back_hdb - backend hdb - - moduleload memberof - database hdb - suffix "${myconfig.env.ldap.base}" - rootdn "${myconfig.env.ldap.root_dn}" - include /var/secrets/ldap/password - directory /var/lib/openldap - overlay memberof - - TLSCertificateFile /var/lib/acme/ldap/cert.pem - TLSCertificateKeyFile /var/lib/acme/ldap/key.pem - TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem - TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ - #This makes openldap crash - #TLSCipherSuite DEFAULT - - sasl-host kerberos.immae.eu - include /var/secrets/ldap/access - ''; -in { - options.services.myDatabases = { - ldap = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable ldap"; - type = lib.types.bool; - }; - }; - }; - - config = lib.mkIf cfg.enable { - secrets.keys = [ - { - dest = "ldap/password"; - permissions = "0400"; - user = "openldap"; - group = "openldap"; - text = "rootpw ${myconfig.env.ldap.root_pw}"; - } - { - dest = "ldap/access "; - permissions = "0400"; - user = "openldap"; - group = "openldap"; - text = 
builtins.readFile "${myconfig.privateFiles}/ldap.conf"; - } - ]; - users.users.openldap.extraGroups = [ "keys" ]; - networking.firewall.allowedTCPPorts = [ 636 389 ]; - - services.cron = { - systemCronJobs = [ - '' - 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$" - '' - ]; - }; - - security.acme.certs."ldap" = config.services.myCertificates.certConfig // { - user = "openldap"; - group = "openldap"; - plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ]; - domain = "ldap.immae.eu"; - postRun = '' - systemctl restart openldap.service - ''; - }; - - services.openldap = { - enable = config.services.myDatabases.ldap.enable; - dataDir = "/var/lib/openldap"; - urlList = [ "ldap://" "ldaps://" ]; - extraConfig = ldapConfig; - }; - }; -} - diff --git a/nixops/modules/databases/redis.nix b/nixops/modules/databases/redis.nix deleted file mode 100644 index 75c69a6..0000000 --- a/nixops/modules/databases/redis.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ lib, pkgs, config, myconfig, ... }: -let - cfg = config.services.myDatabases; -in { - options.services.myDatabases = { - redis = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable redis database"; - type = lib.types.bool; - }; - }; - }; - - config = lib.mkIf cfg.enable { - ids.uids.redis = myconfig.env.users.redis.uid; - ids.gids.redis = myconfig.env.users.redis.gid; - users.users.redis.uid = config.ids.uids.redis; - users.groups.redis.gid = config.ids.gids.redis; - services.redis = rec { - enable = config.services.myDatabases.redis.enable; - bind = "127.0.0.1"; - unixSocket = myconfig.env.databases.redis.socket; - extraConfig = '' - unixsocketperm 777 - maxclients 1024 - ''; - }; - systemd.services.redis.serviceConfig.RuntimeDirectory = - assert myconfig.env.databases.redis.socket == "/run/redis/redis.sock"; - "redis"; - }; -} - -- 2.41.0