From 4ff905632320a55e0c69500891642d98a00245e2 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 14 Mar 2019 07:52:23 +0100 Subject: [PATCH] Move databases configurations to separate files --- nixops/modules/databases/default.nix | 202 +----------------------- nixops/modules/databases/mysql.nix | 78 +++++++++ nixops/modules/databases/postgresql.nix | 121 ++++++++++++++ nixops/modules/databases/redis.nix | 37 +++++ 4 files changed, 239 insertions(+), 199 deletions(-) create mode 100644 nixops/modules/databases/mysql.nix create mode 100644 nixops/modules/databases/postgresql.nix create mode 100644 nixops/modules/databases/redis.nix diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix index 3200181..01a130c 100644 --- a/nixops/modules/databases/default.nix +++ b/nixops/modules/databases/default.nix @@ -3,208 +3,12 @@ let cfg = config.services.myDatabases; in { imports = [ + ./mysql.nix ./openldap.nix + ./postgresql.nix + ./redis.nix ]; options.services.myDatabases = { enable = lib.mkEnableOption "my databases service"; - postgresql = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable postgresql database"; - type = lib.types.bool; - }; - }; - - mariadb = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable mariadb database"; - type = lib.types.bool; - }; - }; - - redis = { - enable = lib.mkOption { - default = cfg.enable; - example = true; - description = "Whether to enable redis database"; - type = lib.types.bool; - }; - }; - }; - - config = lib.mkIf cfg.enable { - nixpkgs.config.packageOverrides = oldpkgs: rec { - postgresql = postgresql111; - postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec { - passthru = old.passthru // { psqlSchema = "11.0"; }; - name = "postgresql-11.1"; - src = pkgs.fetchurl { - url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; - sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; - }; - configureFlags = old.configureFlags ++ [ "--with-pam" ]; - buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ]; - patches = old.patches ++ [ - ./postgresql_run_socket_path.patch - ]; - }); - mariadb = mariadbPAM; - mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec { - cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; - buildInputs = old.buildInputs ++ [ pkgs.pam ]; - }); - }; - - networking.firewall.allowedTCPPorts = [ 3306 5432 ]; - - # for adminer, ssl is implemented with mysqli only, which is - # currently disabled because it’s not compatible with pam. - # Thus we need to generate two users for each 'remote': one remote - # with SSL, and one localhost without SSL. - # User identified by LDAP: - # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; - # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; - services.mysql = rec { - enable = cfg.mariadb.enable; - package = pkgs.mariadb; - extraOptions = '' - ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ssl_key = /var/lib/acme/mysql/key.pem - ssl_cert = /var/lib/acme/mysql/fullchain.pem - ''; - }; - - security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { - user = "postgres"; - group = "postgres"; - plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; - domain = "db-1.immae.eu"; - postRun = '' - systemctl reload postgresql.service - ''; - }; - - security.acme.certs."mysql" = config.services.myCertificates.certConfig // { - user = "mysql"; - group = "mysql"; - plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; - domain = "db-1.immae.eu"; - postRun = '' - systemctl restart mysql.service - ''; - }; - - system.activationScripts.postgresql = '' - install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} - ''; - - services.postgresql = rec { - enable = cfg.postgresql.enable; - package = pkgs.postgresql; - enableTCPIP = true; - extraConfig = '' - max_connections = 100 - wal_level = logical - shared_buffers = 512MB - work_mem = 10MB - max_wal_size = 1GB - min_wal_size = 80MB - log_timezone = 'Europe/Paris' - datestyle = 'iso, mdy' - timezone = 'Europe/Paris' - lc_messages = 'en_US.UTF-8' - lc_monetary = 'en_US.UTF-8' - lc_numeric = 'en_US.UTF-8' - lc_time = 'en_US.UTF-8' - default_text_search_config = 'pg_catalog.english' - ssl = on - ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem' - ssl_key_file = '/var/lib/acme/postgresql/key.pem' - ''; - authentication = '' - local all postgres ident - local all all md5 - hostssl all all 188.165.209.148/32 md5 - hostssl all all 178.33.252.96/32 md5 - hostssl all all all pam - hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication - hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication - ''; - }; - - security.pam.services = let - pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; - pam_ldap_mysql = with myconfig.env.databases.mysql.pam; - pkgs.writeText "mysql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${dn} - bindpw ${password} - pam_filter ${filter} - ssl start_tls - ''; - pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; - pkgs.writeText "postgresql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${dn} - bindpw ${password} - pam_filter ${filter} - ssl start_tls - ''; - pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${myconfig.env.ldap.host_dn} - bindpw ${myconfig.env.ldap.password} - pam_login_attribute cn - ssl start_tls - ''; - in [ - { - name = "mysql"; - text = '' - # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap} config=${pam_ldap_mysql} - account required ${pam_ldap} config=${pam_ldap_mysql} - ''; - } - { - name = "postgresql"; - text = '' - auth required ${pam_ldap} config=${pam_ldap_postgresql} - account required ${pam_ldap} config=${pam_ldap_postgresql} - ''; - } - { - name = "postgresql_replication"; - text = '' - auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} - account required ${pam_ldap} config=${pam_ldap_postgresql_replication} - ''; - } - ]; - - ids.uids.redis = myconfig.env.users.redis.uid; - ids.gids.redis = myconfig.env.users.redis.gid; - users.users.redis.uid = config.ids.uids.redis; - users.groups.redis.gid = config.ids.gids.redis; - services.redis = rec { - enable = config.services.myDatabases.redis.enable; - bind = "127.0.0.1"; - unixSocket = myconfig.env.databases.redis.socket; - extraConfig = '' - unixsocketperm 777 - maxclients 1024 - ''; - }; - system.activationScripts.redis = '' - mkdir -p $(dirname ${myconfig.env.databases.redis.socket}) - chown redis $(dirname ${myconfig.env.databases.redis.socket}) - ''; - }; } diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix new file mode 100644 index 0000000..acf4750 --- /dev/null +++ b/nixops/modules/databases/mysql.nix @@ -0,0 +1,78 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +let + cfg = config.services.myDatabases; +in { + options.services.myDatabases = { + mariadb = { + enable = lib.mkOption { + default = cfg.enable; + example = true; + description = "Whether to enable mariadb database"; + type = lib.types.bool; + }; + }; + }; + + config = lib.mkIf cfg.enable { + nixpkgs.config.packageOverrides = oldpkgs: rec { + mariadb = mariadbPAM; + mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec { + cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; + buildInputs = old.buildInputs ++ [ pkgs.pam ]; + }); + }; + + networking.firewall.allowedTCPPorts = [ 3306 ]; + + # for adminer, ssl is implemented with mysqli only, which is + # currently disabled because it’s not compatible with pam. + # Thus we need to generate two users for each 'remote': one remote + # with SSL, and one localhost without SSL. + # User identified by LDAP: + # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; + # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; + services.mysql = rec { + enable = cfg.mariadb.enable; + package = pkgs.mariadb; + extraOptions = '' + ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ssl_key = /var/lib/acme/mysql/key.pem + ssl_cert = /var/lib/acme/mysql/fullchain.pem + ''; + }; + + security.acme.certs."mysql" = config.services.myCertificates.certConfig // { + user = "mysql"; + group = "mysql"; + plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; + domain = "db-1.immae.eu"; + postRun = '' + systemctl restart mysql.service + ''; + }; + + security.pam.services = let + pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; + pam_ldap_mysql = with myconfig.env.databases.mysql.pam; + pkgs.writeText "mysql.conf" '' + host ${myconfig.env.ldap.host} + base ${myconfig.env.ldap.base} + binddn ${dn} + bindpw ${password} + pam_filter ${filter} + ssl start_tls + ''; + in [ + { + name = "mysql"; + text = '' + # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ + auth required ${pam_ldap} config=${pam_ldap_mysql} + account required ${pam_ldap} config=${pam_ldap_mysql} + ''; + } + ]; + + }; +} + diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix new file mode 100644 index 0000000..2e658f8 --- /dev/null +++ b/nixops/modules/databases/postgresql.nix @@ -0,0 +1,121 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +let + cfg = config.services.myDatabases; +in { + options.services.myDatabases = { + postgresql = { + enable = lib.mkOption { + default = cfg.enable; + example = true; + description = "Whether to enable postgresql database"; + type = lib.types.bool; + }; + }; + }; + + config = lib.mkIf cfg.enable { + nixpkgs.config.packageOverrides = oldpkgs: rec { + postgresql = postgresql111; + postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec { + passthru = old.passthru // { psqlSchema = "11.0"; }; + name = "postgresql-11.1"; + src = pkgs.fetchurl { + url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; + sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; + }; + configureFlags = old.configureFlags ++ [ "--with-pam" ]; + buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ]; + patches = old.patches ++ [ + ./postgresql_run_socket_path.patch + ]; + }); + }; + + networking.firewall.allowedTCPPorts = [ 5432 ]; + + security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { + user = "postgres"; + group = "postgres"; + plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; + domain = "db-1.immae.eu"; + postRun = '' + systemctl reload postgresql.service + ''; + }; + + system.activationScripts.postgresql = '' + install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} + ''; + + services.postgresql = rec { + enable = cfg.postgresql.enable; + package = pkgs.postgresql; + enableTCPIP = true; + extraConfig = '' + max_connections = 100 + wal_level = logical + shared_buffers = 512MB + work_mem = 10MB + max_wal_size = 1GB + min_wal_size = 80MB + log_timezone = 'Europe/Paris' + datestyle = 'iso, mdy' + timezone = 'Europe/Paris' + lc_messages = 'en_US.UTF-8' + lc_monetary = 'en_US.UTF-8' + lc_numeric = 'en_US.UTF-8' + lc_time = 'en_US.UTF-8' + default_text_search_config = 'pg_catalog.english' + ssl = on + ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem' + ssl_key_file = '/var/lib/acme/postgresql/key.pem' + ''; + authentication = '' + local all postgres ident + local all all md5 + hostssl all all 188.165.209.148/32 md5 + hostssl all all 178.33.252.96/32 md5 + hostssl all all all pam + hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication + hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication + ''; + }; + + security.pam.services = let + pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; + pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; + pkgs.writeText "postgresql.conf" '' + host ${myconfig.env.ldap.host} + base ${myconfig.env.ldap.base} + binddn ${dn} + bindpw ${password} + pam_filter ${filter} + ssl start_tls + ''; + pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' + host ${myconfig.env.ldap.host} + base ${myconfig.env.ldap.base} + binddn ${myconfig.env.ldap.host_dn} + bindpw ${myconfig.env.ldap.password} + pam_login_attribute cn + ssl start_tls + ''; + in [ + { + name = "postgresql"; + text = '' + auth required ${pam_ldap} config=${pam_ldap_postgresql} + account required ${pam_ldap} config=${pam_ldap_postgresql} + ''; + } + { + name = "postgresql_replication"; + text = '' + auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} + account required ${pam_ldap} config=${pam_ldap_postgresql_replication} + ''; + } + ]; + }; +} + diff --git a/nixops/modules/databases/redis.nix b/nixops/modules/databases/redis.nix new file mode 100644 index 0000000..7379685 --- /dev/null +++ b/nixops/modules/databases/redis.nix @@ -0,0 +1,37 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +let + cfg = config.services.myDatabases; +in { + options.services.myDatabases = { + redis = { + enable = lib.mkOption { + default = cfg.enable; + example = true; + description = "Whether to enable redis database"; + type = lib.types.bool; + }; + }; + }; + + config = lib.mkIf cfg.enable { + ids.uids.redis = myconfig.env.users.redis.uid; + ids.gids.redis = myconfig.env.users.redis.gid; + users.users.redis.uid = config.ids.uids.redis; + users.groups.redis.gid = config.ids.gids.redis; + services.redis = rec { + enable = config.services.myDatabases.redis.enable; + bind = "127.0.0.1"; + unixSocket = myconfig.env.databases.redis.socket; + extraConfig = '' + unixsocketperm 777 + maxclients 1024 + ''; + }; + system.activationScripts.redis = '' + mkdir -p $(dirname ${myconfig.env.databases.redis.socket}) + chown redis $(dirname ${myconfig.env.databases.redis.socket}) + ''; + + }; +} + -- 2.41.0