blob: 1115a29e314f975072cdb73269f4b50202f43c57 (
plain) (
tree)
|
|
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
cfg = config.services.myDatabases;
in {
options.services.myDatabases = {
enable = lib.mkEnableOption "my databases service";
postgresql = {
enable = lib.mkOption {
default = cfg.enable;
example = true;
description = "Whether to enable postgresql database";
type = lib.types.bool;
};
};
mariadb = {
enable = lib.mkOption {
default = cfg.enable;
example = true;
description = "Whether to enable mariadb database";
type = lib.types.bool;
};
};
redis = {
enable = lib.mkOption {
default = cfg.enable;
example = true;
description = "Whether to enable redis database";
type = lib.types.bool;
};
};
};
config = lib.mkIf cfg.enable {
nixpkgs.config.packageOverrides = oldpkgs: rec {
postgresql = postgresql111;
postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
passthru = old.passthru // { psqlSchema = "11.0"; };
name = "postgresql-11.1";
src = pkgs.fetchurl {
url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
};
configureFlags = old.configureFlags ++ [ "--with-pam" ];
buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
patches = old.patches ++ [
./postgresql_run_socket_path.patch
];
});
mariadb = mariadbPAM;
mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
buildInputs = old.buildInputs ++ [ pkgs.pam ];
});
};
networking.firewall.allowedTCPPorts = [ 3306 5432 ];
# for adminer, ssl is implemented with mysqli only, which is
# currently disabled because it’s not compatible with pam.
# Thus we need to generate two users for each 'remote': one remote
# with SSL, and one localhost without SSL.
# User identified by LDAP:
# CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
# CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
services.mysql = rec {
enable = cfg.mariadb.enable;
package = pkgs.mariadb;
extraOptions = ''
ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
ssl_key = /var/lib/acme/mysql/key.pem
ssl_cert = /var/lib/acme/mysql/fullchain.pem
'';
};
security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
user = "postgres";
group = "postgres";
plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
domain = "db-1.immae.eu";
postRun = ''
systemctl reload postgresql.service
'';
};
security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
user = "mysql";
group = "mysql";
plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
domain = "db-1.immae.eu";
postRun = ''
systemctl restart mysql.service
'';
};
system.activationScripts.postgresql = ''
install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
'';
services.postgresql = rec {
enable = cfg.postgresql.enable;
package = pkgs.postgresql;
enableTCPIP = true;
extraConfig = ''
max_connections = 100
wal_level = logical
shared_buffers = 512MB
work_mem = 10MB
max_wal_size = 1GB
min_wal_size = 80MB
log_timezone = 'Europe/Paris'
datestyle = 'iso, mdy'
timezone = 'Europe/Paris'
lc_messages = 'en_US.UTF-8'
lc_monetary = 'en_US.UTF-8'
lc_numeric = 'en_US.UTF-8'
lc_time = 'en_US.UTF-8'
default_text_search_config = 'pg_catalog.english'
ssl = on
ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
ssl_key_file = '/var/lib/acme/postgresql/key.pem'
'';
authentication = ''
local all postgres ident
local all all md5
hostssl all all 188.165.209.148/32 md5
hostssl all all 178.33.252.96/32 md5
hostssl all all all pam
hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
'';
};
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
pkgs.writeText "mysql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
binddn ${dn}
bindpw ${password}
pam_filter ${filter}
ssl start_tls
'';
pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
pkgs.writeText "postgresql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
binddn ${dn}
bindpw ${password}
pam_filter ${filter}
ssl start_tls
'';
pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
binddn ${myconfig.env.ldap.host_dn}
bindpw ${myconfig.env.ldap.password}
pam_login_attribute cn
ssl start_tls
'';
in [
{
name = "mysql";
text = ''
# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
auth required ${pam_ldap} config=${pam_ldap_mysql}
account required ${pam_ldap} config=${pam_ldap_mysql}
'';
}
{
name = "postgresql";
text = ''
auth required ${pam_ldap} config=${pam_ldap_postgresql}
account required ${pam_ldap} config=${pam_ldap_postgresql}
'';
}
{
name = "postgresql_replication";
text = ''
auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
'';
}
];
ids.uids.redis = myconfig.env.users.redis.uid;
ids.gids.redis = myconfig.env.users.redis.gid;
users.users.redis.uid = config.ids.uids.redis;
users.groups.redis.gid = config.ids.gids.redis;
services.redis = rec {
enable = config.services.myDatabases.redis.enable;
bind = "127.0.0.1";
unixSocket = myconfig.env.databases.redis.socket;
extraConfig = ''
unixsocketperm 777
maxclients 1024
'';
};
system.activationScripts.redis = ''
mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
chown redis $(dirname ${myconfig.env.databases.redis.socket})
'';
};
}
|
