authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-17 00:49:27 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-17 01:31:05 +0200
commit182ae57f53731be220075bc87aff4d47a35563b8 (patch)
tree79b523057406db394668bbfd720660d6a1e24094
parent6c97d2d715620a1cdc3b8a785174590ec0dafb98 (diff)
Move databases configs to modules
-rw-r--r--modules/myids.nix2
-rw-r--r--modules/private/databases/default.nix18
-rw-r--r--modules/private/databases/mariadb.nix (renamed from nixops/modules/databases/mysql.nix)42
-rw-r--r--modules/private/databases/openldap/default.nix130
-rw-r--r--modules/private/databases/openldap/immae.schema (renamed from nixops/modules/databases/immae.schema)0
-rw-r--r--modules/private/databases/postgresql.nix (renamed from nixops/modules/databases/postgresql.nix)41
-rw-r--r--modules/private/databases/redis.nix57
-rw-r--r--modules/private/default.nix6
-rw-r--r--nixops/eldiron.nix3
-rw-r--r--nixops/modules/certificates.nix1
-rw-r--r--nixops/modules/databases/default.nix14
-rw-r--r--nixops/modules/databases/openldap.nix104
-rw-r--r--nixops/modules/databases/redis.nix35
13 files changed, 280 insertions, 173 deletions
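--- a/modules/myids.nix
+++ b/modules/myids.nix
@@ -4,6 +4,7 @@
 config = {
 ids.uids = {
 peertube = 394;
+redis = 395;
 nullmailer = 396;
 mediagoblin = 397;
 diaspora = 398;
@@ -11,6 +12,7 @@
 };
 ids.gids = {
 peertube = 394;
+redis = 395;
 nullmailer = 396;
 mediagoblin = 397;
 diaspora = 398;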
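Review bot: The redis uid and gid are pinned to 395 on the two added lines, whereas the deleted nixops/modules/databases/redis.nix took them from `myconfig.env.users.redis.uid` and `.gid`, which this commit does not show. If the value previously deployed differs from 395, files already owned by the old redis account (its data and socket directories) stop being accessible to the service after the switch, and the `users.users.redis.uid` line in the new redis.nix will silently apply the new number. Worth confirming against the live host's passwd entry before deploying; a short comment such as `# must match the uid/gid the existing redis data is owned by` next to the two entries would record that constraint.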
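--- /dev/null
+++ b/modules/private/databases/default.nix
@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+let
+cfg = config.myServices.databases;
+in
+{
+options.myServices = {
+databases.enable = lib.mkEnableOption "my databases service";
+databasesCerts = lib.mkOption {
+description = "Default databases configurations for certificates as accepted by acme";
+};
+};
+config.myServices.databases = lib.mkIf cfg.enable {
+mariadb.enable = true;
+openldap.enable = true;
+postgresql.enable = true;
+redis.enable = true;
+};
+}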
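Review bot: `databasesCerts` on lines 8–10 is declared without a `type`, so the module system gives it the unspecified type, which neither validates the value nor merges a second definition, and there is no `default`, so a host that sets `myServices.databases.enable` without also importing nixops/modules/certificates.nix fails inside the `//` expressions of mariadb.nix, openldap/default.nix and postgresql.nix rather than with a message naming this option. Since the only value this commit assigns is `config.services.myCertificates.certConfig`, an attribute set, I would declare it as `type = lib.types.attrs;` and extend the description to say it is merged into each database's `security.acme.certs` entry.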
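--- a/nixops/modules/databases/mysql.nix
+++ b/modules/private/databases/mariadb.nix
@@ -1,8 +1,8 @@
 { lib, pkgs, config, myconfig, ... }:
 let
-cfg = config.services.myDatabases;
+cfg = config.myServices.databases.mariadb;
 in {
-options.services.myDatabases = {
+options.myServices.databases = {
 mariadb = {
 enable = lib.mkOption {
 default = cfg.enable;
@@ -10,6 +10,31 @@ in {
 description = "Whether to enable mariadb database";
 type = lib.types.bool;
 };
+dataDir = lib.mkOption {
+type = lib.types.path;
+default = "/var/lib/mysql";
+description = ''
+The directory where Mariadb stores its data.
+'';
+};
+# Output variables
+socketsDir = lib.mkOption {
+type = lib.types.path;
+default = "/run/mysqld";
+description = ''
+The directory where Mariadb puts sockets.
+'';
+};
+sockets = lib.mkOption {
+type = lib.types.attrsOf lib.types.path;
+default = {
+mysqld = "${cfg.socketsDir}/mysqld.sock";
+};
+readOnly = true;
+description = ''
+Mariadb sockets
+'';
+};
 };
 };
 
@@ -23,9 +48,10 @@ in {
 # User identified by LDAP:
 # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
 # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
-services.mysql = rec {
-enable = cfg.mariadb.enable;
+services.mysql = {
+enable = true;
 package = pkgs.mariadb;
+dataDir = cfg.dataDir;
 extraOptions = ''
 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
 ssl_key = /var/lib/acme/mysql/key.pem
@@ -34,7 +60,7 @@ in {
 };
 
 users.users.mysql.extraGroups = [ "keys" ];
-security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+security.acme.certs."mysql" = config.myServices.databasesCerts // {
 user = "mysql";
 group = "mysql";
 plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
@@ -76,7 +102,7 @@ in {
 enable = true;
 systemCronJobs = [
 ''
-30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
+30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
 ''
 ];
 };
@@ -88,8 +114,8 @@ in {
 name = "mysql";
 text = ''
 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-auth required ${pam_ldap} config=/var/secrets/mysql/pam
-account required ${pam_ldap} config=/var/secrets/mysql/pam
+auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
 '';
 }
 ];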
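Review bot: In the first hunk `cfg` is re-pointed to `config.myServices.databases.mariadb` on line 3, but line 8 still reads `default = cfg.enable;`, so the `enable` option's default now refers to itself; in the old file the same expression meant the parent `services.myDatabases.enable`. When `myServices.databases.enable` is false the `mkIf` in databases/default.nix contributes no definition, and evaluating `mariadb.enable` then looks like it would recurse on its own default, so the module only works on hosts that enable everything. The same pattern is carried into openldap/default.nix (line 51), postgresql.nix (line 8) and redis.nix (line 7); `default = config.myServices.databases.enable;` keeps the old meaning in each, or `default = false;` since databases/default.nix already sets the four flags explicitly. The `options` set this hunk opens closes outside the hunk.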
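--- /dev/null
+++ b/modules/private/databases/openldap/default.nix
@@ -0,0 +1,130 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.databases.openldap;
+ldapConfig = let
+kerberosSchema = pkgs.fetchurl {
+url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+};
+puppetSchema = pkgs.fetchurl {
+url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+};
+in ''
+include ${pkgs.openldap}/etc/schema/core.schema
+include ${pkgs.openldap}/etc/schema/cosine.schema
+include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+include ${pkgs.openldap}/etc/schema/nis.schema
+include ${puppetSchema}
+include ${kerberosSchema}
+include ${./immae.schema}
+
+pidfile ${cfg.pids.pid}
+argsfile ${cfg.pids.args}
+
+moduleload back_hdb
+backend hdb
+
+moduleload memberof
+database hdb
+suffix "${myconfig.env.ldap.base}"
+rootdn "${myconfig.env.ldap.root_dn}"
+include ${config.secrets.location}/ldap/password
+directory ${cfg.dataDir}
+overlay memberof
+
+TLSCertificateFile /var/lib/acme/ldap/cert.pem
+TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
+TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
+#This makes openldap crash
+#TLSCipherSuite DEFAULT
+
+sasl-host kerberos.immae.eu
+include ${config.secrets.location}/ldap/access
+'';
+in
+{
+options.myServices.databases = {
+openldap = {
+enable = lib.mkOption {
+default = cfg.enable;
+example = true;
+description = "Whether to enable ldap";
+type = lib.types.bool;
+};
+dataDir = lib.mkOption {
+type = lib.types.path;
+default = "/var/lib/openldap";
+description = ''
+The directory where Openldap stores its data.
+'';
+};
+socketsDir = lib.mkOption {
+type = lib.types.path;
+default = "/run/slapd";
+description = ''
+The directory where Openldap puts sockets and pid files.
+'';
+};
+# Output variables
+pids = lib.mkOption {
+type = lib.types.attrsOf lib.types.path;
+default = {
+pid = "${cfg.socketsDir}/slapd.pid";
+args = "${cfg.socketsDir}/slapd.args";
+};
+readOnly = true;
+description = ''
+Slapd pid files
+'';
+};
+};
+};
+
+config = lib.mkIf cfg.enable {
+secrets.keys = [
+{
+dest = "ldap/password";
+permissions = "0400";
+user = "openldap";
+group = "openldap";
+text = "rootpw ${myconfig.env.ldap.root_pw}";
+}
+{
+dest = "ldap/access ";
+permissions = "0400";
+user = "openldap";
+group = "openldap";
+text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+}
+];
+users.users.openldap.extraGroups = [ "keys" ];
+networking.firewall.allowedTCPPorts = [ 636 389 ];
+
+services.cron = {
+systemCronJobs = [
+''
+35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
+''
+];
+};
+
+security.acme.certs."ldap" = config.myServices.databasesCerts // {
+user = "openldap";
+group = "openldap";
+plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+domain = "ldap.immae.eu";
+postRun = ''
+systemctl restart openldap.service
+'';
+};
+
+services.openldap = {
+enable = true;
+dataDir = cfg.dataDir;
+urlList = [ "ldap://" "ldaps://" ];
+extraConfig = ldapConfig;
+};
+};
+}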
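Review bot: `dest = "ldap/access ";` on line 95 carries a trailing space, while the slapd configuration on line 44 includes `${config.secrets.location}/ldap/access` without one; unless the secrets module trims `dest`, the access rules are deployed under a different name and slapd cannot read them at startup. The deleted nixops/modules/databases/openldap.nix had the same string, so this is carried over rather than introduced, but the move is the moment to write `dest = "ldap/access";`. Separately, the slapcat job on line 108 runs from root's cron and writes the whole directory to `${cfg.dataDir}/backup.ldif` with whatever mode root's umask yields, so it is worth checking that neither that file nor `dataDir` is readable by other local users, and the `-b "dc=immae,dc=eu"` literal duplicates `myconfig.env.ldap.base` from line 30 and would drift if the base ever changes.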
diff --git a/nixops/modules/databases/immae.schema b/modules/private/databases/openldap/immae.schema
index f5ee5d5..f5ee5d5 100644
--- a/nixops/modules/databases/immae.schema
+++ b/modules/private/databases/openldap/immae.schema
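--- a/nixops/modules/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -1,8 +1,8 @@
 { lib, pkgs, config, myconfig, ... }:
 let
-cfg = config.services.myDatabases;
+cfg = config.myServices.databases.postgresql;
 in {
-options.services.myDatabases = {
+options.myServices.databases = {
 postgresql = {
 enable = lib.mkOption {
 default = cfg.enable;
@@ -10,6 +10,25 @@ in {
 description = "Whether to enable postgresql database";
 type = lib.types.bool;
 };
+# Output variables
+socketsDir = lib.mkOption {
+type = lib.types.path;
+default = "/run/postgresql";
+description = ''
+The directory where Postgresql puts sockets.
+'';
+readOnly = true;
+};
+systemdRuntimeDirectory = lib.mkOption {
+type = lib.types.str;
+# Use ReadWritePaths= instead if socketsDir is outside of /run
+default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+lib.strings.removePrefix "/run/" cfg.socketsDir;
+description = ''
+Adjusted Postgresql sockets directory for systemd
+'';
+readOnly = true;
+};
 };
 };
 
@@ -20,7 +39,7 @@ in {
 
 networking.firewall.allowedTCPPorts = [ 5432 ];
 
-security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
+security.acme.certs."postgresql" = config.myServices.databasesCerts // {
 user = "postgres";
 group = "postgres";
 plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
@@ -30,10 +49,12 @@ in {
 '';
 };
 
-systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
-systemd.services.postgresql.serviceConfig.RuntimeDirectory = "postgresql";
+systemd.services.postgresql.serviceConfig = {
+SupplementaryGroups = "keys";
+RuntimeDirectory = cfg.systemdRuntimeDirectory;
+};
 services.postgresql = rec {
-enable = cfg.postgresql.enable;
+enable = true;
 package = pkgs.postgresql;
 enableTCPIP = true;
 extraConfig = ''
@@ -103,15 +124,15 @@ in {
 {
 name = "postgresql";
 text = ''
-auth required ${pam_ldap} config=/var/secrets/postgresql/pam
-account required ${pam_ldap} config=/var/secrets/postgresql/pam
+auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
 '';
 }
 {
 name = "postgresql_replication";
 text = ''
-auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
-account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
+auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
 '';
 }
 ];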
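Review bot: The `systemdRuntimeDirectory` option on lines 22–31 of the second hunk is duplicated verbatim in redis.nix (lines 20–29), down to the `assert` and the ReadWritePaths comment, so the two will drift the first time one is touched; a small function in the `let` taking the sockets directory and service name and returning that `mkOption` would keep them in step. The bare `assert` also fails with an unexplained "assertion failed" at evaluation time; wrapping it as `assert lib.assertMsg (lib.strings.hasPrefix "/run/" cfg.socketsDir) "socketsDir must be under /run for RuntimeDirectory=";` tells the operator what to change. Note too that `socketsDir` on line 14 is marked `readOnly = true` under "Output variables", whereas mariadb.nix and redis.nix leave their `socketsDir` settable, so the comment placement on line 13 reads as if both options were outputs. The `options` set opened in the first hunk closes outside it.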
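--- /dev/null
+++ b/modules/private/databases/redis.nix
@@ -0,0 +1,57 @@
+{ lib, config, myconfig, ... }:
+let
+cfg = config.myServices.databases.redis;
+in {
+options.myServices.databases.redis = {
+enable = lib.mkOption {
+default = cfg.enable;
+example = true;
+description = "Whether to enable redis database";
+type = lib.types.bool;
+};
+socketsDir = lib.mkOption {
+type = lib.types.path;
+default = "/run/redis";
+description = ''
+The directory where Redis puts sockets.
+'';
+};
+# Output variables
+systemdRuntimeDirectory = lib.mkOption {
+type = lib.types.str;
+# Use ReadWritePaths= instead if socketsDir is outside of /run
+default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+lib.strings.removePrefix "/run/" cfg.socketsDir;
+description = ''
+Adjusted redis sockets directory for systemd
+'';
+readOnly = true;
+};
+sockets = lib.mkOption {
+type = lib.types.attrsOf lib.types.path;
+default = {
+redis = "${cfg.socketsDir}/redis.sock";
+};
+readOnly = true;
+description = ''
+Redis sockets
+'';
+};
+};
+
+config = lib.mkIf cfg.enable {
+users.users.redis.uid = config.ids.uids.redis;
+users.groups.redis.gid = config.ids.gids.redis;
+services.redis = rec {
+enable = true;
+bind = "127.0.0.1";
+unixSocket = cfg.sockets.redis;
+extraConfig = ''
+unixsocketperm 777
+maxclients 1024
+'';
+};
+systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+};
+}
+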
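Review bot: `unixsocketperm 777` on line 50 makes the socket at `${cfg.socketsDir}/redis.sock` connectable by every local account, and nothing in this file sets a `requirepass`, so `bind = "127.0.0.1"` on line 47 only limits network clients while any other local user or compromised service can read and rewrite the whole keyspace. Restricting it to `unixsocketperm 770` and adding the consuming service users to the `redis` group, or supplying a password through the `secrets.keys` mechanism the sibling modules use, would contain that; the setting is carried over from the deleted nixops/modules/databases/redis.nix rather than new here, but the rewrite is the moment to tighten it. Two smaller points: `rec` on line 45 is unused since no attribute refers to a sibling, and line 57 is an extra trailing blank line.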
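--- a/modules/private/default.nix
+++ b/modules/private/default.nix
@@ -3,4 +3,10 @@
 httpdInte = import ../websites/httpd-service-builder.nix { httpdName = "Inte"; withUsers = false; };
 httpdProd = import ../websites/httpd-service-builder.nix { httpdName = "Prod"; withUsers = false; };
 httpdTools = import ../websites/httpd-service-builder.nix { httpdName = "Tools"; withUsers = true; };
+
+databases = ./databases;
+mariadb = ./databases/mariadb.nix;
+openldap = ./databases/openldap;
+postgresql = ./databases/postgresql.nix;
+redis = ./databases/redis.nix;
 }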
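--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -35,7 +35,6 @@
 ./modules/ssh
 ./modules/certificates.nix
 ./modules/gitolite
-./modules/databases
 ./modules/mpd.nix
 ./modules/websites
 ./modules/mail.nix
@@ -46,8 +45,8 @@
 ./modules/buildbot
 ./modules/dns.nix
 ] ++ (builtins.attrValues (import ../modules));
+myServices.databases.enable = true;
 services.myGitolite.enable = true;
-services.myDatabases.enable = true;
 services.pure-ftpd.enable = true;
 services.irc.enable = true;
 services.pub.enable = true;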
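--- a/nixops/modules/certificates.nix
+++ b/nixops/modules/certificates.nix
@@ -16,6 +16,7 @@
 
 config = {
 services.websitesCerts = config.services.myCertificates.certConfig;
+myServices.databasesCerts = config.services.myCertificates.certConfig;
 
 security.acme.preliminarySelfsigned = true;
 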
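--- a/nixops/modules/databases/default.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-cfg = config.services.myDatabases;
-in {
-imports = [
-./mysql.nix
-./openldap.nix
-./postgresql.nix
-./redis.nix
-];
-options.services.myDatabases = {
-enable = lib.mkEnableOption "my databases service";
-};
-}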
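--- a/nixops/modules/databases/openldap.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-cfg = config.services.myDatabases;
-ldapConfig = let
-kerberosSchema = pkgs.fetchurl {
-url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
-sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
-};
-puppetSchema = pkgs.fetchurl {
-url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
-sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
-};
-in ''
-include ${pkgs.openldap}/etc/schema/core.schema
-include ${pkgs.openldap}/etc/schema/cosine.schema
-include ${pkgs.openldap}/etc/schema/inetorgperson.schema
-include ${pkgs.openldap}/etc/schema/nis.schema
-include ${puppetSchema}
-include ${kerberosSchema}
-include ${./immae.schema}
-
-pidfile /run/slapd/slapd.pid
-argsfile /run/slapd/slapd.args
-
-moduleload back_hdb
-backend hdb
-
-moduleload memberof
-database hdb
-suffix "${myconfig.env.ldap.base}"
-rootdn "${myconfig.env.ldap.root_dn}"
-include /var/secrets/ldap/password
-directory /var/lib/openldap
-overlay memberof
-
-TLSCertificateFile /var/lib/acme/ldap/cert.pem
-TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
-TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
-TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
-#This makes openldap crash
-#TLSCipherSuite DEFAULT
-
-sasl-host kerberos.immae.eu
-include /var/secrets/ldap/access
-'';
-in {
-options.services.myDatabases = {
-ldap = {
-enable = lib.mkOption {
-default = cfg.enable;
-example = true;
-description = "Whether to enable ldap";
-type = lib.types.bool;
-};
-};
-};
-
-config = lib.mkIf cfg.enable {
-secrets.keys = [
-{
-dest = "ldap/password";
-permissions = "0400";
-user = "openldap";
-group = "openldap";
-text = "rootpw ${myconfig.env.ldap.root_pw}";
-}
-{
-dest = "ldap/access ";
-permissions = "0400";
-user = "openldap";
-group = "openldap";
-text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
-}
-];
-users.users.openldap.extraGroups = [ "keys" ];
-networking.firewall.allowedTCPPorts = [ 636 389 ];
-
-services.cron = {
-systemCronJobs = [
-''
-35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
-''
-];
-};
-
-security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
-user = "openldap";
-group = "openldap";
-plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
-domain = "ldap.immae.eu";
-postRun = ''
-systemctl restart openldap.service
-'';
-};
-
-services.openldap = {
-enable = config.services.myDatabases.ldap.enable;
-dataDir = "/var/lib/openldap";
-urlList = [ "ldap://" "ldaps://" ];
-extraConfig = ldapConfig;
-};
-};
-}
-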
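--- a/nixops/modules/databases/redis.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-cfg = config.services.myDatabases;
-in {
-options.services.myDatabases = {
-redis = {
-enable = lib.mkOption {
-default = cfg.enable;
-example = true;
-description = "Whether to enable redis database";
-type = lib.types.bool;
-};
-};
-};
-
-config = lib.mkIf cfg.enable {
-ids.uids.redis = myconfig.env.users.redis.uid;
-ids.gids.redis = myconfig.env.users.redis.gid;
-users.users.redis.uid = config.ids.uids.redis;
-users.groups.redis.gid = config.ids.gids.redis;
-services.redis = rec {
-enable = config.services.myDatabases.redis.enable;
-bind = "127.0.0.1";
-unixSocket = myconfig.env.databases.redis.socket;
-extraConfig = ''
-unixsocketperm 777
-maxclients 1024
-'';
-};
-systemd.services.redis.serviceConfig.RuntimeDirectory =
-assert myconfig.env.databases.redis.socket == "/run/redis/redis.sock";
-"redis";
-};
-}
-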