author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-01-26 14:51:19 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-01-26 14:57:15 +0100 |
commit | 7ebcaad53a3261d8a4aefd8a64c5c7d9d8ac2fa0 (patch) | |
tree | 955c11eb61c79333296cfb82f49836bd7e3eca70 | |
parent | bad8f8d3cfaf48e6693f9718857a4648a86b0d37 (diff) | |
Fix the SSL state for databases connections
Whenever possible, we use a socket connection (all postgresql
connections, and a few mysql ones)
When remote (only mysql), we require SSL in the users database (cannot
be enforced globally)
Also, put pam configurations in a correct state
Fixes https://git.immae.eu/mantisbt/view.php?id=89
Fixes https://git.immae.eu/mantisbt/view.php?id=90
Fixes https://git.immae.eu/mantisbt/view.php?id=88
13 files changed, 83 insertions, 35 deletions
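--- a/nixops/modules/databases/default.nix
+++ b/nixops/modules/databases/default.nix
@@ -57,9 +57,21 @@ in {
 
 networking.firewall.allowedTCPPorts = [ 3306 5432 ];
 
+# for adminer, ssl is implemented with mysqli only, which is
+# currently disabled because it’s not compatible with pam.
+# Thus we need to generate two users for each 'remote': one remote
+# with SSL, and one localhost without SSL.
+# User identified by LDAP:
+# CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+# CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
 services.mysql = rec {
 enable = cfg.mariadb.enable;
 package = pkgs.mariadb;
+extraOptions = ''
+ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ssl_key = /var/lib/acme/mysql/key.pem
+ssl_cert = /var/lib/acme/mysql/fullchain.pem
+'';
 };
 
 security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
@@ -72,6 +84,16 @@ in {
 '';
 };
 
+security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+user = "mysql";
+group = "mysql";
+plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+domain = "db-1.immae.eu";
+postRun = ''
+systemctl restart mysql.service
+'';
+};
+
 system.activationScripts.postgresql = ''
 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
 '';
@@ -101,9 +123,6 @@ in {
 authentication = ''
 local all postgres ident
 local all all md5
-hostssl all all samehost md5
-hostssl all all 178.33.252.96/32 md5
-hostssl all all 188.165.209.148/32 md5
 hostssl all all all pam
 hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
 hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
@@ -112,21 +131,31 @@ in {
 
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
+pkgs.writeText "mysql.conf" ''
 host ${myconfig.env.ldap.host}
 base ${myconfig.env.ldap.base}
-binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-bindpw ${myconfig.env.databases.mysql.pam_password}
+binddn ${dn}
+bindpw ${password}
+pam_filter ${filter}
+ssl start_tls
+'';
+pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
+pkgs.writeText "postgresql.conf" ''
+host ${myconfig.env.ldap.host}
+base ${myconfig.env.ldap.base}
+binddn ${dn}
+bindpw ${password}
+pam_filter ${filter}
 ssl start_tls
-pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
 '';
 pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
 host ${myconfig.env.ldap.host}
 base ${myconfig.env.ldap.base}
 binddn ${myconfig.env.ldap.host_dn}
 bindpw ${myconfig.env.ldap.password}
-ssl start_tls
 pam_login_attribute cn
+ssl start_tls
 '';
 in [
 {
@@ -140,8 +169,8 @@ in {
 {
 name = "postgresql";
 text = ''
-auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+auth required ${pam_ldap} config=${pam_ldap_postgresql}
+account required ${pam_ldap} config=${pam_ldap_postgresql}
 '';
 }
 {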
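Review bot: `ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt` in the first hunk points the MariaDB server at the whole public CA bundle, but on the server side `ssl_ca` is the trust anchor used to verify client certificates, not the server's own chain; with the `REQUIRE SSL` users described in the new comment it is unused, and if `REQUIRE X509` or `REQUIRE ISSUER` were ever added, any certificate issued by any public CA would satisfy it. A comment above `extraOptions` such as `# ssl_ca only verifies client certs; replace with a private CA before using REQUIRE X509` would keep that from becoming a surprise later. In the fourth hunk the new `pam_ldap_postgresql` file, like the existing mysql one, embeds `bindpw ${password}` into a `pkgs.writeText` output, i.e. a world-readable path in the Nix store, so that LDAP bind account should be a least-privilege read-only one; if that is the accepted trade-off, a one-line comment saying so would help the next reader.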
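--- a/nixops/modules/websites/chloe/chloe.nix
+++ b/nixops/modules/websites/chloe/chloe.nix
@@ -23,7 +23,8 @@ let
 env[SPIP_LDAP_SEARCH_DN] = "${config.ldap.dn}"
 env[SPIP_LDAP_SEARCH_PW] = "${config.ldap.password}"
 env[SPIP_LDAP_SEARCH] = "${config.ldap.search}"
-env[SPIP_MYSQL_HOST] = "db-1.immae.eu"
+env[SPIP_MYSQL_HOST] = "${config.mysql.host}"
+env[SPIP_MYSQL_PORT] = "${config.mysql.port}"
 env[SPIP_MYSQL_DB] = "${config.mysql.name}"
 env[SPIP_MYSQL_USER] = "${config.mysql.user}"
 env[SPIP_MYSQL_PASSWORD] = "${config.mysql.password}"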
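Review bot: `env[SPIP_MYSQL_PORT] = "${config.mysql.port}"` interpolates `config.mysql.port` into a string, which Nix only allows for strings and paths; if that option is declared as an integer, evaluation fails with a coercion error, so either declare it as a string or write `${toString config.mysql.port}`. The same applies to `database_port: ${config.mysql.port}` in connexionswing.nix, ludivinecassal.nix, piedsjaloux.nix and tellesflorian.nix, and to `${env.postgresql.port}` in diaspora.nix and ttrss.nix. The parameters.yml files previously had `database_port: null`; an empty string reproduces that as a YAML null, so a comment on the option stating whether an empty value means "use the socket" would make the intent explicit.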
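--- a/nixops/modules/websites/chloe/chloe_config_dev/connect.php
+++ b/nixops/modules/websites/chloe/chloe_config_dev/connect.php
@@ -2,5 +2,14 @@
 if (!defined("_ECRIRE_INC_VERSION")) return;
 define('_MYSQL_SET_SQL_MODE',true);
 $GLOBALS['spip_connect_version'] = 0.7;
-spip_connect_db(getenv("SPIP_MYSQL_HOST"),'',getenv("SPIP_MYSQL_USER"),getenv("SPIP_MYSQL_PASSWORD"),getenv("SPIP_MYSQL_DB"),'mysql', 'spip','ldap.php');
+spip_connect_db(
+getenv("SPIP_MYSQL_HOST"),
+getenv("SPIP_MYSQL_PORT"),
+getenv("SPIP_MYSQL_USER"),
+getenv("SPIP_MYSQL_PASSWORD"),
+getenv("SPIP_MYSQL_DB"),
+'mysql',
+'spip',
+'ldap.php'
+);
 ?>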
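Review bot: `getenv("SPIP_MYSQL_PORT")` returns `false` rather than the empty string the old call passed when the variable is absent from the PHP environment, so a missing port now reaches `spip_connect_db` as a boolean; `getenv("SPIP_MYSQL_PORT") ?: ''` keeps the previous behaviour for that case. The prod file `chloe_config_prod/connect.php` is byte-identical to this one (same `2e4439f..18b0933` blobs), so a single shared file referenced from both configs would avoid the two drifting apart.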
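--- a/nixops/modules/websites/chloe/chloe_config_prod/connect.php
+++ b/nixops/modules/websites/chloe/chloe_config_prod/connect.php
@@ -2,5 +2,14 @@
 if (!defined("_ECRIRE_INC_VERSION")) return;
 define('_MYSQL_SET_SQL_MODE',true);
 $GLOBALS['spip_connect_version'] = 0.7;
-spip_connect_db(getenv("SPIP_MYSQL_HOST"),'',getenv("SPIP_MYSQL_USER"),getenv("SPIP_MYSQL_PASSWORD"),getenv("SPIP_MYSQL_DB"),'mysql', 'spip','ldap.php');
+spip_connect_db(
+getenv("SPIP_MYSQL_HOST"),
+getenv("SPIP_MYSQL_PORT"),
+getenv("SPIP_MYSQL_USER"),
+getenv("SPIP_MYSQL_PASSWORD"),
+getenv("SPIP_MYSQL_DB"),
+'mysql',
+'spip',
+'ldap.php'
+);
 ?>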
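--- a/nixops/modules/websites/connexionswing/connexionswing.nix
+++ b/nixops/modules/websites/connexionswing/connexionswing.nix
@@ -7,8 +7,8 @@ let
 writeText "parameters.yml" ''
 # This file is auto-generated during the composer install
 parameters:
-database_host: db-1.immae.eu
-database_port: null
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
 database_name: ${config.mysql.name}
 database_user: ${config.mysql.user}
 database_password: ${config.mysql.password}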
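--- a/nixops/modules/websites/ludivine/ludivinecassal.nix
+++ b/nixops/modules/websites/ludivine/ludivinecassal.nix
@@ -7,8 +7,8 @@ let
 writeText "parameters.yml" ''
 # This file is auto-generated during the composer install
 parameters:
-database_host: db-1.immae.eu
-database_port: null
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
 database_name: ${config.mysql.name}
 database_user: ${config.mysql.user}
 database_password: ${config.mysql.password}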
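--- a/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
+++ b/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
@@ -7,8 +7,8 @@ let
 writeText "parameters.yml" ''
 # This file is auto-generated during the composer install
 parameters:
-database_host: db-1.immae.eu
-database_port: null
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
 database_name: ${config.mysql.name}
 database_user: ${config.mysql.user}
 database_password: ${config.mysql.password}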
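--- a/nixops/modules/websites/tellesflorian/tellesflorian.nix
+++ b/nixops/modules/websites/tellesflorian/tellesflorian.nix
@@ -7,8 +7,8 @@ let
 writeText "parameters.yml" ''
 # This file is auto-generated during the composer install
 parameters:
-database_host: db-1.immae.eu
-database_port: null
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
 database_name: ${config.mysql.name}
 database_user: ${config.mysql.user}
 database_password: ${config.mysql.password}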
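--- a/nixops/modules/websites/tools/dav/davical.nix
+++ b/nixops/modules/websites/tools/dav/davical.nix
@@ -18,7 +18,7 @@ let
 davical = rec {
 config = writeText "davical_config.php" ''
 <?php
-$c->pg_connect[] = "dbname=davical user=davical_app host=db-1.immae.eu password=${env.postgresql.password}";
+$c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
 
 $c->readonly_webdav_collections = false;
 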
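--- a/nixops/modules/websites/tools/diaspora/diaspora.nix
+++ b/nixops/modules/websites/tools/diaspora/diaspora.nix
@@ -99,9 +99,9 @@ let
 database_config = writeText "database.yml" ''
 postgresql: &postgresql
 adapter: postgresql
-host: db-1.immae.eu
-port: 5432
-username: "diaspora"
+host: "${env.postgresql.socket}"
+port: "${env.postgresql.port}"
+username: "${env.postgresql.user}"
 password: "${env.postgresql.password}"
 encoding: unicode
 common: &common
@@ -113,7 +113,7 @@ let
 database: diaspora_development
 production:
 <<: *combined
-database: diaspora
+database: ${env.postgresql.database}
 test:
 <<: *combined
 database: "diaspora_test"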
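--- a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
+++ b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
@@ -20,10 +20,10 @@ let
 config =
 writeText "config_inc.php" ''
 <?php
-$g_hostname = 'db-1.immae.eu';
-$g_db_username = 'mantisbt';
+$g_hostname = '${env.postgresql.socket}';
+$g_db_username = '${env.postgresql.user}';
 $g_db_password = '${env.postgresql.password}';
-$g_database_name = 'mantisbt';
+$g_database_name = '${env.postgresql.database}';
 $g_db_type = 'pgsql';
 $g_crypto_master_salt = '${env.master_salt}';
 $g_allow_signup = OFF;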
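--- a/nixops/modules/websites/tools/tools/ttrss.nix
+++ b/nixops/modules/websites/tools/tools/ttrss.nix
@@ -66,11 +66,11 @@ let
 define('MYSQL_CHARSET', 'UTF8');
 
 define('DB_TYPE', 'pgsql');
-define('DB_HOST', 'db-1.immae.eu');
-define('DB_USER', 'ttrss');
-define('DB_NAME', 'ttrss');
+define('DB_HOST', '${env.postgresql.socket}');
+define('DB_USER', '${env.postgresql.user}');
+define('DB_NAME', '${env.postgresql.database}');
 define('DB_PASS', '${env.postgresql.password}');
-define('DB_PORT', '5432');
+define('DB_PORT', '${env.postgresql.port}');
 
 define('AUTH_AUTO_CREATE', true);
 define('AUTH_AUTO_LOGIN', true);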
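--- a/nixops/modules/websites/tools/tools/yourls.nix
+++ b/nixops/modules/websites/tools/tools/yourls.nix
@@ -18,9 +18,9 @@ let
 define( 'YOURLS_DB_USER', '${env.mysql.user}' );
 define( 'YOURLS_DB_PASS', '${env.mysql.password}' );
 define( 'YOURLS_DB_NAME', '${env.mysql.database}' );
-define( 'YOURLS_DB_HOST', 'db-1.immae.eu' );
+define( 'YOURLS_DB_HOST', '${env.mysql.host}' );
 define( 'YOURLS_DB_PREFIX', 'yourls_' );
-define( 'YOURLS_SITE', 'http://tools.immae.eu/url' );
+define( 'YOURLS_SITE', 'https://tools.immae.eu/url' );
 define( 'YOURLS_HOURS_OFFSET', 0 );
 define( 'YOURLS_LANG', ''' );
 define( 'YOURLS_UNIQUE_URLS', true );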
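Review bot: `YOURLS_DB_HOST` now takes `env.mysql.host` but no port, whereas every other mysql consumer in this commit passes the port separately; if the remote server is not on the default port this connection will fail. The YOURLS sample config documents a `host:port` form for `YOURLS_DB_HOST`, so `define( 'YOURLS_DB_HOST', '${env.mysql.host}:${env.mysql.port}' );` would mirror the others, assuming a port attribute exists in this site's `env.mysql` set (not visible here). The `YOURLS_SITE` change to https is a good catch, since that value is what YOURLS emits in generated short links.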