authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-01-26 14:51:19 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-01-26 14:57:15 +0100
commit7ebcaad53a3261d8a4aefd8a64c5c7d9d8ac2fa0 (patch)
tree955c11eb61c79333296cfb82f49836bd7e3eca70
parentbad8f8d3cfaf48e6693f9718857a4648a86b0d37 (diff)
Fix the SSL state for databases connections
Whenever possible, we use a socket connection (all postgresql connections, and a few mysql ones). When remote (only mysql), we require SSL in the users database (this cannot be enforced globally). Also, put the pam configurations in a correct state. Fixes https://git.immae.eu/mantisbt/view.php?id=89 Fixes https://git.immae.eu/mantisbt/view.php?id=90 Fixes https://git.immae.eu/mantisbt/view.php?id=88
-rw-r--r--nixops/modules/databases/default.nix49
-rw-r--r--nixops/modules/websites/chloe/chloe.nix3
-rw-r--r--nixops/modules/websites/chloe/chloe_config_dev/connect.php11
-rw-r--r--nixops/modules/websites/chloe/chloe_config_prod/connect.php11
-rw-r--r--nixops/modules/websites/connexionswing/connexionswing.nix4
-rw-r--r--nixops/modules/websites/ludivine/ludivinecassal.nix4
-rw-r--r--nixops/modules/websites/piedsjaloux/piedsjaloux.nix4
-rw-r--r--nixops/modules/websites/tellesflorian/tellesflorian.nix4
-rw-r--r--nixops/modules/websites/tools/dav/davical.nix2
-rw-r--r--nixops/modules/websites/tools/diaspora/diaspora.nix8
-rw-r--r--nixops/modules/websites/tools/git/mantisbt/mantisbt.nix6
-rw-r--r--nixops/modules/websites/tools/tools/ttrss.nix8
-rw-r--r--nixops/modules/websites/tools/tools/yourls.nix4
13 files changed, 83 insertions, 35 deletions
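diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix
index 94d8d75..d86373a 100644
--- a/nixops/modules/databases/default.nix
+++ b/nixops/modules/databases/default.nix
@@ -57,9 +57,21 @@ in {
 
 networking.firewall.allowedTCPPorts = [ 3306 5432 ];
 
+# for adminer, ssl is implemented with mysqli only, which is
+# currently disabled because it’s not compatible with pam.
+# Thus we need to generate two users for each 'remote': one remote
+# with SSL, and one localhost without SSL.
+# User identified by LDAP:
+# CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+# CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
 services.mysql = rec {
 enable = cfg.mariadb.enable;
 package = pkgs.mariadb;
+extraOptions = ''
+ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ssl_key = /var/lib/acme/mysql/key.pem
+ssl_cert = /var/lib/acme/mysql/fullchain.pem
+'';
 };
 
 security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
@@ -72,6 +84,16 @@ in {
 '';
 };
 
+security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+user = "mysql";
+group = "mysql";
+plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+domain = "db-1.immae.eu";
+postRun = ''
+systemctl restart mysql.service
+'';
+};
+
 system.activationScripts.postgresql = ''
 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
 '';
@@ -101,9 +123,6 @@ in {
 authentication = ''
 local all postgres ident
 local all all md5
-hostssl all all samehost md5
-hostssl all all 178.33.252.96/32 md5
-hostssl all all 188.165.209.148/32 md5
 hostssl all all all pam
 hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
 hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
@@ -112,21 +131,31 @@ in {
 
 security.pam.services = let
 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
+pkgs.writeText "mysql.conf" ''
 host ${myconfig.env.ldap.host}
 base ${myconfig.env.ldap.base}
-binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-bindpw ${myconfig.env.databases.mysql.pam_password}
+binddn ${dn}
+bindpw ${password}
+pam_filter ${filter}
+ssl start_tls
+'';
+pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
+pkgs.writeText "postgresql.conf" ''
+host ${myconfig.env.ldap.host}
+base ${myconfig.env.ldap.base}
+binddn ${dn}
+bindpw ${password}
+pam_filter ${filter}
 ssl start_tls
-pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
 '';
 pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
 host ${myconfig.env.ldap.host}
 base ${myconfig.env.ldap.base}
 binddn ${myconfig.env.ldap.host_dn}
 bindpw ${myconfig.env.ldap.password}
-ssl start_tls
 pam_login_attribute cn
+ssl start_tls
 '';
 in [
 {
@@ -140,8 +169,8 @@ in {
 {
 name = "postgresql";
 text = ''
-auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+auth required ${pam_ldap} config=${pam_ldap_postgresql}
+account required ${pam_ldap} config=${pam_ldap_postgresql}
 '';
 }
 {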
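Review bot: The LDAP bind passwords in the new `pam_ldap_mysql` and `pam_ldap_postgresql` definitions are interpolated into `pkgs.writeText` files, so `bindpw ${password}` ends up in a world-readable /nix/store path (and in any binary cache this system is pushed to); the older `pam_ldap_postgresql_replication` has the same pattern, but this commit doubles it rather than fixing it. Consider generating these pam_ldap configs outside the store at deploy time, e.g. via a nixops deployment key or an activation script doing `install -m 0600 -o root`, and pointing `config=` at that path. Both new configs also enable `ssl start_tls` without a `tls_cacertfile`/`tls_checkpeer` line, so whether the LDAP server certificate is verified depends on pam_ldap's defaults — worth stating explicitly, e.g. `tls_checkpeer yes` plus `tls_cacertfile ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt`. The `security.pam.services = let … in [` block continues past the end of this hunk.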
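diff --git a/nixops/modules/websites/chloe/chloe.nix b/nixops/modules/websites/chloe/chloe.nix
index 355cca7..9752db6 100644
--- a/nixops/modules/websites/chloe/chloe.nix
+++ b/nixops/modules/websites/chloe/chloe.nix
@@ -23,7 +23,8 @@ let
 env[SPIP_LDAP_SEARCH_DN] = "${config.ldap.dn}"
 env[SPIP_LDAP_SEARCH_PW] = "${config.ldap.password}"
 env[SPIP_LDAP_SEARCH] = "${config.ldap.search}"
-env[SPIP_MYSQL_HOST] = "db-1.immae.eu"
+env[SPIP_MYSQL_HOST] = "${config.mysql.host}"
+env[SPIP_MYSQL_PORT] = "${config.mysql.port}"
 env[SPIP_MYSQL_DB] = "${config.mysql.name}"
 env[SPIP_MYSQL_USER] = "${config.mysql.user}"
 env[SPIP_MYSQL_PASSWORD] = "${config.mysql.password}"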
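diff --git a/nixops/modules/websites/chloe/chloe_config_dev/connect.php b/nixops/modules/websites/chloe/chloe_config_dev/connect.php
index 2e4439f..18b0933 100644
--- a/nixops/modules/websites/chloe/chloe_config_dev/connect.php
+++ b/nixops/modules/websites/chloe/chloe_config_dev/connect.php
@@ -2,5 +2,14 @@
 if (!defined("_ECRIRE_INC_VERSION")) return;
 define('_MYSQL_SET_SQL_MODE',true);
 $GLOBALS['spip_connect_version'] = 0.7;
-spip_connect_db(getenv("SPIP_MYSQL_HOST"),'',getenv("SPIP_MYSQL_USER"),getenv("SPIP_MYSQL_PASSWORD"),getenv("SPIP_MYSQL_DB"),'mysql', 'spip','ldap.php');
+spip_connect_db(
+getenv("SPIP_MYSQL_HOST"),
+getenv("SPIP_MYSQL_PORT"),
+getenv("SPIP_MYSQL_USER"),
+getenv("SPIP_MYSQL_PASSWORD"),
+getenv("SPIP_MYSQL_DB"),
+'mysql',
+'spip',
+'ldap.php'
+);
 ?>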
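diff --git a/nixops/modules/websites/chloe/chloe_config_prod/connect.php b/nixops/modules/websites/chloe/chloe_config_prod/connect.php
index 2e4439f..18b0933 100644
--- a/nixops/modules/websites/chloe/chloe_config_prod/connect.php
+++ b/nixops/modules/websites/chloe/chloe_config_prod/connect.php
@@ -2,5 +2,14 @@
 if (!defined("_ECRIRE_INC_VERSION")) return;
 define('_MYSQL_SET_SQL_MODE',true);
 $GLOBALS['spip_connect_version'] = 0.7;
-spip_connect_db(getenv("SPIP_MYSQL_HOST"),'',getenv("SPIP_MYSQL_USER"),getenv("SPIP_MYSQL_PASSWORD"),getenv("SPIP_MYSQL_DB"),'mysql', 'spip','ldap.php');
+spip_connect_db(
+getenv("SPIP_MYSQL_HOST"),
+getenv("SPIP_MYSQL_PORT"),
+getenv("SPIP_MYSQL_USER"),
+getenv("SPIP_MYSQL_PASSWORD"),
+getenv("SPIP_MYSQL_DB"),
+'mysql',
+'spip',
+'ldap.php'
+);
 ?>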
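diff --git a/nixops/modules/websites/connexionswing/connexionswing.nix b/nixops/modules/websites/connexionswing/connexionswing.nix
index f394574..a9ee2ba 100644
--- a/nixops/modules/websites/connexionswing/connexionswing.nix
+++ b/nixops/modules/websites/connexionswing/connexionswing.nix
@@ -7,8 +7,8 @@ let
 writeText "parameters.yml" ''
 # This file is auto-generated during the composer install
 parameters:
-database_host: db-1.immae.eu
-database_port: null
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
 database_name: ${config.mysql.name}
 database_user: ${config.mysql.user}
 database_password: ${config.mysql.password}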
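Review bot: Making `database_host` configurable leaves the TLS posture of this connection implicit: the commit message says remote MySQL users are created with `REQUIRE SSL`, which only makes the server refuse plaintext, while nothing in parameters.yml makes the Doctrine/PDO client verify the server certificate, so a remote connection would still accept whatever certificate is presented on the wire. If `config.mysql.host` can be anything other than the local socket, add a CA parameter here, e.g. `database_ssl_ca: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt`, and wire it to `PDO::MYSQL_ATTR_SSL_CA` (plus `MYSQL_ATTR_SSL_VERIFY_SERVER_CERT` where the PHP build supports it) in the DBAL `options` of config.yml, which is not visible in this diff. The same applies to the identical parameters.yml changes for ludivine, piedsjaloux and tellesflorian in this commit. The `writeText "parameters.yml"` string continues past the end of this hunk.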
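diff --git a/nixops/modules/websites/ludivine/ludivinecassal.nix b/nixops/modules/websites/ludivine/ludivinecassal.nix
index eff0bf8..e17a64e 100644
--- a/nixops/modules/websites/ludivine/ludivinecassal.nix
+++ b/nixops/modules/websites/ludivine/ludivinecassal.nix
@@ -7,8 +7,8 @@ let
 writeText "parameters.yml" ''
 # This file is auto-generated during the composer install
 parameters:
-database_host: db-1.immae.eu
-database_port: null
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
 database_name: ${config.mysql.name}
 database_user: ${config.mysql.user}
 database_password: ${config.mysql.password}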
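diff --git a/nixops/modules/websites/piedsjaloux/piedsjaloux.nix b/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
index 1b53c4a..52838c6 100644
--- a/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
+++ b/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
@@ -7,8 +7,8 @@ let
 writeText "parameters.yml" ''
 # This file is auto-generated during the composer install
 parameters:
-database_host: db-1.immae.eu
-database_port: null
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
 database_name: ${config.mysql.name}
 database_user: ${config.mysql.user}
 database_password: ${config.mysql.password}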
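diff --git a/nixops/modules/websites/tellesflorian/tellesflorian.nix b/nixops/modules/websites/tellesflorian/tellesflorian.nix
index 4237af8..41be4b0 100644
--- a/nixops/modules/websites/tellesflorian/tellesflorian.nix
+++ b/nixops/modules/websites/tellesflorian/tellesflorian.nix
@@ -7,8 +7,8 @@ let
 writeText "parameters.yml" ''
 # This file is auto-generated during the composer install
 parameters:
-database_host: db-1.immae.eu
-database_port: null
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
 database_name: ${config.mysql.name}
 database_user: ${config.mysql.user}
 database_password: ${config.mysql.password}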
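diff --git a/nixops/modules/websites/tools/dav/davical.nix b/nixops/modules/websites/tools/dav/davical.nix
index 4d0639f..3f43607 100644
--- a/nixops/modules/websites/tools/dav/davical.nix
+++ b/nixops/modules/websites/tools/dav/davical.nix
@@ -18,7 +18,7 @@ let
 davical = rec {
 config = writeText "davical_config.php" ''
 <?php
-$c->pg_connect[] = "dbname=davical user=davical_app host=db-1.immae.eu password=${env.postgresql.password}";
+$c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
 
 $c->readonly_webdav_collections = false;
 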
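diff --git a/nixops/modules/websites/tools/diaspora/diaspora.nix b/nixops/modules/websites/tools/diaspora/diaspora.nix
index 798ebe6..765c0a5 100644
--- a/nixops/modules/websites/tools/diaspora/diaspora.nix
+++ b/nixops/modules/websites/tools/diaspora/diaspora.nix
@@ -99,9 +99,9 @@ let
 database_config = writeText "database.yml" ''
 postgresql: &postgresql
 adapter: postgresql
-host: db-1.immae.eu
-port: 5432
-username: "diaspora"
+host: "${env.postgresql.socket}"
+port: "${env.postgresql.port}"
+username: "${env.postgresql.user}"
 password: "${env.postgresql.password}"
 encoding: unicode
 common: &common
@@ -113,7 +113,7 @@ let
 database: diaspora_development
 production:
 <<: *combined
-database: diaspora
+database: ${env.postgresql.database}
 test:
 <<: *combined
 database: "diaspora_test"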
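diff --git a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
index bc2ff3a..c6c3bff 100644
--- a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
+++ b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
@@ -20,10 +20,10 @@ let
 config =
 writeText "config_inc.php" ''
 <?php
-$g_hostname = 'db-1.immae.eu';
-$g_db_username = 'mantisbt';
+$g_hostname = '${env.postgresql.socket}';
+$g_db_username = '${env.postgresql.user}';
 $g_db_password = '${env.postgresql.password}';
-$g_database_name = 'mantisbt';
+$g_database_name = '${env.postgresql.database}';
 $g_db_type = 'pgsql';
 $g_crypto_master_salt = '${env.master_salt}';
 $g_allow_signup = OFF;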
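diff --git a/nixops/modules/websites/tools/tools/ttrss.nix b/nixops/modules/websites/tools/tools/ttrss.nix
index 76105be..95cca9d 100644
--- a/nixops/modules/websites/tools/tools/ttrss.nix
+++ b/nixops/modules/websites/tools/tools/ttrss.nix
@@ -66,11 +66,11 @@ let
 define('MYSQL_CHARSET', 'UTF8');
 
 define('DB_TYPE', 'pgsql');
-define('DB_HOST', 'db-1.immae.eu');
-define('DB_USER', 'ttrss');
-define('DB_NAME', 'ttrss');
+define('DB_HOST', '${env.postgresql.socket}');
+define('DB_USER', '${env.postgresql.user}');
+define('DB_NAME', '${env.postgresql.database}');
 define('DB_PASS', '${env.postgresql.password}');
-define('DB_PORT', '5432');
+define('DB_PORT', '${env.postgresql.port}');
 
 define('AUTH_AUTO_CREATE', true);
 define('AUTH_AUTO_LOGIN', true);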
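diff --git a/nixops/modules/websites/tools/tools/yourls.nix b/nixops/modules/websites/tools/tools/yourls.nix
index b97dac9..66dd2fd 100644
--- a/nixops/modules/websites/tools/tools/yourls.nix
+++ b/nixops/modules/websites/tools/tools/yourls.nix
@@ -18,9 +18,9 @@ let
 define( 'YOURLS_DB_USER', '${env.mysql.user}' );
 define( 'YOURLS_DB_PASS', '${env.mysql.password}' );
 define( 'YOURLS_DB_NAME', '${env.mysql.database}' );
-define( 'YOURLS_DB_HOST', 'db-1.immae.eu' );
+define( 'YOURLS_DB_HOST', '${env.mysql.host}' );
 define( 'YOURLS_DB_PREFIX', 'yourls_' );
-define( 'YOURLS_SITE', 'http://tools.immae.eu/url' );
+define( 'YOURLS_SITE', 'https://tools.immae.eu/url' );
 define( 'YOURLS_HOURS_OFFSET', 0 );
 define( 'YOURLS_LANG', ''' );
 define( 'YOURLS_UNIQUE_URLS', true );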