authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-17 10:26:33 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-17 10:26:49 +0200
commit4aac110f17f0528d90510eec00c9a8df60bcf04f (patch)
treef3fd7dfd999f56f397c1cdc972dd37978e15f0cd
parentffb14c1c25280777f5db3d2129c48dd319381f65 (diff)
Remove direct dependency on myconfig in database modules
-rw-r--r--modules/private/databases/default.nix53
-rw-r--r--modules/private/databases/mariadb.nix40
-rw-r--r--modules/private/databases/openldap/default.nix36
-rw-r--r--modules/private/databases/postgresql.nix119
-rw-r--r--modules/private/databases/redis.nix2
5 files changed, 211 insertions, 39 deletions
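--- a/modules/private/databases/default.nix
+++ b/modules/private/databases/default.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, config, myconfig, ... }:
 let
 cfg = config.myServices.databases;
 in
@@ -9,10 +9,55 @@ in
 description = "Default databases configurations for certificates as accepted by acme";
 };
 };
+
+config.nixpkgs.overlays = lib.mkIf cfg.enable [ (self: super: {
+postgresql = self.postgresql_11_custom;
+}) ];
+
 config.myServices.databases = lib.mkIf cfg.enable {
-mariadb.enable = true;
-openldap.enable = true;
-postgresql.enable = true;
+mariadb = {
+enable = true;
+ldapConfig = {
+inherit (myconfig.env.ldap) host base;
+inherit (myconfig.env.databases.mysql.pam) dn filter password;
+};
+credentials.root = myconfig.env.databases.mysql.systemUsers.root;
+};
+
+openldap = {
+accessFile = "${myconfig.privateFiles}/ldap.conf";
+baseDn = myconfig.env.ldap.base;
+rootDn = myconfig.env.ldap.root_dn;
+rootPw = myconfig.env.ldap.root_pw;
+enable = true;
+};
+
+postgresql = {
+ldapConfig = {
+inherit (myconfig.env.ldap) host base;
+inherit (myconfig.env.databases.postgresql.pam) dn filter password;
+};
+replicationLdapConfig = {
+inherit (myconfig.env.ldap) host base password;
+dn = myconfig.env.ldap.host_dn;
+};
+authorizedHosts = {
+immaeEu = [{
+ip4 = [
+myconfig.env.servers.immaeEu.ips.main.ip4
+myconfig.env.servers.immaeEu.ips.alt.ip4
+];
+}];
+};
+replicationHosts = {
+backup-1 = {
+ip4 = [myconfig.env.servers.backup-1.ips.main.ip4];
+ip6 = myconfig.env.servers.backup-1.ips.main.ip6;
+};
+};
+enable = true;
+};
+
 redis.enable = true;
 };
 }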
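Review bot: The overlay added at new lines 13-15 is what makes `pkgs.postgresql` resolve to `postgresql_11_custom`, while postgresql.nix now declares its `package` option with `default = pkgs.postgresql`; the PostgreSQL version therefore depends on this module's global overlay being active rather than on anything in postgresql.nix itself, and that coupling is invisible to anyone enabling `myServices.databases.postgresql` without this default module. Consider pinning it explicitly here, `postgresql.package = pkgs.postgresql_11_custom;` (after adding `pkgs` to the module arguments), or stating the reliance on the overlay in the `package` option's description. The `credentials.root`, `ldapConfig.password`, `replicationLdapConfig.password` and `rootPw` values on the new side are secrets passed through plain `lib.types.str` options; a short comment above this attribute set naming which of them are secrets would help a reader audit where they flow.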
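--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
 let
 cfg = config.myServices.databases.mariadb;
 in {
@@ -10,6 +10,30 @@ in {
 description = "Whether to enable mariadb database";
 type = lib.types.bool;
 };
+package = lib.mkOption {
+type = lib.types.package;
+default = pkgs.mariadb;
+description = ''
+Mariadb package to use.
+'';
+};
+credentials = lib.mkOption {
+default = {};
+description = "Credentials";
+type = lib.types.attrsOf lib.types.str;
+};
+ldapConfig = lib.mkOption {
+description = "LDAP configuration to allow PAM identification via LDAP";
+type = lib.types.submodule {
+options = {
+host = lib.mkOption { type = lib.types.str; };
+base = lib.mkOption { type = lib.types.str; };
+dn = lib.mkOption { type = lib.types.str; };
+password = lib.mkOption { type = lib.types.str; };
+filter = lib.mkOption { type = lib.types.str; };
+};
+};
+};
 dataDir = lib.mkOption {
 type = lib.types.path;
 default = "/var/lib/mysql";
@@ -50,7 +74,7 @@ in {
 # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
 services.mysql = {
 enable = true;
-package = pkgs.mariadb;
+package = cfg.package;
 dataDir = cfg.dataDir;
 extraOptions = ''
 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
@@ -79,7 +103,7 @@ in {
 text = ''
 [mysqldump]
 user = root
-password = ${myconfig.env.databases.mysql.systemUsers.root}
+password = ${cfg.credentials.root}
 '';
 }
 {
@@ -87,14 +111,14 @@ in {
 permissions = "0400";
 user = "mysql";
 group = "mysql";
-text = with myconfig.env.databases.mysql.pam; ''
-host ${myconfig.env.ldap.host}
-base ${myconfig.env.ldap.base}
+text = with cfg.ldapConfig; ''
+host ${host}
+base ${base}
 binddn ${dn}
 bindpw ${password}
 pam_filter ${filter}
 ssl start_tls
 '';
 }
 ];
 
@@ -102,7 +126,7 @@ in {
 enable = true;
 systemCronJobs = [
 ''
-30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
+30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
 ''
 ];
 };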
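Review bot: `credentials` (new lines 20-24) is declared as a free-form `attrsOf str` with `default = {}` and the description "Credentials", yet new line 106 reads `cfg.credentials.root` unconditionally, so enabling mariadb without setting `credentials.root` fails with a generic missing-attribute error instead of a module-system message naming the option. Declaring the expected shape makes the contract explicit and names the secret: `credentials = lib.mkOption { type = lib.types.submodule { options.root = lib.mkOption { type = lib.types.str; description = "Root password written to the mysqldump defaults file"; }; }; };`. The five `ldapConfig` sub-options carry no descriptions either; `password` is the bind password written into the PAM LDAP file at new line 118, which is worth saying so a reader knows it is a secret and not a reference.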
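--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, myconfig, ... }:
+{ lib, pkgs, config, ... }:
 let
 cfg = config.myServices.databases.openldap;
 ldapConfig = let
@@ -27,8 +27,8 @@ let
 
 moduleload memberof
 database hdb
-suffix "${myconfig.env.ldap.base}"
-rootdn "${myconfig.env.ldap.root_dn}"
+suffix "${cfg.baseDn}"
+rootdn "${cfg.rootDn}"
 include ${config.secrets.location}/ldap/password
 directory ${cfg.dataDir}
 overlay memberof
@@ -53,6 +53,30 @@ in
 description = "Whether to enable ldap";
 type = lib.types.bool;
 };
+baseDn = lib.mkOption {
+type = lib.types.str;
+description = ''
+Base DN for LDAP
+'';
+};
+rootDn = lib.mkOption {
+type = lib.types.str;
+description = ''
+Root DN
+'';
+};
+rootPw = lib.mkOption {
+type = lib.types.str;
+description = ''
+Root (Hashed) password
+'';
+};
+accessFile = lib.mkOption {
+type = lib.types.path;
+description = ''
+The file path that defines the access
+'';
+};
 dataDir = lib.mkOption {
 type = lib.types.path;
 default = "/var/lib/openldap";
@@ -89,14 +113,14 @@ in
 permissions = "0400";
 user = "openldap";
 group = "openldap";
-text = "rootpw ${myconfig.env.ldap.root_pw}";
+text = "rootpw ${cfg.rootPw}";
 }
 {
-dest = "ldap/access ";
+dest = "ldap/access";
 permissions = "0400";
 user = "openldap";
 group = "openldap";
-text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+text = builtins.readFile "${cfg.accessFile}";
 }
 ];
 users.users.openldap.extraGroups = [ "keys" ];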
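Review bot: `builtins.readFile "${cfg.accessFile}"` on new line 123 interpolates a `lib.types.path` value into a string before reading it; if the option is ever set to an actual Nix path (rather than the string default.nix passes today), that interpolation first copies the file into the world-readable Nix store, so the access rules would exist there in addition to the 0400 `ldap/access` entry. `text = builtins.readFile cfg.accessFile;` accepts both strings and paths and avoids the copy. The `accessFile` description "The file path that defines the access" is also vague; `Path to the slapd access-rules file, read at evaluation time and installed as the ldap/access entry` says what the module does with it.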
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index 8c36d84..911a6d1 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -1,4 +1,4 @@
1{ lib, pkgs, config, myconfig, ... }: 1{ lib, pkgs, config, ... }:
2let 2let
3 cfg = config.myServices.databases.postgresql; 3 cfg = config.myServices.databases.postgresql;
4in { 4in {
@@ -10,6 +10,78 @@ in {
10 description = "Whether to enable postgresql database"; 10 description = "Whether to enable postgresql database";
11 type = lib.types.bool; 11 type = lib.types.bool;
12 }; 12 };
13 package = lib.mkOption {
14 type = lib.types.package;
15 default = pkgs.postgresql;
16 description = ''
17 Postgresql package to use.
18 '';
19 };
20 ldapConfig = lib.mkOption {
21 description = "LDAP configuration to allow PAM identification via LDAP";
22 type = lib.types.submodule {
23 options = {
24 host = lib.mkOption { type = lib.types.str; };
25 base = lib.mkOption { type = lib.types.str; };
26 dn = lib.mkOption { type = lib.types.str; };
27 password = lib.mkOption { type = lib.types.str; };
28 filter = lib.mkOption { type = lib.types.str; };
29 };
30 };
31 };
32 replicationLdapConfig = lib.mkOption {
33 description = "LDAP configuration to allow replication";
34 type = lib.types.submodule {
35 options = {
36 host = lib.mkOption { type = lib.types.str; };
37 base = lib.mkOption { type = lib.types.str; };
38 dn = lib.mkOption { type = lib.types.str; };
39 password = lib.mkOption { type = lib.types.str; };
40 };
41 };
42 };
43 authorizedHosts = lib.mkOption {
44 default = {};
45 description = "Hosts to allow connections from";
46 type = lib.types.attrsOf (lib.types.listOf (lib.types.submodule {
47 options = {
48 method = lib.mkOption {
49 default = "md5";
50 type = lib.types.str;
51 };
52 username = lib.mkOption {
53 default = "all";
54 type = lib.types.str;
55 };
56 database = lib.mkOption {
57 default = "all";
58 type = lib.types.str;
59 };
60 ip4 = lib.mkOption {
61 default = [];
62 type = lib.types.listOf lib.types.str;
63 };
64 ip6 = lib.mkOption {
65 default = [];
66 type = lib.types.listOf lib.types.str;
67 };
68 };
69 }));
70 };
71 replicationHosts = lib.mkOption {
72 default = {};
73 description = "Hosts to allow replication from";
74 type = lib.types.attrsOf (lib.types.submodule {
75 options = {
76 ip4 = lib.mkOption {
77 type = lib.types.listOf lib.types.str;
78 };
79 ip6 = lib.mkOption {
80 type = lib.types.listOf lib.types.str;
81 };
82 };
83 });
84 };
13 # Output variables 85 # Output variables
14 socketsDir = lib.mkOption { 86 socketsDir = lib.mkOption {
15 type = lib.types.path; 87 type = lib.types.path;
@@ -33,10 +105,6 @@ in {
33 }; 105 };
34 106
35 config = lib.mkIf cfg.enable { 107 config = lib.mkIf cfg.enable {
36 nixpkgs.overlays = [ (self: super: rec {
37 postgresql = self.postgresql_11_custom;
38 }) ];
39
40 networking.firewall.allowedTCPPorts = [ 5432 ]; 108 networking.firewall.allowedTCPPorts = [ 5432 ];
41 109
42 security.acme.certs."postgresql" = config.myServices.databasesCerts // { 110 security.acme.certs."postgresql" = config.myServices.databasesCerts // {
@@ -53,9 +121,9 @@ in {
53 SupplementaryGroups = "keys"; 121 SupplementaryGroups = "keys";
54 RuntimeDirectory = cfg.systemdRuntimeDirectory; 122 RuntimeDirectory = cfg.systemdRuntimeDirectory;
55 }; 123 };
56 services.postgresql = rec { 124 services.postgresql = {
57 enable = true; 125 enable = true;
58 package = pkgs.postgresql; 126 package = cfg.package;
59 enableTCPIP = true; 127 enableTCPIP = true;
60 extraConfig = '' 128 extraConfig = ''
61 max_connections = 100 129 max_connections = 100
@@ -76,14 +144,25 @@ in {
76 ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem' 144 ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
77 ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem' 145 ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
78 ''; 146 '';
79 authentication = '' 147 authentication = let
148 hosts = builtins.concatStringsSep "\n" (
149 lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v:
150 map (ip6: "hostssl ${v.database} ${v.username} ${ip6}/128 ${v.method}") v.ip6
151 ++ map (ip4: "hostssl ${v.database} ${v.username} ${ip4}/32 ${v.method}") v.ip4
152 ) vs) cfg.authorizedHosts
153 ));
154 replication = builtins.concatStringsSep "\n" (
155 lib.lists.flatten (lib.mapAttrsToList (k: v:
156 map (ip6: "hostssl replication ${k} ${ip6}/128 pam pamservice=postgresql_replication") v.ip6
157 ++ map (ip4: "hostssl replication ${k} ${ip4}/32 pam pamservice=postgresql_replication") v.ip4
158 ) cfg.replicationHosts
159 ));
160 in ''
80 local all postgres ident 161 local all postgres ident
81 local all all md5 162 local all all md5
82 hostssl all all 188.165.209.148/32 md5 163 ${hosts}
83 hostssl all all 178.33.252.96/32 md5
84 hostssl all all all pam 164 hostssl all all all pam
85 hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication 165 ${replication}
86 hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
87 ''; 166 '';
88 }; 167 };
89 168
@@ -93,9 +172,9 @@ in {
93 permissions = "0400"; 172 permissions = "0400";
94 group = "postgres"; 173 group = "postgres";
95 user = "postgres"; 174 user = "postgres";
96 text = with myconfig.env.databases.postgresql.pam; '' 175 text = with cfg.ldapConfig; ''
97 host ${myconfig.env.ldap.host} 176 host ${host}
98 base ${myconfig.env.ldap.base} 177 base ${base}
99 binddn ${dn} 178 binddn ${dn}
100 bindpw ${password} 179 bindpw ${password}
101 pam_filter ${filter} 180 pam_filter ${filter}
@@ -107,11 +186,11 @@ in {
107 permissions = "0400"; 186 permissions = "0400";
108 group = "postgres"; 187 group = "postgres";
109 user = "postgres"; 188 user = "postgres";
110 text = '' 189 text = with cfg.replicationLdapConfig; ''
111 host ${myconfig.env.ldap.host} 190 host ${host}
112 base ${myconfig.env.ldap.base} 191 base ${base}
113 binddn ${myconfig.env.ldap.host_dn} 192 binddn ${dn}
114 bindpw ${myconfig.env.ldap.password} 193 bindpw ${password}
115 pam_login_attribute cn 194 pam_login_attribute cn
116 ssl start_tls 195 ssl start_tls
117 ''; 196 '';
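Review bot: `replicationHosts.<name>.ip6` (new lines 79-81) is typed `listOf str` with no default and is consumed by `map (ip6: …) v.ip6` on new line 156, but default.nix passes `myconfig.env.servers.backup-1.ips.main.ip6` without the list wrapper it uses for `ip4` on the line above; if that value is a single address string the type check rejects it, so either wrap it at the call site or make the option accept a bare string (`lib.types.either lib.types.str (lib.types.listOf lib.types.str)` with coercion). Both submodules append `/32` and `/128` to every entry (new lines 150-151 and 156-157), so `ip4`/`ip6` must be plain host addresses rather than CIDR prefixes, and nothing in the option declarations says so; `description = "IPv4 addresses of the host, without prefix length (a /32 is appended)";` on `ip4` and the `/128` equivalent on `ip6` would prevent a malformed pg_hba.conf. The `hostssl all all all pam` line (164) is unchanged and is not governed by `authorizedHosts`; a comment beside it noting that it accepts connection attempts from any address, with PAM as the only gate, would keep the new per-host rules from being read as the complete allow-list.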
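--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -1,4 +1,4 @@
-{ lib, config, myconfig, ... }:
+{ lib, config, ... }:
 let
 cfg = config.myServices.databases.redis;
 in {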