Move databases configs to modules

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-17 00:49:27 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-17 01:31:05 +0200
commit: 182ae57f53731be220075bc87aff4d47a35563b8 (patch)
tree: 79b523057406db394668bbfd720660d6a1e24094 /modules/private/databases
parent: 6c97d2d715620a1cdc3b8a785174590ec0dafb98 (diff)
download: Nix-182ae57f53731be220075bc87aff4d47a35563b8.tar.gz
Nix-182ae57f53731be220075bc87aff4d47a35563b8.tar.zst
Nix-182ae57f53731be220075bc87aff4d47a35563b8.zip
6 files changed, 638 insertions, 0 deletions
diff --git a/modules/private/databases/default.nix b/modules/private/databases/default.nix
new file mode 100644
index 0000000..78d91dc
--- /dev/null
+++ b/modules/private/databases/default.nix
@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+let
+  cfg = config.myServices.databases;
+in
+{
+  options.myServices = {
+    databases.enable = lib.mkEnableOption "my databases service";
+    databasesCerts = lib.mkOption {
+      description = "Default databases configurations for certificates as accepted by acme";
+    };
+  };
+  config.myServices.databases = lib.mkIf cfg.enable {
+    mariadb.enable = true;
+    openldap.enable = true;
+    postgresql.enable = true;
+    redis.enable = true;
+  };
+}
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
new file mode 100644
index 0000000..21f4359
--- /dev/null
+++ b/modules/private/databases/mariadb.nix
@@ -0,0 +1,125 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    cfg = config.myServices.databases.mariadb;
+in {
+  options.myServices.databases = {
+    mariadb = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable mariadb database";
+        type = lib.types.bool;
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/mysql";
+        description = ''
+          The directory where Mariadb stores its data.
+        '';
+      };
+      # Output variables
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/mysqld";
+        description = ''
+          The directory where Mariadb puts sockets.
+          '';
+      };
+      sockets = lib.mkOption {
+        type = lib.types.attrsOf lib.types.path;
+        default = {
+          mysqld  = "${cfg.socketsDir}/mysqld.sock";
+        };
+        readOnly = true;
+        description = ''
+          Mariadb sockets
+          '';
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 3306 ];
+    # for adminer, ssl is implemented with mysqli only, which is
+    # currently disabled because it’s not compatible with pam.
+    # Thus we need to generate two users for each 'remote': one remote
+    # with SSL, and one localhost without SSL.
+    # User identified by LDAP:
+    # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+    # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
+    services.mysql = {
+      enable = true;
+      package = pkgs.mariadb;
+      dataDir = cfg.dataDir;
+      extraOptions = ''
+        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+        ssl_key = /var/lib/acme/mysql/key.pem
+        ssl_cert = /var/lib/acme/mysql/fullchain.pem
+        '';
+    };
+    users.users.mysql.extraGroups = [ "keys" ];
+    security.acme.certs."mysql" = config.myServices.databasesCerts // {
+      user = "mysql";
+      group = "mysql";
+      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+      domain = "db-1.immae.eu";
+      postRun = ''
+        systemctl restart mysql.service
+      '';
+    };
+    secrets.keys = [
+      {
+        dest = "mysql/mysqldump";
+        permissions = "0400";
+        user = "root";
+        group = "root";
+        text = ''
+          [mysqldump]
+          user = root
+          password = ${myconfig.env.databases.mysql.systemUsers.root}
+        '';
+      }
+      {
+        dest = "mysql/pam";
+        permissions = "0400";
+        user = "mysql";
+        group = "mysql";
+        text = with myconfig.env.databases.mysql.pam; ''
+          host ${myconfig.env.ldap.host}
+          base ${myconfig.env.ldap.base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_filter ${filter}
+          ssl start_tls
+          '';
+      }
+    ];
+    services.cron = {
+      enable = true;
+      systemCronJobs = [
+        ''
+          30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
+        ''
+      ];
+    };
+    security.pam.services = let
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+    in [
+      {
+        name = "mysql";
+        text = ''
+          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
+          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+          '';
+      }
+    ];
+  };
+}
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
new file mode 100644
index 0000000..850f3ff
--- /dev/null
+++ b/modules/private/databases/openldap/default.nix
@@ -0,0 +1,130 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.databases.openldap;
+  ldapConfig = let
+    kerberosSchema = pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+      sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+    };
+    puppetSchema = pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+      sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+    };
+  in ''
+    include         ${pkgs.openldap}/etc/schema/core.schema
+    include         ${pkgs.openldap}/etc/schema/cosine.schema
+    include         ${pkgs.openldap}/etc/schema/inetorgperson.schema
+    include         ${pkgs.openldap}/etc/schema/nis.schema
+    include         ${puppetSchema}
+    include         ${kerberosSchema}
+    include         ${./immae.schema}
+    pidfile         ${cfg.pids.pid}
+    argsfile        ${cfg.pids.args}
+    moduleload      back_hdb
+    backend         hdb
+    moduleload      memberof
+    database        hdb
+    suffix          "${myconfig.env.ldap.base}"
+    rootdn          "${myconfig.env.ldap.root_dn}"
+    include         ${config.secrets.location}/ldap/password
+    directory       ${cfg.dataDir}
+    overlay         memberof
+    TLSCertificateFile    /var/lib/acme/ldap/cert.pem
+    TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
+    TLSCACertificateFile  /var/lib/acme/ldap/fullchain.pem
+    TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
+    #This makes openldap crash
+    #TLSCipherSuite        DEFAULT
+    sasl-host kerberos.immae.eu
+    include ${config.secrets.location}/ldap/access
+    '';
+in
+{
+  options.myServices.databases = {
+    openldap = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable ldap";
+        type = lib.types.bool;
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/openldap";
+        description = ''
+          The directory where Openldap stores its data.
+        '';
+      };
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/slapd";
+        description = ''
+          The directory where Openldap puts sockets and pid files.
+          '';
+      };
+      # Output variables
+      pids = lib.mkOption {
+        type = lib.types.attrsOf lib.types.path;
+        default = {
+          pid  = "${cfg.socketsDir}/slapd.pid";
+          args = "${cfg.socketsDir}/slapd.args";
+        };
+        readOnly = true;
+        description = ''
+          Slapd pid files
+          '';
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [
+       {
+        dest = "ldap/password";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = "rootpw          ${myconfig.env.ldap.root_pw}";
+      }
+      {
+        dest = "ldap/access ";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+      }
+    ];
+    users.users.openldap.extraGroups = [ "keys" ];
+    networking.firewall.allowedTCPPorts = [ 636 389 ];
+    services.cron = {
+      systemCronJobs = [
+        ''
+          35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
+        ''
+      ];
+    };
+    security.acme.certs."ldap" = config.myServices.databasesCerts // {
+      user = "openldap";
+      group = "openldap";
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      domain = "ldap.immae.eu";
+      postRun = ''
+        systemctl restart openldap.service
+      '';
+    };
+    services.openldap = {
+      enable = true;
+      dataDir = cfg.dataDir;
+      urlList = [ "ldap://" "ldaps://" ];
+      extraConfig = ldapConfig;
+    };
+  };
+}
diff --git a/modules/private/databases/openldap/immae.schema b/modules/private/databases/openldap/immae.schema
new file mode 100644
index 0000000..f5ee5d5
--- /dev/null
+++ b/modules/private/databases/openldap/immae.schema
@@ -0,0 +1,167 @@
+# vim: set filetype=slapd:
+objectIdentifier Immaeroot 1.3.6.1.4.1.50071
+objectIdentifier Immae Immaeroot:2
+objectIdentifier ImmaeattributeType Immae:3
+objectIdentifier ImmaeobjectClass Immae:4
+# TT-RSS
+attributetype ( ImmaeattributeType:1 NAME 'immaeTtrssLogin'
+        DESC 'login for TTRSS'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+objectclass ( ImmaeobjectClass:1 NAME 'immaeTtrssClass'
+        DESC 'Expansion of the existing object classes for ttrss'
+        SUP top AUXILIARY
+        MUST ( immaeTtrssLogin ) )
+# FTP
+attributetype ( ImmaeattributeType:2 NAME 'immaeFtpDirectory'
+        DESC 'home directory for ftp'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+attributetype ( ImmaeattributeType:3 NAME 'immaeFtpUid'
+        DESC 'user id for ftp'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+attributetype ( ImmaeattributeType:4 NAME 'immaeFtpGid'
+        DESC 'group id for ftp'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+objectclass ( ImmaeobjectClass:2 NAME 'immaeFtpClass'
+        DESC 'Expansion of the existing object classes for ftp'
+        SUP top AUXILIARY
+        MUST ( immaeFtpDirectory $ immaeFtpGid $ immaeFtpUid ) )
+# SSH keys
+attributetype ( ImmaeattributeType:5 NAME 'immaeSshKey'
+        DESC 'OpenSSH Public key'
+        EQUALITY octetStringMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+objectClass ( ImmaeobjectClass:3 NAME 'immaeSshClass'
+        DESC 'OpenSSH class'
+        SUP top AUXILIARY
+        MAy ( immaeSSHKey ) )
+# Specific access
+attributetype (ImmaeattributeType:6 NAME 'immaeAccessDn'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+attributetype (ImmaeattributeType:17 NAME 'immaeAccessWriteDn'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+objectClass ( ImmaeobjectClass:4 NAME 'immaeAccessClass'
+        DESC 'Access class'
+        SUP top AUXILIARY
+        MAY ( immaeAccessDn $ immaeAccessWriteDn $ immaeAccessReadSubtree ) )
+# Xmpp uid
+attributetype ( ImmaeattributeType:7 NAME 'immaeXmppUid'
+        DESC 'user part for Xmpp'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+objectclass ( ImmaeobjectClass:5 NAME 'immaeXmppClass'
+        DESC 'Expansion of the existing object classes for XMPP'
+        SUP top AUXILIARY
+        MUST ( immaeXmppUid ) )
+# Postfix accounts
+attributetype ( ImmaeattributeType:8 NAME 'immaePostfixAddress'
+        DESC 'the dovecot address to match as username'
+        EQUALITY caseIgnoreIA5Match
+        SUBSTR caseIgnoreIA5SubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+attributetype ( ImmaeattributeType:9 NAME 'immaePostfixHome'
+        DESC 'the postfix home directory'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributetype ( ImmaeattributeType:10 NAME 'immaePostfixMail'
+        DESC 'the dovecot mail location'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributetype ( ImmaeattributeType:11 NAME 'immaePostfixUid'
+        DESC 'the dovecot uid'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid'
+        DESC 'the dovecot gid'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
+        DESC 'Expansion of the existing object classes for Postfix'
+        SUP top AUXILIARY
+        MUST ( immaePostfixAddress $ immaePostfixHome $
+          immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
+        )
+# Tinc informations
+# Domaine = une classe a part ou une partie du dn ?
+# attributetype ( ImmaeattributeType:13 NAME 'immaeTincIpSegment'
+#         DESC 'the internal ip segment in tinc'
+#         EQUALITY caseIgnoreIA5Match
+#         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+# 
+# attributetype ( ImmaeattributeType:14 NAME 'immaeTincSubdomain'
+#         DESC 'the host subdomain'
+#         EQUALITY caseIgnoreIA5Match
+#         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+# 
+# attributetype ( ImmaeattributeType:15 NAME 'immaeTincHostname'
+#         DESC 'the host name'
+#         EQUALITY caseIgnoreIA5Match
+#         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+# 
+# objectclass ( ImmaeobjectClass:7 NAME 'immaeTincHostClass'
+#       DESC 'Expansion of the existing object classes for Tinc'
+#       SUP top AUXILIARY
+#       MUST ( immaeTincInternalIp $ immaeTincSubdomain $
+#         immaeTincHostname )
+#         )
+attributetype (ImmaeattributeType:16 NAME 'immaePuppetJson'
+        DESC 'Puppet hiera json'
+        EQUALITY octetStringMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
+        DESC 'Expansion of the existing object classes for Puppet'
+        SUP top AUXILIARY
+        MUST ( immaePuppetJson )
+        )
+attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
+        DESC 'Taskwarrior server Org:Name:Key'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
+        DESC 'Expansion of the existing object classes for Task'
+        SUP top AUXILIARY
+        MUST ( immaeTaskId )
+        )
+# Last:
+# attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
+# objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
new file mode 100644
index 0000000..26242a8
--- /dev/null
+++ b/modules/private/databases/postgresql.nix
@@ -0,0 +1,141 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    cfg = config.myServices.databases.postgresql;
+in {
+  options.myServices.databases = {
+    postgresql = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable postgresql database";
+        type = lib.types.bool;
+      };
+      # Output variables
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/postgresql";
+        description = ''
+          The directory where Postgresql puts sockets.
+          '';
+        readOnly = true;
+      };
+      systemdRuntimeDirectory = lib.mkOption {
+        type = lib.types.str;
+        # Use ReadWritePaths= instead if socketsDir is outside of /run
+        default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+          lib.strings.removePrefix "/run/" cfg.socketsDir;
+        description = ''
+        Adjusted Postgresql sockets directory for systemd
+        '';
+        readOnly = true;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    nixpkgs.overlays = [ (self: super: rec {
+      postgresql = self.postgresql_11_custom;
+    }) ];
+    networking.firewall.allowedTCPPorts = [ 5432 ];
+    security.acme.certs."postgresql" = config.myServices.databasesCerts // {
+      user = "postgres";
+      group = "postgres";
+      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+      domain = "db-1.immae.eu";
+      postRun = ''
+        systemctl reload postgresql.service
+      '';
+    };
+    systemd.services.postgresql.serviceConfig = {
+      SupplementaryGroups = "keys";
+      RuntimeDirectory = cfg.systemdRuntimeDirectory;
+    };
+    services.postgresql = rec {
+      enable = true;
+      package = pkgs.postgresql;
+      enableTCPIP = true;
+      extraConfig = ''
+        max_connections = 100
+        wal_level = logical
+        shared_buffers = 512MB
+        work_mem = 10MB
+        max_wal_size = 1GB
+        min_wal_size = 80MB
+        log_timezone = 'Europe/Paris'
+        datestyle = 'iso, mdy'
+        timezone = 'Europe/Paris'
+        lc_messages = 'en_US.UTF-8'
+        lc_monetary = 'en_US.UTF-8'
+        lc_numeric = 'en_US.UTF-8'
+        lc_time = 'en_US.UTF-8'
+        default_text_search_config = 'pg_catalog.english'
+        ssl = on
+        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
+        '';
+      authentication = ''
+        local   all     postgres                                ident
+        local   all     all                                     md5
+        hostssl all     all     188.165.209.148/32              md5
+        hostssl all     all     178.33.252.96/32                md5
+        hostssl all     all     all                             pam
+        hostssl replication     backup-1        2001:41d0:302:1100::9:e5a9/128  pam pamservice=postgresql_replication
+        hostssl replication     backup-1        54.37.151.137/32                pam pamservice=postgresql_replication
+      '';
+    };
+    secrets.keys = [
+      {
+        dest = "postgresql/pam";
+        permissions = "0400";
+        group = "postgres";
+        user = "postgres";
+        text =  with myconfig.env.databases.postgresql.pam; ''
+          host ${myconfig.env.ldap.host}
+          base ${myconfig.env.ldap.base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_filter ${filter}
+          ssl start_tls
+        '';
+      }
+      {
+        dest = "postgresql/pam_replication";
+        permissions = "0400";
+        group = "postgres";
+        user = "postgres";
+        text = ''
+          host ${myconfig.env.ldap.host}
+          base ${myconfig.env.ldap.base}
+          binddn ${myconfig.env.ldap.host_dn}
+          bindpw ${myconfig.env.ldap.password}
+          pam_login_attribute cn
+          ssl start_tls
+        '';
+      }
+    ];
+    security.pam.services = let
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+    in [
+      {
+        name = "postgresql";
+        text = ''
+          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+          '';
+      }
+      {
+        name = "postgresql_replication";
+        text = ''
+          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+          '';
+      }
+    ];
+  };
+}
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
new file mode 100644
index 0000000..a1c2c75
--- /dev/null
+++ b/modules/private/databases/redis.nix
@@ -0,0 +1,57 @@
+{ lib, config, myconfig,  ... }:
+let
+    cfg = config.myServices.databases.redis;
+in {
+  options.myServices.databases.redis = {
+    enable = lib.mkOption {
+      default = cfg.enable;
+      example = true;
+      description = "Whether to enable redis database";
+      type = lib.types.bool;
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/redis";
+      description = ''
+        The directory where Redis puts sockets.
+        '';
+    };
+    # Output variables
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted redis sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        redis  = "${cfg.socketsDir}/redis.sock";
+      };
+      readOnly = true;
+      description = ''
+        Redis sockets
+        '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    users.users.redis.uid = config.ids.uids.redis;
+    users.groups.redis.gid = config.ids.gids.redis;
+    services.redis = rec {
+      enable = true;
+      bind = "127.0.0.1";
+      unixSocket = cfg.sockets.redis;
+      extraConfig = ''
+        unixsocketperm 777
+        maxclients 1024
+        '';
+    };
+    systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+  };
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-17 00:49:27 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-17 01:31:05 +0200
commit	182ae57f53731be220075bc87aff4d47a35563b8 (patch)
tree	79b523057406db394668bbfd720660d6a1e24094 /modules/private/databases
parent	6c97d2d715620a1cdc3b8a785174590ec0dafb98 (diff)
download	Nix-182ae57f53731be220075bc87aff4d47a35563b8.tar.gz Nix-182ae57f53731be220075bc87aff4d47a35563b8.tar.zst Nix-182ae57f53731be220075bc87aff4d47a35563b8.zip

diff --git a/modules/private/databases/default.nix b/modules/private/databases/default.nix new file mode 100644 index 0000000..78d91dc --- /dev/null +++ b/modules/private/databases/default.nix
@@ -0,0 +1,18 @@
	1	{ lib, config, ... }:
	2	let
	3	cfg = config.myServices.databases;
	4	in
	5	{
	6	options.myServices = {
	7	databases.enable = lib.mkEnableOption "my databases service";
	8	databasesCerts = lib.mkOption {
	9	description = "Default databases configurations for certificates as accepted by acme";
	10	};
	11	};
	12	config.myServices.databases = lib.mkIf cfg.enable {
	13	mariadb.enable = true;
	14	openldap.enable = true;
	15	postgresql.enable = true;
	16	redis.enable = true;
	17	};
	18	}


diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix new file mode 100644 index 0000000..21f4359 --- /dev/null +++ b/modules/private/databases/mariadb.nix
@@ -0,0 +1,125 @@
	1	{ lib, pkgs, config, myconfig, ... }:
	2	let
	3	cfg = config.myServices.databases.mariadb;
	4	in {
	5	options.myServices.databases = {
	6	mariadb = {
	7	enable = lib.mkOption {
	8	default = cfg.enable;
	9	example = true;
	10	description = "Whether to enable mariadb database";
	11	type = lib.types.bool;
	12	};
	13	dataDir = lib.mkOption {
	14	type = lib.types.path;
	15	default = "/var/lib/mysql";
	16	description = ''
	17	The directory where Mariadb stores its data.
	18	'';
	19	};
	20	# Output variables
	21	socketsDir = lib.mkOption {
	22	type = lib.types.path;
	23	default = "/run/mysqld";
	24	description = ''
	25	The directory where Mariadb puts sockets.
	26	'';
	27	};
	28	sockets = lib.mkOption {
	29	type = lib.types.attrsOf lib.types.path;
	30	default = {
	31	mysqld = "${cfg.socketsDir}/mysqld.sock";
	32	};
	33	readOnly = true;
	34	description = ''
	35	Mariadb sockets
	36	'';
	37	};
	38	};
	39	};
	40
	41	config = lib.mkIf cfg.enable {
	42	networking.firewall.allowedTCPPorts = [ 3306 ];
	43
	44	# for adminer, ssl is implemented with mysqli only, which is
	45	# currently disabled because it’s not compatible with pam.
	46	# Thus we need to generate two users for each 'remote': one remote
	47	# with SSL, and one localhost without SSL.
	48	# User identified by LDAP:
	49	# CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
	50	# CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
	51	services.mysql = {
	52	enable = true;
	53	package = pkgs.mariadb;
	54	dataDir = cfg.dataDir;
	55	extraOptions = ''
	56	ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
	57	ssl_key = /var/lib/acme/mysql/key.pem
	58	ssl_cert = /var/lib/acme/mysql/fullchain.pem
	59	'';
	60	};
	61
	62	users.users.mysql.extraGroups = [ "keys" ];
	63	security.acme.certs."mysql" = config.myServices.databasesCerts // {
	64	user = "mysql";
	65	group = "mysql";
	66	plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
	67	domain = "db-1.immae.eu";
	68	postRun = ''
	69	systemctl restart mysql.service
	70	'';
	71	};
	72
	73	secrets.keys = [
	74	{
	75	dest = "mysql/mysqldump";
	76	permissions = "0400";
	77	user = "root";
	78	group = "root";
	79	text = ''
	80	[mysqldump]
	81	user = root
	82	password = ${myconfig.env.databases.mysql.systemUsers.root}
	83	'';
	84	}
	85	{
	86	dest = "mysql/pam";
	87	permissions = "0400";
	88	user = "mysql";
	89	group = "mysql";
	90	text = with myconfig.env.databases.mysql.pam; ''
	91	host ${myconfig.env.ldap.host}
	92	base ${myconfig.env.ldap.base}
	93	binddn ${dn}
	94	bindpw ${password}
	95	pam_filter ${filter}
	96	ssl start_tls
	97	'';
	98	}
	99	];
	100
	101	services.cron = {
	102	enable = true;
	103	systemCronJobs = [
	104	''
	105	30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
	106	''
	107	];
	108	};
	109
	110	security.pam.services = let
	111	pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
	112	in [
	113	{
	114	name = "mysql";
	115	text = ''
	116	# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
	117	auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam
	118	account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
	119	'';
	120	}
	121	];
	122
	123	};
	124	}
	125


diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix new file mode 100644 index 0000000..850f3ff --- /dev/null +++ b/modules/private/databases/openldap/default.nix
@@ -0,0 +1,130 @@
	1	{ lib, pkgs, config, myconfig, ... }:
	2	let
	3	cfg = config.myServices.databases.openldap;
	4	ldapConfig = let
	5	kerberosSchema = pkgs.fetchurl {
	6	url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
	7	sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
	8	};
	9	puppetSchema = pkgs.fetchurl {
	10	url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
	11	sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
	12	};
	13	in ''
	14	include ${pkgs.openldap}/etc/schema/core.schema
	15	include ${pkgs.openldap}/etc/schema/cosine.schema
	16	include ${pkgs.openldap}/etc/schema/inetorgperson.schema
	17	include ${pkgs.openldap}/etc/schema/nis.schema
	18	include ${puppetSchema}
	19	include ${kerberosSchema}
	20	include ${./immae.schema}
	21
	22	pidfile ${cfg.pids.pid}
	23	argsfile ${cfg.pids.args}
	24
	25	moduleload back_hdb
	26	backend hdb
	27
	28	moduleload memberof
	29	database hdb
	30	suffix "${myconfig.env.ldap.base}"
	31	rootdn "${myconfig.env.ldap.root_dn}"
	32	include ${config.secrets.location}/ldap/password
	33	directory ${cfg.dataDir}
	34	overlay memberof
	35
	36	TLSCertificateFile /var/lib/acme/ldap/cert.pem
	37	TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
	38	TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
	39	TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
	40	#This makes openldap crash
	41	#TLSCipherSuite DEFAULT
	42
	43	sasl-host kerberos.immae.eu
	44	include ${config.secrets.location}/ldap/access
	45	'';
	46	in
	47	{
	48	options.myServices.databases = {
	49	openldap = {
	50	enable = lib.mkOption {
	51	default = cfg.enable;
	52	example = true;
	53	description = "Whether to enable ldap";
	54	type = lib.types.bool;
	55	};
	56	dataDir = lib.mkOption {
	57	type = lib.types.path;
	58	default = "/var/lib/openldap";
	59	description = ''
	60	The directory where Openldap stores its data.
	61	'';
	62	};
	63	socketsDir = lib.mkOption {
	64	type = lib.types.path;
	65	default = "/run/slapd";
	66	description = ''
	67	The directory where Openldap puts sockets and pid files.
	68	'';
	69	};
	70	# Output variables
	71	pids = lib.mkOption {
	72	type = lib.types.attrsOf lib.types.path;
	73	default = {
	74	pid = "${cfg.socketsDir}/slapd.pid";
	75	args = "${cfg.socketsDir}/slapd.args";
	76	};
	77	readOnly = true;
	78	description = ''
	79	Slapd pid files
	80	'';
	81	};
	82	};
	83	};
	84
	85	config = lib.mkIf cfg.enable {
	86	secrets.keys = [
	87	{
	88	dest = "ldap/password";
	89	permissions = "0400";
	90	user = "openldap";
	91	group = "openldap";
	92	text = "rootpw ${myconfig.env.ldap.root_pw}";
	93	}
	94	{
	95	dest = "ldap/access ";
	96	permissions = "0400";
	97	user = "openldap";
	98	group = "openldap";
	99	text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
	100	}
	101	];
	102	users.users.openldap.extraGroups = [ "keys" ];
	103	networking.firewall.allowedTCPPorts = [ 636 389 ];
	104
	105	services.cron = {
	106	systemCronJobs = [
	107	''
	108	35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif \| ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
	109	''
	110	];
	111	};
	112
	113	security.acme.certs."ldap" = config.myServices.databasesCerts // {
	114	user = "openldap";
	115	group = "openldap";
	116	plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
	117	domain = "ldap.immae.eu";
	118	postRun = ''
	119	systemctl restart openldap.service
	120	'';
	121	};
	122
	123	services.openldap = {
	124	enable = true;
	125	dataDir = cfg.dataDir;
	126	urlList = [ "ldap://" "ldaps://" ];
	127	extraConfig = ldapConfig;
	128	};
	129	};
	130	}


diff --git a/modules/private/databases/openldap/immae.schema b/modules/private/databases/openldap/immae.schema new file mode 100644 index 0000000..f5ee5d5 --- /dev/null +++ b/modules/private/databases/openldap/immae.schema
@@ -0,0 +1,167 @@
	1	# vim: set filetype=slapd:
	2	objectIdentifier Immaeroot 1.3.6.1.4.1.50071
	3
	4	objectIdentifier Immae Immaeroot:2
	5	objectIdentifier ImmaeattributeType Immae:3
	6	objectIdentifier ImmaeobjectClass Immae:4
	7
	8	# TT-RSS
	9	attributetype ( ImmaeattributeType:1 NAME 'immaeTtrssLogin'
	10	DESC 'login for TTRSS'
	11	EQUALITY caseIgnoreMatch
	12	SUBSTR caseIgnoreSubstringsMatch
	13	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
	14
	15	objectclass ( ImmaeobjectClass:1 NAME 'immaeTtrssClass'
	16	DESC 'Expansion of the existing object classes for ttrss'
	17	SUP top AUXILIARY
	18	MUST ( immaeTtrssLogin ) )
	19
	20	# FTP
	21	attributetype ( ImmaeattributeType:2 NAME 'immaeFtpDirectory'
	22	DESC 'home directory for ftp'
	23	EQUALITY caseExactIA5Match
	24	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
	25
	26	attributetype ( ImmaeattributeType:3 NAME 'immaeFtpUid'
	27	DESC 'user id for ftp'
	28	EQUALITY integerMatch
	29	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
	30
	31	attributetype ( ImmaeattributeType:4 NAME 'immaeFtpGid'
	32	DESC 'group id for ftp'
	33	EQUALITY integerMatch
	34	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
	35
	36	objectclass ( ImmaeobjectClass:2 NAME 'immaeFtpClass'
	37	DESC 'Expansion of the existing object classes for ftp'
	38	SUP top AUXILIARY
	39	MUST ( immaeFtpDirectory $ immaeFtpGid $ immaeFtpUid ) )
	40
	41
	42	# SSH keys
	43	attributetype ( ImmaeattributeType:5 NAME 'immaeSshKey'
	44	DESC 'OpenSSH Public key'
	45	EQUALITY octetStringMatch
	46	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
	47
	48	objectClass ( ImmaeobjectClass:3 NAME 'immaeSshClass'
	49	DESC 'OpenSSH class'
	50	SUP top AUXILIARY
	51	MAy ( immaeSSHKey ) )
	52
	53	# Specific access
	54	attributetype (ImmaeattributeType:6 NAME 'immaeAccessDn'
	55	EQUALITY distinguishedNameMatch
	56	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
	57
	58	attributetype (ImmaeattributeType:17 NAME 'immaeAccessWriteDn'
	59	EQUALITY distinguishedNameMatch
	60	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
	61
	62	attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
	63	EQUALITY distinguishedNameMatch
	64	SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
	65
	66	objectClass ( ImmaeobjectClass:4 NAME 'immaeAccessClass'
	67	DESC 'Access class'
	68	SUP top AUXILIARY
	69	MAY ( immaeAccessDn $ immaeAccessWriteDn $ immaeAccessReadSubtree ) )
	70
	71	# Xmpp uid
	72	attributetype ( ImmaeattributeType:7 NAME 'immaeXmppUid'
	73	DESC 'user part for Xmpp'
	74	EQUALITY caseIgnoreMatch
	75	SUBSTR caseIgnoreSubstringsMatch
	76	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
	77
	78	objectclass ( ImmaeobjectClass:5 NAME 'immaeXmppClass'
	79	DESC 'Expansion of the existing object classes for XMPP'
	80	SUP top AUXILIARY
	81	MUST ( immaeXmppUid ) )
	82
	83	# Postfix accounts
	84	attributetype ( ImmaeattributeType:8 NAME 'immaePostfixAddress'
	85	DESC 'the dovecot address to match as username'
	86	EQUALITY caseIgnoreIA5Match
	87	SUBSTR caseIgnoreIA5SubstringsMatch
	88	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
	89
	90	attributetype ( ImmaeattributeType:9 NAME 'immaePostfixHome'
	91	DESC 'the postfix home directory'
	92	EQUALITY caseExactIA5Match
	93	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	94
	95	attributetype ( ImmaeattributeType:10 NAME 'immaePostfixMail'
	96	DESC 'the dovecot mail location'
	97	EQUALITY caseExactIA5Match
	98	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	99
	100	attributetype ( ImmaeattributeType:11 NAME 'immaePostfixUid'
	101	DESC 'the dovecot uid'
	102	EQUALITY caseExactIA5Match
	103	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	104
	105	attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid'
	106	DESC 'the dovecot gid'
	107	EQUALITY caseExactIA5Match
	108	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
	109
	110	objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
	111	DESC 'Expansion of the existing object classes for Postfix'
	112	SUP top AUXILIARY
	113	MUST ( immaePostfixAddress $ immaePostfixHome $
	114	immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
	115	)
	116
	117	# Tinc informations
	118	# Domaine = une classe a part ou une partie du dn ?
	119	# attributetype ( ImmaeattributeType:13 NAME 'immaeTincIpSegment'
	120	# DESC 'the internal ip segment in tinc'
	121	# EQUALITY caseIgnoreIA5Match
	122	# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
	123	#
	124	# attributetype ( ImmaeattributeType:14 NAME 'immaeTincSubdomain'
	125	# DESC 'the host subdomain'
	126	# EQUALITY caseIgnoreIA5Match
	127	# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
	128	#
	129	# attributetype ( ImmaeattributeType:15 NAME 'immaeTincHostname'
	130	# DESC 'the host name'
	131	# EQUALITY caseIgnoreIA5Match
	132	# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
	133	#
	134	# objectclass ( ImmaeobjectClass:7 NAME 'immaeTincHostClass'
	135	# DESC 'Expansion of the existing object classes for Tinc'
	136	# SUP top AUXILIARY
	137	# MUST ( immaeTincInternalIp $ immaeTincSubdomain $
	138	# immaeTincHostname )
	139	# )
	140
	141	attributetype (ImmaeattributeType:16 NAME 'immaePuppetJson'
	142	DESC 'Puppet hiera json'
	143	EQUALITY octetStringMatch
	144	SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
	145
	146	objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
	147	DESC 'Expansion of the existing object classes for Puppet'
	148	SUP top AUXILIARY
	149	MUST ( immaePuppetJson )
	150	)
	151
	152	attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
	153	DESC 'Taskwarrior server Org:Name:Key'
	154	EQUALITY caseIgnoreMatch
	155	SUBSTR caseIgnoreSubstringsMatch
	156	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
	157
	158	objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
	159	DESC 'Expansion of the existing object classes for Task'
	160	SUP top AUXILIARY
	161	MUST ( immaeTaskId )
	162	)
	163
	164	# Last:
	165	# attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
	166	# objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
	167


diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix new file mode 100644 index 0000000..26242a8 --- /dev/null +++ b/modules/private/databases/postgresql.nix
@@ -0,0 +1,141 @@
	1	{ lib, pkgs, config, myconfig, ... }:
	2	let
	3	cfg = config.myServices.databases.postgresql;
	4	in {
	5	options.myServices.databases = {
	6	postgresql = {
	7	enable = lib.mkOption {
	8	default = cfg.enable;
	9	example = true;
	10	description = "Whether to enable postgresql database";
	11	type = lib.types.bool;
	12	};
	13	# Output variables
	14	socketsDir = lib.mkOption {
	15	type = lib.types.path;
	16	default = "/run/postgresql";
	17	description = ''
	18	The directory where Postgresql puts sockets.
	19	'';
	20	readOnly = true;
	21	};
	22	systemdRuntimeDirectory = lib.mkOption {
	23	type = lib.types.str;
	24	# Use ReadWritePaths= instead if socketsDir is outside of /run
	25	default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
	26	lib.strings.removePrefix "/run/" cfg.socketsDir;
	27	description = ''
	28	Adjusted Postgresql sockets directory for systemd
	29	'';
	30	readOnly = true;
	31	};
	32	};
	33	};
	34
	35	config = lib.mkIf cfg.enable {
	36	nixpkgs.overlays = [ (self: super: rec {
	37	postgresql = self.postgresql_11_custom;
	38	}) ];
	39
	40	networking.firewall.allowedTCPPorts = [ 5432 ];
	41
	42	security.acme.certs."postgresql" = config.myServices.databasesCerts // {
	43	user = "postgres";
	44	group = "postgres";
	45	plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
	46	domain = "db-1.immae.eu";
	47	postRun = ''
	48	systemctl reload postgresql.service
	49	'';
	50	};
	51
	52	systemd.services.postgresql.serviceConfig = {
	53	SupplementaryGroups = "keys";
	54	RuntimeDirectory = cfg.systemdRuntimeDirectory;
	55	};
	56	services.postgresql = rec {
	57	enable = true;
	58	package = pkgs.postgresql;
	59	enableTCPIP = true;
	60	extraConfig = ''
	61	max_connections = 100
	62	wal_level = logical
	63	shared_buffers = 512MB
	64	work_mem = 10MB
	65	max_wal_size = 1GB
	66	min_wal_size = 80MB
	67	log_timezone = 'Europe/Paris'
	68	datestyle = 'iso, mdy'
	69	timezone = 'Europe/Paris'
	70	lc_messages = 'en_US.UTF-8'
	71	lc_monetary = 'en_US.UTF-8'
	72	lc_numeric = 'en_US.UTF-8'
	73	lc_time = 'en_US.UTF-8'
	74	default_text_search_config = 'pg_catalog.english'
	75	ssl = on
	76	ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
	77	ssl_key_file = '/var/lib/acme/postgresql/key.pem'
	78	'';
	79	authentication = ''
	80	local all postgres ident
	81	local all all md5
	82	hostssl all all 188.165.209.148/32 md5
	83	hostssl all all 178.33.252.96/32 md5
	84	hostssl all all all pam
	85	hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
	86	hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
	87	'';
	88	};
	89
	90	secrets.keys = [
	91	{
	92	dest = "postgresql/pam";
	93	permissions = "0400";
	94	group = "postgres";
	95	user = "postgres";
	96	text = with myconfig.env.databases.postgresql.pam; ''
	97	host ${myconfig.env.ldap.host}
	98	base ${myconfig.env.ldap.base}
	99	binddn ${dn}
	100	bindpw ${password}
	101	pam_filter ${filter}
	102	ssl start_tls
	103	'';
	104	}
	105	{
	106	dest = "postgresql/pam_replication";
	107	permissions = "0400";
	108	group = "postgres";
	109	user = "postgres";
	110	text = ''
	111	host ${myconfig.env.ldap.host}
	112	base ${myconfig.env.ldap.base}
	113	binddn ${myconfig.env.ldap.host_dn}
	114	bindpw ${myconfig.env.ldap.password}
	115	pam_login_attribute cn
	116	ssl start_tls
	117	'';
	118	}
	119	];
	120
	121	security.pam.services = let
	122	pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
	123	in [
	124	{
	125	name = "postgresql";
	126	text = ''
	127	auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
	128	account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
	129	'';
	130	}
	131	{
	132	name = "postgresql_replication";
	133	text = ''
	134	auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
	135	account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
	136	'';
	137	}
	138	];
	139	};
	140	}
	141


diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix new file mode 100644 index 0000000..a1c2c75 --- /dev/null +++ b/modules/private/databases/redis.nix
@@ -0,0 +1,57 @@
	1	{ lib, config, myconfig, ... }:
	2	let
	3	cfg = config.myServices.databases.redis;
	4	in {
	5	options.myServices.databases.redis = {
	6	enable = lib.mkOption {
	7	default = cfg.enable;
	8	example = true;
	9	description = "Whether to enable redis database";
	10	type = lib.types.bool;
	11	};
	12	socketsDir = lib.mkOption {
	13	type = lib.types.path;
	14	default = "/run/redis";
	15	description = ''
	16	The directory where Redis puts sockets.
	17	'';
	18	};
	19	# Output variables
	20	systemdRuntimeDirectory = lib.mkOption {
	21	type = lib.types.str;
	22	# Use ReadWritePaths= instead if socketsDir is outside of /run
	23	default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
	24	lib.strings.removePrefix "/run/" cfg.socketsDir;
	25	description = ''
	26	Adjusted redis sockets directory for systemd
	27	'';
	28	readOnly = true;
	29	};
	30	sockets = lib.mkOption {
	31	type = lib.types.attrsOf lib.types.path;
	32	default = {
	33	redis = "${cfg.socketsDir}/redis.sock";
	34	};
	35	readOnly = true;
	36	description = ''
	37	Redis sockets
	38	'';
	39	};
	40	};
	41
	42	config = lib.mkIf cfg.enable {
	43	users.users.redis.uid = config.ids.uids.redis;
	44	users.groups.redis.gid = config.ids.gids.redis;
	45	services.redis = rec {
	46	enable = true;
	47	bind = "127.0.0.1";
	48	unixSocket = cfg.sockets.redis;
	49	extraConfig = ''
	50	unixsocketperm 777
	51	maxclients 1024
	52	'';
	53	};
	54	systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
	55	};
	56	}
	57