diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-05 15:57:20 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-06 00:25:00 +0200 |
| commit | 258dd18bac4bf5dd03cf1098ffa35cb954f9e015 (patch) | |
| tree | 03ca447495573f6745b701096d8b31283ce30466 /modules/private/databases | |
| parent | e7b890d0999fe54a99f84fe92d625d9d488358dc (diff) | |
| download | Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.gz Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.tar.zst Nix-258dd18bac4bf5dd03cf1098ffa35cb954f9e015.zip | |
Upgrade to nixos-unstable
Diffstat (limited to 'modules/private/databases')
| -rw-r--r-- | modules/private/databases/mariadb.nix | 39 | ||||
| -rw-r--r-- | modules/private/databases/openldap/default.nix | 1 | ||||
| -rw-r--r-- | modules/private/databases/postgresql.nix | 15 |
3 files changed, 25 insertions, 30 deletions
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index 04e4bd6..36edaeb 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix | |||
| @@ -94,26 +94,27 @@ in { | |||
| 94 | enable = true; | 94 | enable = true; |
| 95 | package = cfg.package; | 95 | package = cfg.package; |
| 96 | dataDir = cfg.dataDir; | 96 | dataDir = cfg.dataDir; |
| 97 | extraOptions = '' | 97 | settings = { |
| 98 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | 98 | mysqld = { |
| 99 | ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem | 99 | ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
| 100 | ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem | 100 | ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem"; |
| 101 | ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem"; | ||
| 101 | 102 | ||
| 102 | # for replication | 103 | # for replication |
| 103 | log-bin=mariadb-bin | 104 | log-bin = "mariadb-bin"; |
| 104 | server-id=1 | 105 | server-id = "1"; |
| 105 | 106 | ||
| 106 | # this introduces a small delay before storing on disk, but | 107 | # this introduces a small delay before storing on disk, but |
| 107 | # makes it order of magnitudes quicker | 108 | # makes it order of magnitudes quicker |
| 108 | innodb_flush_log_at_trx_commit = 0 | 109 | innodb_flush_log_at_trx_commit = "0"; |
| 109 | ''; | 110 | }; |
| 111 | }; | ||
| 110 | }; | 112 | }; |
| 111 | 113 | ||
| 112 | users.users.mysql.extraGroups = [ "keys" ]; | 114 | users.users.mysql.extraGroups = [ "keys" ]; |
| 113 | security.acme.certs."mysql" = config.myServices.databasesCerts // { | 115 | security.acme.certs."mysql" = config.myServices.databasesCerts // { |
| 114 | user = "mysql"; | 116 | user = "mysql"; |
| 115 | group = "mysql"; | 117 | group = "mysql"; |
| 116 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | ||
| 117 | domain = "db-1.immae.eu"; | 118 | domain = "db-1.immae.eu"; |
| 118 | postRun = '' | 119 | postRun = '' |
| 119 | systemctl restart mysql.service | 120 | systemctl restart mysql.service |
| @@ -164,23 +165,21 @@ in { | |||
| 164 | 165 | ||
| 165 | security.pam.services = let | 166 | security.pam.services = let |
| 166 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | 167 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; |
| 167 | in [ | 168 | in { |
| 168 | { | 169 | mysql = { |
| 169 | name = "mysql"; | ||
| 170 | text = '' | 170 | text = '' |
| 171 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | 171 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ |
| 172 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam | 172 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam |
| 173 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam | 173 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam |
| 174 | ''; | 174 | ''; |
| 175 | } | 175 | }; |
| 176 | { | 176 | mysql_replication = { |
| 177 | name = "mysql_replication"; | ||
| 178 | text = '' | 177 | text = '' |
| 179 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication | 178 | auth required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication |
| 180 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication | 179 | account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication |
| 181 | ''; | 180 | ''; |
| 182 | } | 181 | }; |
| 183 | ]; | 182 | }; |
| 184 | 183 | ||
| 185 | }; | 184 | }; |
| 186 | } | 185 | } |
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index efe9379..302aa04 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix | |||
| @@ -107,7 +107,6 @@ in | |||
| 107 | security.acme.certs."ldap" = config.myServices.databasesCerts // { | 107 | security.acme.certs."ldap" = config.myServices.databasesCerts // { |
| 108 | user = "openldap"; | 108 | user = "openldap"; |
| 109 | group = "openldap"; | 109 | group = "openldap"; |
| 110 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | ||
| 111 | domain = "ldap.immae.eu"; | 110 | domain = "ldap.immae.eu"; |
| 112 | postRun = '' | 111 | postRun = '' |
| 113 | systemctl restart openldap.service | 112 | systemctl restart openldap.service |
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index d0b1a75..c442a63 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix | |||
| @@ -100,7 +100,6 @@ in { | |||
| 100 | security.acme.certs."postgresql" = config.myServices.databasesCerts // { | 100 | security.acme.certs."postgresql" = config.myServices.databasesCerts // { |
| 101 | user = "postgres"; | 101 | user = "postgres"; |
| 102 | group = "postgres"; | 102 | group = "postgres"; |
| 103 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | ||
| 104 | domain = "db-1.immae.eu"; | 103 | domain = "db-1.immae.eu"; |
| 105 | postRun = '' | 104 | postRun = '' |
| 106 | systemctl reload postgresql.service | 105 | systemctl reload postgresql.service |
| @@ -212,22 +211,20 @@ in { | |||
| 212 | 211 | ||
| 213 | security.pam.services = let | 212 | security.pam.services = let |
| 214 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | 213 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; |
| 215 | in [ | 214 | in { |
| 216 | { | 215 | postgresql = { |
| 217 | name = "postgresql"; | ||
| 218 | text = '' | 216 | text = '' |
| 219 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam | 217 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam |
| 220 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam | 218 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam |
| 221 | ''; | 219 | ''; |
| 222 | } | 220 | }; |
| 223 | { | 221 | postgresql_replication = { |
| 224 | name = "postgresql_replication"; | ||
| 225 | text = '' | 222 | text = '' |
| 226 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication | 223 | auth required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication |
| 227 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication | 224 | account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication |
| 228 | ''; | 225 | ''; |
| 229 | } | 226 | }; |
| 230 | ]; | 227 | }; |
| 231 | }; | 228 | }; |
| 232 | } | 229 | } |
| 233 | 230 | ||