author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-01-26 14:51:19 +0100 |
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-01-26 14:57:15 +0100 |
commit | 7ebcaad53a3261d8a4aefd8a64c5c7d9d8ac2fa0 (patch) | |
tree | 955c11eb61c79333296cfb82f49836bd7e3eca70 /nixops/modules/databases/default.nix | |
parent | bad8f8d3cfaf48e6693f9718857a4648a86b0d37 (diff) | |
Fix the SSL state for databases connections
Whenever possible, we use a socket connection (all postgresql
connections, and a few mysql ones)
When remote (only mysql), we require SSL in the users database (cannot
be enforced globally)
Also, put pam configurations in a correct state
Fixes https://git.immae.eu/mantisbt/view.php?id=89
Fixes https://git.immae.eu/mantisbt/view.php?id=90
Fixes https://git.immae.eu/mantisbt/view.php?id=88
Diffstat (limited to 'nixops/modules/databases/default.nix')
-rw-r--r-- | nixops/modules/databases/default.nix | 49 |
1 files changed, 39 insertions, 10 deletions
diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix index 94d8d75..d86373a 100644 --- a/nixops/modules/databases/default.nix +++ b/nixops/modules/databases/default.nix | |||
@@ -57,9 +57,21 @@ in { | |||
57 | 57 | ||
58 | networking.firewall.allowedTCPPorts = [ 3306 5432 ]; | 58 | networking.firewall.allowedTCPPorts = [ 3306 5432 ]; |
59 | 59 | ||
60 | # for adminer, ssl is implemented with mysqli only, which is | ||
61 | # currently disabled because it’s not compatible with pam. | ||
62 | # Thus we need to generate two users for each 'remote': one remote | ||
63 | # with SSL, and one localhost without SSL. | ||
64 | # User identified by LDAP: | ||
65 | # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; | ||
66 | # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; | ||
60 | services.mysql = rec { | 67 | services.mysql = rec { |
61 | enable = cfg.mariadb.enable; | 68 | enable = cfg.mariadb.enable; |
62 | package = pkgs.mariadb; | 69 | package = pkgs.mariadb; |
70 | extraOptions = '' | ||
71 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | ||
72 | ssl_key = /var/lib/acme/mysql/key.pem | ||
73 | ssl_cert = /var/lib/acme/mysql/fullchain.pem | ||
74 | ''; | ||
63 | }; | 75 | }; |
64 | 76 | ||
65 | security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { | 77 | security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { |
@@ -72,6 +84,16 @@ in { | |||
72 | ''; | 84 | ''; |
73 | }; | 85 | }; |
74 | 86 | ||
87 | security.acme.certs."mysql" = config.services.myCertificates.certConfig // { | ||
88 | user = "mysql"; | ||
89 | group = "mysql"; | ||
90 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; | ||
91 | domain = "db-1.immae.eu"; | ||
92 | postRun = '' | ||
93 | systemctl restart mysql.service | ||
94 | ''; | ||
95 | }; | ||
96 | |||
75 | system.activationScripts.postgresql = '' | 97 | system.activationScripts.postgresql = '' |
76 | install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} | 98 | install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} |
77 | ''; | 99 | ''; |
@@ -101,9 +123,6 @@ in { | |||
101 | authentication = '' | 123 | authentication = '' |
102 | local all postgres ident | 124 | local all postgres ident |
103 | local all all md5 | 125 | local all all md5 |
104 | hostssl all all samehost md5 | ||
105 | hostssl all all 178.33.252.96/32 md5 | ||
106 | hostssl all all 188.165.209.148/32 md5 | ||
107 | hostssl all all all pam | 126 | hostssl all all all pam |
108 | hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication | 127 | hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication |
109 | hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication | 128 | hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication |
@@ -112,21 +131,31 @@ in { | |||
112 | 131 | ||
113 | security.pam.services = let | 132 | security.pam.services = let |
114 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | 133 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; |
115 | pam_ldap_mysql = pkgs.writeText "mysql.conf" '' | 134 | pam_ldap_mysql = with myconfig.env.databases.mysql.pam; |
135 | pkgs.writeText "mysql.conf" '' | ||
116 | host ${myconfig.env.ldap.host} | 136 | host ${myconfig.env.ldap.host} |
117 | base ${myconfig.env.ldap.base} | 137 | base ${myconfig.env.ldap.base} |
118 | binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | 138 | binddn ${dn} |
119 | bindpw ${myconfig.env.databases.mysql.pam_password} | 139 | bindpw ${password} |
140 | pam_filter ${filter} | ||
141 | ssl start_tls | ||
142 | ''; | ||
143 | pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; | ||
144 | pkgs.writeText "postgresql.conf" '' | ||
145 | host ${myconfig.env.ldap.host} | ||
146 | base ${myconfig.env.ldap.base} | ||
147 | binddn ${dn} | ||
148 | bindpw ${password} | ||
149 | pam_filter ${filter} | ||
120 | ssl start_tls | 150 | ssl start_tls |
121 | pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | ||
122 | ''; | 151 | ''; |
123 | pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' | 152 | pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' |
124 | host ${myconfig.env.ldap.host} | 153 | host ${myconfig.env.ldap.host} |
125 | base ${myconfig.env.ldap.base} | 154 | base ${myconfig.env.ldap.base} |
126 | binddn ${myconfig.env.ldap.host_dn} | 155 | binddn ${myconfig.env.ldap.host_dn} |
127 | bindpw ${myconfig.env.ldap.password} | 156 | bindpw ${myconfig.env.ldap.password} |
128 | ssl start_tls | ||
129 | pam_login_attribute cn | 157 | pam_login_attribute cn |
158 | ssl start_tls | ||
130 | ''; | 159 | ''; |
131 | in [ | 160 | in [ |
132 | { | 161 | { |
@@ -140,8 +169,8 @@ in { | |||
140 | { | 169 | { |
141 | name = "postgresql"; | 170 | name = "postgresql"; |
142 | text = '' | 171 | text = '' |
143 | auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} | 172 | auth required ${pam_ldap} config=${pam_ldap_postgresql} |
144 | account required ${pam_ldap} config=${pam_ldap_postgresql_replication} | 173 | account required ${pam_ldap} config=${pam_ldap_postgresql} |
145 | ''; | 174 | ''; |
146 | } | 175 | } |
147 | { | 176 | { |
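Review bot: The new `pam_ldap_postgresql` file in the fourth hunk (and the rewritten `pam_ldap_mysql` next to it) interpolates `bindpw ${password}` into a `pkgs.writeText` derivation, so the LDAP bind password ends up in the world-readable Nix store and in every copy of the closure (binary caches, `nix copy`), readable by any local account including the database users it is meant to authenticate. Since this module lives under nixops/, the secret would be better delivered at deploy time (for example a `deployment.keys` entry rendered to a 0600 file owned by the database user) and referenced by path from the `config=` line of the pam service, leaving the store file secret-free; the pre-existing `pam_ldap_postgresql_replication` has the same issue. In the first hunk, `ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt` is the CA the server uses to verify client certificates; with `REQUIRE SSL` alone no client certificate is checked so it is inert today, but should any account later get `REQUIRE X509`/`ISSUER`, any publicly issued client certificate would be accepted — point it at the issuer chain of the server certificate or drop it and add a comment such as `# ssl_ca intentionally unset: accounts use REQUIRE SSL, client certs are not verified`. Finally, the mysql and postgresql pam_ldap texts are identical apart from the `with` scope and could be one helper, `mkPamLdap = name: pam: with pam; pkgs.writeText name ''…'';`, so the `ssl start_tls` and `pam_filter` lines cannot drift between the two.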