Move database credentials to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

1 files changed, 31 insertions, 17 deletions

diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
index 635f212..95de972 100644
--- a/nixops/modules/databases/mysql.nix
+++ b/nixops/modules/databases/mysql.nix
@@ -41,6 +41,7 @@ in {
         '';
     };
 
+    users.users.mysql.extraGroups = [ "keys" ];
     security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
       user = "mysql";
       group = "mysql";
@@ -51,39 +52,52 @@ in {
       '';
     };
 
-    services.cron = {
-      enable = true;
-      systemCronJobs = let
-        mycnf = pkgs.writeText "my.cnf" ''
+    deployment.keys = {
+      mysqldump = {
+        destDir = "/run/keys/mysql";
+        permissions = "0400";
+        user = "root";
+        group = "root";
+        text = ''
           [mysqldump]
           user = root
           password = ${myconfig.env.databases.mysql.systemUsers.root}
+        '';
+      };
+      mysql-pam = {
+        destDir = "/run/keys/mysql";
+        permissions = "0400";
+        user = "mysql";
+        group = "mysql";
+        text = with myconfig.env.databases.mysql.pam; ''
+          host ${myconfig.env.ldap.host}
+          base ${myconfig.env.ldap.base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_filter ${filter}
+          ssl start_tls
           '';
-      in [
+      };
+    };
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = [
         ''
-          30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${mycnf} --all-databases > /var/lib/mysql/backup.sql
+          30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
         ''
       ];
     };
 
     security.pam.services = let
       pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-      pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
-        pkgs.writeText "mysql.conf" ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
-        binddn ${dn}
-        bindpw ${password}
-        pam_filter ${filter}
-        ssl start_tls
-        '';
     in [
       {
         name = "mysql";
         text = ''
           # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap} config=${pam_ldap_mysql}
-          account required ${pam_ldap} config=${pam_ldap_mysql}
+          auth    required ${pam_ldap} config=/run/keys/mysql/mysql-pam
+          account required ${pam_ldap} config=/run/keys/mysql/mysql-pam
           '';
       }
     ];