author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 23:40:37 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 23:40:37 +0200 |
commit | e1da84b06c408ea5d4d093de39efdda71ad6dc95 (patch) | |
tree | f30edd6efaef7b37ec4845271b6807c79c376460 /nixops/modules/databases/openldap.nix | |
parent | cd85801d01ddadbe00f26f4f257621ee1cd81e4b (diff) | |
Move database credentials to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/databases/openldap.nix')
-rw-r--r-- | nixops/modules/databases/openldap.nix | 21 |
1 files changed, 19 insertions, 2 deletions
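--- a/nixops/modules/databases/openldap.nix
+++ b/nixops/modules/databases/openldap.nix
@@ -29,7 +29,7 @@ let
 database hdb
 suffix "${myconfig.env.ldap.base}"
 rootdn "${myconfig.env.ldap.root_dn}"
-rootpw ${myconfig.env.ldap.root_pw}
+include /run/keys/ldap/ldap-password
 directory /var/lib/openldap
 overlay memberof
 
@@ -41,7 +41,7 @@ let
 #TLSCipherSuite DEFAULT
 
 sasl-host kerberos.immae.eu
-${builtins.readFile "${myconfig.privateFiles}/ldap.conf"}
+include /run/keys/ldap/ldap-access
 '';
 in {
 options.services.myDatabases = {
@@ -56,6 +56,23 @@ in {
 };
 
 config = lib.mkIf cfg.enable {
+deployment.keys = {
+ldap-password = {
+destDir = "/run/keys/ldap";
+permissions = "0400";
+user = "openldap";
+group = "openldap";
+text = "rootpw ${myconfig.env.ldap.root_pw}";
+};
+ldap-access = {
+destDir = "/run/keys/ldap";
+permissions = "0400";
+user = "openldap";
+group = "openldap";
+text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
+};
+};
+users.users.openldap.extraGroups = [ "keys" ];
 networking.firewall.allowedTCPPorts = [ 636 389 ];
 
 services.cron = {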
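Review bot: Nothing orders slapd after the key units, so on a reboot the service can start before NixOps has written `/run/keys/ldap/ldap-password` and `/run/keys/ldap/ldap-access`, at which point the two new `include` lines in the first and second hunks reference missing files and slapd fails to start. NixOps creates a per-key unit (presumably `ldap-password-key.service` and `ldap-access-key.service` here), so next to `users.users.openldap.extraGroups` in the third hunk I would add `systemd.services.openldap.after = [ "ldap-password-key.service" "ldap-access-key.service" ];` and the same list under `systemd.services.openldap.wants`, assuming the slapd unit in this module is the NixOS `openldap` service. Separately, `rootpw` accepts a hashed value, so the `ldap-password` key text could carry a password hash rather than the clear-text `${myconfig.env.ldap.root_pw}`, which limits what a read of the key file yields; the file is already 0400 and owned by `openldap`, so this is defence in depth rather than a blocker. The `config = lib.mkIf cfg.enable` attribute set continues past the end of the hunk.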