diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 23:40:37 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 23:40:37 +0200 |
| commit | e1da84b06c408ea5d4d093de39efdda71ad6dc95 (patch) | |
| tree | f30edd6efaef7b37ec4845271b6807c79c376460 /nixops/modules/databases/openldap.nix | |
| parent | cd85801d01ddadbe00f26f4f257621ee1cd81e4b (diff) | |
| download | Nix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.tar.gz Nix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.tar.zst Nix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.zip | |
Move database credentials to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/databases/openldap.nix')
| -rw-r--r-- | nixops/modules/databases/openldap.nix | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix index 165a029..7ed4bc0 100644 --- a/nixops/modules/databases/openldap.nix +++ b/nixops/modules/databases/openldap.nix | |||
| @@ -29,7 +29,7 @@ let | |||
| 29 | database hdb | 29 | database hdb |
| 30 | suffix "${myconfig.env.ldap.base}" | 30 | suffix "${myconfig.env.ldap.base}" |
| 31 | rootdn "${myconfig.env.ldap.root_dn}" | 31 | rootdn "${myconfig.env.ldap.root_dn}" |
| 32 | rootpw ${myconfig.env.ldap.root_pw} | 32 | include /run/keys/ldap/ldap-password |
| 33 | directory /var/lib/openldap | 33 | directory /var/lib/openldap |
| 34 | overlay memberof | 34 | overlay memberof |
| 35 | 35 | ||
| @@ -41,7 +41,7 @@ let | |||
| 41 | #TLSCipherSuite DEFAULT | 41 | #TLSCipherSuite DEFAULT |
| 42 | 42 | ||
| 43 | sasl-host kerberos.immae.eu | 43 | sasl-host kerberos.immae.eu |
| 44 | ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"} | 44 | include /run/keys/ldap/ldap-access |
| 45 | ''; | 45 | ''; |
| 46 | in { | 46 | in { |
| 47 | options.services.myDatabases = { | 47 | options.services.myDatabases = { |
| @@ -56,6 +56,23 @@ in { | |||
| 56 | }; | 56 | }; |
| 57 | 57 | ||
| 58 | config = lib.mkIf cfg.enable { | 58 | config = lib.mkIf cfg.enable { |
| 59 | deployment.keys = { | ||
| 60 | ldap-password = { | ||
| 61 | destDir = "/run/keys/ldap"; | ||
| 62 | permissions = "0400"; | ||
| 63 | user = "openldap"; | ||
| 64 | group = "openldap"; | ||
| 65 | text = "rootpw ${myconfig.env.ldap.root_pw}"; | ||
| 66 | }; | ||
| 67 | ldap-access = { | ||
| 68 | destDir = "/run/keys/ldap"; | ||
| 69 | permissions = "0400"; | ||
| 70 | user = "openldap"; | ||
| 71 | group = "openldap"; | ||
| 72 | text = builtins.readFile "${myconfig.privateFiles}/ldap.conf"; | ||
| 73 | }; | ||
| 74 | }; | ||
| 75 | users.users.openldap.extraGroups = [ "keys" ]; | ||
| 59 | networking.firewall.allowedTCPPorts = [ 636 389 ]; | 76 | networking.firewall.allowedTCPPorts = [ 636 389 ]; |
| 60 | 77 | ||
| 61 | services.cron = { | 78 | services.cron = { |