authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 02:18:11 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 02:18:11 +0200
commit7178c2b1009694c8a750dcd376a36c3d4bf90cf4 (patch)
tree1dbc6b18804a901c64f53bceddce8027b202580a /nixops
parent1b3154e40a568a296c74759d68827366b5f26da9 (diff)
downloadNix-7178c2b1009694c8a750dcd376a36c3d4bf90cf4.tar.gz
Nix-7178c2b1009694c8a750dcd376a36c3d4bf90cf4.tar.zst
Nix-7178c2b1009694c8a750dcd376a36c3d4bf90cf4.zip
Move databases config to new secrets
Diffstat (limited to 'nixops')
-rw-r--r--nixops/modules/databases/mysql.nix22
-rw-r--r--nixops/modules/databases/openldap.nix20
-rw-r--r--nixops/modules/databases/postgresql.nix24
3 files changed, 33 insertions, 33 deletions
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
index 95de972..a9ca8d3 100644
--- a/nixops/modules/databases/mysql.nix
+++ b/nixops/modules/databases/mysql.nix
@@ -52,9 +52,9 @@ in {
52 ''; 52 '';
53 }; 53 };
54 54
55 deployment.keys = { 55 mySecrets.keys = [
56 mysqldump = { 56 {
57 destDir = "/run/keys/mysql"; 57 dest = "mysql/mysqldump";
58 permissions = "0400"; 58 permissions = "0400";
59 user = "root"; 59 user = "root";
60 group = "root"; 60 group = "root";
@@ -63,9 +63,9 @@ in {
63 user = root 63 user = root
64 password = ${myconfig.env.databases.mysql.systemUsers.root} 64 password = ${myconfig.env.databases.mysql.systemUsers.root}
65 ''; 65 '';
66 }; 66 }
67 mysql-pam = { 67 {
68 destDir = "/run/keys/mysql"; 68 dest = "mysql/pam";
69 permissions = "0400"; 69 permissions = "0400";
70 user = "mysql"; 70 user = "mysql";
71 group = "mysql"; 71 group = "mysql";
@@ -77,14 +77,14 @@ in {
77 pam_filter ${filter} 77 pam_filter ${filter}
78 ssl start_tls 78 ssl start_tls
79 ''; 79 '';
80 }; 80 }
81 }; 81 ];
82 82
83 services.cron = { 83 services.cron = {
84 enable = true; 84 enable = true;
85 systemCronJobs = [ 85 systemCronJobs = [
86 '' 86 ''
87 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql 87 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
88 '' 88 ''
89 ]; 89 ];
90 }; 90 };
@@ -96,8 +96,8 @@ in {
96 name = "mysql"; 96 name = "mysql";
97 text = '' 97 text = ''
98 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ 98 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
99 auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam 99 auth required ${pam_ldap} config=/var/secrets/mysql/pam
100 account required ${pam_ldap} config=/run/keys/mysql/mysql-pam 100 account required ${pam_ldap} config=/var/secrets/mysql/pam
101 ''; 101 '';
102 } 102 }
103 ]; 103 ];
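Review bot: Each secret's location is now spelled twice with no link between the two: `dest = "mysql/mysqldump"` and `dest = "mysql/pam"` are relative to the mySecrets base directory, while the cron line (`--defaults-file=/var/secrets/mysql/mysqldump`) and the two PAM lines (`config=/var/secrets/mysql/pam`) hard-code the `/var/secrets/` prefix, so a change to that base directory would silently break the consumers; the openldap and postgresql sections have the same pattern. If the mySecrets module exposes its base directory as an option, bind it once in the file's `let` (e.g. a `secretsDir` binding) and write `config=${secretsDir}/mysql/pam`; otherwise add `# paths below must match the mySecrets base directory` above `mySecrets.keys`. Moving from `/run/keys` (the nixops key ramfs) to `/var/secrets` presumably puts the mysql root password file on persistent storage, so it is worth confirming that the directory itself is not world-readable, since the per-key `0400` mode only protects the file. The enclosing attribute set starts and ends outside these hunks.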
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
index 7ed4bc0..a447ccc 100644
--- a/nixops/modules/databases/openldap.nix
+++ b/nixops/modules/databases/openldap.nix
@@ -29,7 +29,7 @@ let
29 database hdb 29 database hdb
30 suffix "${myconfig.env.ldap.base}" 30 suffix "${myconfig.env.ldap.base}"
31 rootdn "${myconfig.env.ldap.root_dn}" 31 rootdn "${myconfig.env.ldap.root_dn}"
32 include /run/keys/ldap/ldap-password 32 include /var/secrets/ldap/password
33 directory /var/lib/openldap 33 directory /var/lib/openldap
34 overlay memberof 34 overlay memberof
35 35
@@ -41,7 +41,7 @@ let
41 #TLSCipherSuite DEFAULT 41 #TLSCipherSuite DEFAULT
42 42
43 sasl-host kerberos.immae.eu 43 sasl-host kerberos.immae.eu
44 include /run/keys/ldap/ldap-access 44 include /var/secrets/ldap/access
45 ''; 45 '';
46in { 46in {
47 options.services.myDatabases = { 47 options.services.myDatabases = {
@@ -56,22 +56,22 @@ in {
56 }; 56 };
57 57
58 config = lib.mkIf cfg.enable { 58 config = lib.mkIf cfg.enable {
59 deployment.keys = { 59 mySecrets.keys = [
60 ldap-password = { 60 {
61 destDir = "/run/keys/ldap"; 61 dest = "ldap/password";
62 permissions = "0400"; 62 permissions = "0400";
63 user = "openldap"; 63 user = "openldap";
64 group = "openldap"; 64 group = "openldap";
65 text = "rootpw ${myconfig.env.ldap.root_pw}"; 65 text = "rootpw ${myconfig.env.ldap.root_pw}";
66 }; 66 }
67 ldap-access = { 67 {
68 destDir = "/run/keys/ldap"; 68 dest = "ldap/access ";
69 permissions = "0400"; 69 permissions = "0400";
70 user = "openldap"; 70 user = "openldap";
71 group = "openldap"; 71 group = "openldap";
72 text = builtins.readFile "${myconfig.privateFiles}/ldap.conf"; 72 text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
73 }; 73 }
74 }; 74 ];
75 users.users.openldap.extraGroups = [ "keys" ]; 75 users.users.openldap.extraGroups = [ "keys" ];
76 networking.firewall.allowedTCPPorts = [ 636 389 ]; 76 networking.firewall.allowedTCPPorts = [ 636 389 ];
77 77
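Review bot: `dest = "ldap/access ";` on line 68 carries a trailing space inside the string, so the key is written to `/var/secrets/ldap/access ` while the slapd config on line 44 includes `/var/secrets/ldap/access`, which will not exist; the fix is `dest = "ldap/access";`. Separately, `users.users.openldap.extraGroups = [ "keys" ];` on line 75 was there to pass the group gate on the nixops `/run/keys` directory; with the files now under `/var/secrets` owned by `openldap` with mode `0400` that grant looks stale, so drop it unless the mySecrets module still relies on the `keys` group. The `config = lib.mkIf cfg.enable` block continues past the end of this hunk.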
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
index 7e2f4e6..62e9e34 100644
--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -77,9 +77,9 @@ in {
77 ''; 77 '';
78 }; 78 };
79 79
80 deployment.keys = { 80 mySecrets.keys = [
81 postgresql-pam = { 81 {
82 destDir = "/run/keys/postgresql"; 82 dest = "postgresql/pam";
83 permissions = "0400"; 83 permissions = "0400";
84 group = "postgres"; 84 group = "postgres";
85 user = "postgres"; 85 user = "postgres";
@@ -91,9 +91,9 @@ in {
91 pam_filter ${filter} 91 pam_filter ${filter}
92 ssl start_tls 92 ssl start_tls
93 ''; 93 '';
94 }; 94 }
95 postgresql-pam_replication = { 95 {
96 destDir = "/run/keys/postgresql"; 96 dest = "postgresql/pam_replication";
97 permissions = "0400"; 97 permissions = "0400";
98 group = "postgres"; 98 group = "postgres";
99 user = "postgres"; 99 user = "postgres";
@@ -105,8 +105,8 @@ in {
105 pam_login_attribute cn 105 pam_login_attribute cn
106 ssl start_tls 106 ssl start_tls
107 ''; 107 '';
108 }; 108 }
109 }; 109 ];
110 110
111 security.pam.services = let 111 security.pam.services = let
112 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 112 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
@@ -114,15 +114,15 @@ in {
114 { 114 {
115 name = "postgresql"; 115 name = "postgresql";
116 text = '' 116 text = ''
117 auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam 117 auth required ${pam_ldap} config=/var/secrets/postgresql/pam
118 account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam 118 account required ${pam_ldap} config=/var/secrets/postgresql/pam
119 ''; 119 '';
120 } 120 }
121 { 121 {
122 name = "postgresql_replication"; 122 name = "postgresql_replication";
123 text = '' 123 text = ''
124 auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication 124 auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
125 account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication 125 account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
126 ''; 126 '';
127 } 127 }
128 ]; 128 ];