diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 23:40:37 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 23:40:37 +0200 |
commit | e1da84b06c408ea5d4d093de39efdda71ad6dc95 (patch) | |
tree | f30edd6efaef7b37ec4845271b6807c79c376460 /nixops | |
parent | cd85801d01ddadbe00f26f4f257621ee1cd81e4b (diff) | |
download | Nix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.tar.gz Nix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.tar.zst Nix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.zip |
Move database credentials to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r-- | nixops/modules/databases/mysql.nix | 48 | ||||
-rw-r--r-- | nixops/modules/databases/openldap.nix | 21 | ||||
-rw-r--r-- | nixops/modules/databases/postgresql.nix | 57 |
3 files changed, 86 insertions, 40 deletions
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix index 635f212..95de972 100644 --- a/nixops/modules/databases/mysql.nix +++ b/nixops/modules/databases/mysql.nix | |||
@@ -41,6 +41,7 @@ in { | |||
41 | ''; | 41 | ''; |
42 | }; | 42 | }; |
43 | 43 | ||
44 | users.users.mysql.extraGroups = [ "keys" ]; | ||
44 | security.acme.certs."mysql" = config.services.myCertificates.certConfig // { | 45 | security.acme.certs."mysql" = config.services.myCertificates.certConfig // { |
45 | user = "mysql"; | 46 | user = "mysql"; |
46 | group = "mysql"; | 47 | group = "mysql"; |
@@ -51,39 +52,52 @@ in { | |||
51 | ''; | 52 | ''; |
52 | }; | 53 | }; |
53 | 54 | ||
54 | services.cron = { | 55 | deployment.keys = { |
55 | enable = true; | 56 | mysqldump = { |
56 | systemCronJobs = let | 57 | destDir = "/run/keys/mysql"; |
57 | mycnf = pkgs.writeText "my.cnf" '' | 58 | permissions = "0400"; |
59 | user = "root"; | ||
60 | group = "root"; | ||
61 | text = '' | ||
58 | [mysqldump] | 62 | [mysqldump] |
59 | user = root | 63 | user = root |
60 | password = ${myconfig.env.databases.mysql.systemUsers.root} | 64 | password = ${myconfig.env.databases.mysql.systemUsers.root} |
65 | ''; | ||
66 | }; | ||
67 | mysql-pam = { | ||
68 | destDir = "/run/keys/mysql"; | ||
69 | permissions = "0400"; | ||
70 | user = "mysql"; | ||
71 | group = "mysql"; | ||
72 | text = with myconfig.env.databases.mysql.pam; '' | ||
73 | host ${myconfig.env.ldap.host} | ||
74 | base ${myconfig.env.ldap.base} | ||
75 | binddn ${dn} | ||
76 | bindpw ${password} | ||
77 | pam_filter ${filter} | ||
78 | ssl start_tls | ||
61 | ''; | 79 | ''; |
62 | in [ | 80 | }; |
81 | }; | ||
82 | |||
83 | services.cron = { | ||
84 | enable = true; | ||
85 | systemCronJobs = [ | ||
63 | '' | 86 | '' |
64 | 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${mycnf} --all-databases > /var/lib/mysql/backup.sql | 87 | 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql |
65 | '' | 88 | '' |
66 | ]; | 89 | ]; |
67 | }; | 90 | }; |
68 | 91 | ||
69 | security.pam.services = let | 92 | security.pam.services = let |
70 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | 93 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; |
71 | pam_ldap_mysql = with myconfig.env.databases.mysql.pam; | ||
72 | pkgs.writeText "mysql.conf" '' | ||
73 | host ${myconfig.env.ldap.host} | ||
74 | base ${myconfig.env.ldap.base} | ||
75 | binddn ${dn} | ||
76 | bindpw ${password} | ||
77 | pam_filter ${filter} | ||
78 | ssl start_tls | ||
79 | ''; | ||
80 | in [ | 94 | in [ |
81 | { | 95 | { |
82 | name = "mysql"; | 96 | name = "mysql"; |
83 | text = '' | 97 | text = '' |
84 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | 98 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ |
85 | auth required ${pam_ldap} config=${pam_ldap_mysql} | 99 | auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam |
86 | account required ${pam_ldap} config=${pam_ldap_mysql} | 100 | account required ${pam_ldap} config=/run/keys/mysql/mysql-pam |
87 | ''; | 101 | ''; |
88 | } | 102 | } |
89 | ]; | 103 | ]; |
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix index 165a029..7ed4bc0 100644 --- a/nixops/modules/databases/openldap.nix +++ b/nixops/modules/databases/openldap.nix | |||
@@ -29,7 +29,7 @@ let | |||
29 | database hdb | 29 | database hdb |
30 | suffix "${myconfig.env.ldap.base}" | 30 | suffix "${myconfig.env.ldap.base}" |
31 | rootdn "${myconfig.env.ldap.root_dn}" | 31 | rootdn "${myconfig.env.ldap.root_dn}" |
32 | rootpw ${myconfig.env.ldap.root_pw} | 32 | include /run/keys/ldap/ldap-password |
33 | directory /var/lib/openldap | 33 | directory /var/lib/openldap |
34 | overlay memberof | 34 | overlay memberof |
35 | 35 | ||
@@ -41,7 +41,7 @@ let | |||
41 | #TLSCipherSuite DEFAULT | 41 | #TLSCipherSuite DEFAULT |
42 | 42 | ||
43 | sasl-host kerberos.immae.eu | 43 | sasl-host kerberos.immae.eu |
44 | ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"} | 44 | include /run/keys/ldap/ldap-access |
45 | ''; | 45 | ''; |
46 | in { | 46 | in { |
47 | options.services.myDatabases = { | 47 | options.services.myDatabases = { |
@@ -56,6 +56,23 @@ in { | |||
56 | }; | 56 | }; |
57 | 57 | ||
58 | config = lib.mkIf cfg.enable { | 58 | config = lib.mkIf cfg.enable { |
59 | deployment.keys = { | ||
60 | ldap-password = { | ||
61 | destDir = "/run/keys/ldap"; | ||
62 | permissions = "0400"; | ||
63 | user = "openldap"; | ||
64 | group = "openldap"; | ||
65 | text = "rootpw ${myconfig.env.ldap.root_pw}"; | ||
66 | }; | ||
67 | ldap-access = { | ||
68 | destDir = "/run/keys/ldap"; | ||
69 | permissions = "0400"; | ||
70 | user = "openldap"; | ||
71 | group = "openldap"; | ||
72 | text = builtins.readFile "${myconfig.privateFiles}/ldap.conf"; | ||
73 | }; | ||
74 | }; | ||
75 | users.users.openldap.extraGroups = [ "keys" ]; | ||
59 | networking.firewall.allowedTCPPorts = [ 636 389 ]; | 76 | networking.firewall.allowedTCPPorts = [ 636 389 ]; |
60 | 77 | ||
61 | services.cron = { | 78 | services.cron = { |
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix index 673ced8..7e2f4e6 100644 --- a/nixops/modules/databases/postgresql.nix +++ b/nixops/modules/databases/postgresql.nix | |||
@@ -42,6 +42,7 @@ in { | |||
42 | install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} | 42 | install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} |
43 | ''; | 43 | ''; |
44 | 44 | ||
45 | systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys"; | ||
45 | services.postgresql = rec { | 46 | services.postgresql = rec { |
46 | enable = cfg.postgresql.enable; | 47 | enable = cfg.postgresql.enable; |
47 | package = pkgs.postgresql; | 48 | package = pkgs.postgresql; |
@@ -76,38 +77,52 @@ in { | |||
76 | ''; | 77 | ''; |
77 | }; | 78 | }; |
78 | 79 | ||
79 | security.pam.services = let | 80 | deployment.keys = { |
80 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | 81 | postgresql-pam = { |
81 | pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; | 82 | destDir = "/run/keys/postgresql"; |
82 | pkgs.writeText "postgresql.conf" '' | 83 | permissions = "0400"; |
83 | host ${myconfig.env.ldap.host} | 84 | group = "postgres"; |
84 | base ${myconfig.env.ldap.base} | 85 | user = "postgres"; |
85 | binddn ${dn} | 86 | text = with myconfig.env.databases.postgresql.pam; '' |
86 | bindpw ${password} | 87 | host ${myconfig.env.ldap.host} |
87 | pam_filter ${filter} | 88 | base ${myconfig.env.ldap.base} |
88 | ssl start_tls | 89 | binddn ${dn} |
90 | bindpw ${password} | ||
91 | pam_filter ${filter} | ||
92 | ssl start_tls | ||
89 | ''; | 93 | ''; |
90 | pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' | 94 | }; |
91 | host ${myconfig.env.ldap.host} | 95 | postgresql-pam_replication = { |
92 | base ${myconfig.env.ldap.base} | 96 | destDir = "/run/keys/postgresql"; |
93 | binddn ${myconfig.env.ldap.host_dn} | 97 | permissions = "0400"; |
94 | bindpw ${myconfig.env.ldap.password} | 98 | group = "postgres"; |
95 | pam_login_attribute cn | 99 | user = "postgres"; |
96 | ssl start_tls | 100 | text = '' |
101 | host ${myconfig.env.ldap.host} | ||
102 | base ${myconfig.env.ldap.base} | ||
103 | binddn ${myconfig.env.ldap.host_dn} | ||
104 | bindpw ${myconfig.env.ldap.password} | ||
105 | pam_login_attribute cn | ||
106 | ssl start_tls | ||
97 | ''; | 107 | ''; |
108 | }; | ||
109 | }; | ||
110 | |||
111 | security.pam.services = let | ||
112 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | ||
98 | in [ | 113 | in [ |
99 | { | 114 | { |
100 | name = "postgresql"; | 115 | name = "postgresql"; |
101 | text = '' | 116 | text = '' |
102 | auth required ${pam_ldap} config=${pam_ldap_postgresql} | 117 | auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam |
103 | account required ${pam_ldap} config=${pam_ldap_postgresql} | 118 | account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam |
104 | ''; | 119 | ''; |
105 | } | 120 | } |
106 | { | 121 | { |
107 | name = "postgresql_replication"; | 122 | name = "postgresql_replication"; |
108 | text = '' | 123 | text = '' |
109 | auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} | 124 | auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication |
110 | account required ${pam_ldap} config=${pam_ldap_postgresql_replication} | 125 | account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication |
111 | ''; | 126 | ''; |
112 | } | 127 | } |
113 | ]; | 128 | ]; |