authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-20 23:40:37 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-20 23:40:37 +0200
commite1da84b06c408ea5d4d093de39efdda71ad6dc95 (patch)
treef30edd6efaef7b37ec4845271b6807c79c376460 /nixops
parentcd85801d01ddadbe00f26f4f257621ee1cd81e4b (diff)
downloadNix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.tar.gz
Nix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.tar.zst
Nix-e1da84b06c408ea5d4d093de39efdda71ad6dc95.zip
Move database credentials to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r--nixops/modules/databases/mysql.nix48
-rw-r--r--nixops/modules/databases/openldap.nix21
-rw-r--r--nixops/modules/databases/postgresql.nix57
3 files changed, 86 insertions, 40 deletions
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
index 635f212..95de972 100644
--- a/nixops/modules/databases/mysql.nix
+++ b/nixops/modules/databases/mysql.nix
@@ -41,6 +41,7 @@ in {
41 ''; 41 '';
42 }; 42 };
43 43
44 users.users.mysql.extraGroups = [ "keys" ];
44 security.acme.certs."mysql" = config.services.myCertificates.certConfig // { 45 security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
45 user = "mysql"; 46 user = "mysql";
46 group = "mysql"; 47 group = "mysql";
@@ -51,39 +52,52 @@ in {
51 ''; 52 '';
52 }; 53 };
53 54
54 services.cron = { 55 deployment.keys = {
55 enable = true; 56 mysqldump = {
56 systemCronJobs = let 57 destDir = "/run/keys/mysql";
57 mycnf = pkgs.writeText "my.cnf" '' 58 permissions = "0400";
59 user = "root";
60 group = "root";
61 text = ''
58 [mysqldump] 62 [mysqldump]
59 user = root 63 user = root
60 password = ${myconfig.env.databases.mysql.systemUsers.root} 64 password = ${myconfig.env.databases.mysql.systemUsers.root}
65 '';
66 };
67 mysql-pam = {
68 destDir = "/run/keys/mysql";
69 permissions = "0400";
70 user = "mysql";
71 group = "mysql";
72 text = with myconfig.env.databases.mysql.pam; ''
73 host ${myconfig.env.ldap.host}
74 base ${myconfig.env.ldap.base}
75 binddn ${dn}
76 bindpw ${password}
77 pam_filter ${filter}
78 ssl start_tls
61 ''; 79 '';
62 in [ 80 };
81 };
82
83 services.cron = {
84 enable = true;
85 systemCronJobs = [
63 '' 86 ''
64 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${mycnf} --all-databases > /var/lib/mysql/backup.sql 87 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
65 '' 88 ''
66 ]; 89 ];
67 }; 90 };
68 91
69 security.pam.services = let 92 security.pam.services = let
70 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 93 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
71 pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
72 pkgs.writeText "mysql.conf" ''
73 host ${myconfig.env.ldap.host}
74 base ${myconfig.env.ldap.base}
75 binddn ${dn}
76 bindpw ${password}
77 pam_filter ${filter}
78 ssl start_tls
79 '';
80 in [ 94 in [
81 { 95 {
82 name = "mysql"; 96 name = "mysql";
83 text = '' 97 text = ''
84 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ 98 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
85 auth required ${pam_ldap} config=${pam_ldap_mysql} 99 auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam
86 account required ${pam_ldap} config=${pam_ldap_mysql} 100 account required ${pam_ldap} config=/run/keys/mysql/mysql-pam
87 ''; 101 '';
88 } 102 }
89 ]; 103 ];
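Review bot: The `/run/keys/mysql/...` paths on new lines 87, 99 and 100 only exist after a `nixops deploy` or `nixops send-keys`; /run/keys is not persistent, so after a reboot the mysqldump cron job fails on a missing defaults file and PAM/LDAP authentication against MariaDB fails until the keys are resent, and nothing in the hunk orders the services behind the key units nixops creates. Since nixops provides a `<name>-key.service` per key, the server should wait for it, e.g. `systemd.services.mysql.after = [ "mysql-pam-key.service" ]; systemd.services.mysql.wants = [ "mysql-pam-key.service" ];`, and the cron entry deserves a comment saying the dump silently depends on the mysqldump key being present. The same issue applies to the openldap.nix section (slapd `include`s both key files at startup, so a missing file is a fatal config error) and the postgresql.nix section. It is also worth confirming that the `/run/keys/mysql` subdirectory nixops creates for `destDir` is traversable by the mysql user, since the pam file itself is 0400 mysql:mysql but the parent directory's mode is not set here. The enclosing config attribute set starts before this hunk.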
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
index 165a029..7ed4bc0 100644
--- a/nixops/modules/databases/openldap.nix
+++ b/nixops/modules/databases/openldap.nix
@@ -29,7 +29,7 @@ let
29 database hdb 29 database hdb
30 suffix "${myconfig.env.ldap.base}" 30 suffix "${myconfig.env.ldap.base}"
31 rootdn "${myconfig.env.ldap.root_dn}" 31 rootdn "${myconfig.env.ldap.root_dn}"
32 rootpw ${myconfig.env.ldap.root_pw} 32 include /run/keys/ldap/ldap-password
33 directory /var/lib/openldap 33 directory /var/lib/openldap
34 overlay memberof 34 overlay memberof
35 35
@@ -41,7 +41,7 @@ let
41 #TLSCipherSuite DEFAULT 41 #TLSCipherSuite DEFAULT
42 42
43 sasl-host kerberos.immae.eu 43 sasl-host kerberos.immae.eu
44 ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"} 44 include /run/keys/ldap/ldap-access
45 ''; 45 '';
46in { 46in {
47 options.services.myDatabases = { 47 options.services.myDatabases = {
@@ -56,6 +56,23 @@ in {
56 }; 56 };
57 57
58 config = lib.mkIf cfg.enable { 58 config = lib.mkIf cfg.enable {
59 deployment.keys = {
60 ldap-password = {
61 destDir = "/run/keys/ldap";
62 permissions = "0400";
63 user = "openldap";
64 group = "openldap";
65 text = "rootpw ${myconfig.env.ldap.root_pw}";
66 };
67 ldap-access = {
68 destDir = "/run/keys/ldap";
69 permissions = "0400";
70 user = "openldap";
71 group = "openldap";
72 text = builtins.readFile "${myconfig.privateFiles}/ldap.conf";
73 };
74 };
75 users.users.openldap.extraGroups = [ "keys" ];
59 networking.firewall.allowedTCPPorts = [ 636 389 ]; 76 networking.firewall.allowedTCPPorts = [ 636 389 ];
60 77
61 services.cron = { 78 services.cron = {
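Review bot: The `ldap-password` key on new line 65 writes `rootpw` with the value of `myconfig.env.ldap.root_pw` verbatim; if that is a cleartext password, the 0400 openldap-owned key file now holds it as-is, whereas slapd accepts a hashed `rootpw` (the `{SSHA}...` form produced by `slappasswd`), which limits what a disclosed key file reveals. It cannot be told from this hunk whether root_pw is already a hash; if it is, a comment such as `# root_pw is a slappasswd hash, not the cleartext password` on line 65 would save the next reader the check, and if it is not, storing the hash is the safer choice. Note that the `include` directives on lines 32 and 44 of the `let` block are evaluated at slapd startup, so both key files are hard startup dependencies of the service rather than of individual binds. The `config = lib.mkIf cfg.enable` block continues past the end of this hunk.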
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
index 673ced8..7e2f4e6 100644
--- a/nixops/modules/databases/postgresql.nix
+++ b/nixops/modules/databases/postgresql.nix
@@ -42,6 +42,7 @@ in {
42 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} 42 install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
43 ''; 43 '';
44 44
45 systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
45 services.postgresql = rec { 46 services.postgresql = rec {
46 enable = cfg.postgresql.enable; 47 enable = cfg.postgresql.enable;
47 package = pkgs.postgresql; 48 package = pkgs.postgresql;
@@ -76,38 +77,52 @@ in {
76 ''; 77 '';
77 }; 78 };
78 79
79 security.pam.services = let 80 deployment.keys = {
80 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; 81 postgresql-pam = {
81 pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; 82 destDir = "/run/keys/postgresql";
82 pkgs.writeText "postgresql.conf" '' 83 permissions = "0400";
83 host ${myconfig.env.ldap.host} 84 group = "postgres";
84 base ${myconfig.env.ldap.base} 85 user = "postgres";
85 binddn ${dn} 86 text = with myconfig.env.databases.postgresql.pam; ''
86 bindpw ${password} 87 host ${myconfig.env.ldap.host}
87 pam_filter ${filter} 88 base ${myconfig.env.ldap.base}
88 ssl start_tls 89 binddn ${dn}
90 bindpw ${password}
91 pam_filter ${filter}
92 ssl start_tls
89 ''; 93 '';
90 pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' 94 };
91 host ${myconfig.env.ldap.host} 95 postgresql-pam_replication = {
92 base ${myconfig.env.ldap.base} 96 destDir = "/run/keys/postgresql";
93 binddn ${myconfig.env.ldap.host_dn} 97 permissions = "0400";
94 bindpw ${myconfig.env.ldap.password} 98 group = "postgres";
95 pam_login_attribute cn 99 user = "postgres";
96 ssl start_tls 100 text = ''
101 host ${myconfig.env.ldap.host}
102 base ${myconfig.env.ldap.base}
103 binddn ${myconfig.env.ldap.host_dn}
104 bindpw ${myconfig.env.ldap.password}
105 pam_login_attribute cn
106 ssl start_tls
97 ''; 107 '';
108 };
109 };
110
111 security.pam.services = let
112 pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
98 in [ 113 in [
99 { 114 {
100 name = "postgresql"; 115 name = "postgresql";
101 text = '' 116 text = ''
102 auth required ${pam_ldap} config=${pam_ldap_postgresql} 117 auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
103 account required ${pam_ldap} config=${pam_ldap_postgresql} 118 account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam
104 ''; 119 '';
105 } 120 }
106 { 121 {
107 name = "postgresql_replication"; 122 name = "postgresql_replication";
108 text = '' 123 text = ''
109 auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} 124 auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
110 account required ${pam_ldap} config=${pam_ldap_postgresql_replication} 125 account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication
111 ''; 126 '';
112 } 127 }
113 ]; 128 ];
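Review bot: New line 45 grants the keys group to the PostgreSQL unit via `systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys"`, while the mysql.nix and openldap.nix sections of the same commit use `users.users.<name>.extraGroups = [ "keys" ]`; the service-scoped form is the tighter one (only the unit, not every process running as that user, can traverse /run/keys), so the other two modules should follow this one rather than the reverse. The literal `/run/keys/postgresql/postgresql-pam` and `.../postgresql-pam_replication` paths on lines 117-118 and 124-125 repeat the `destDir` values of lines 82 and 96 by hand; if the nixops in use exposes `deployment.keys.<name>.path`, `config=${config.deployment.keys.postgresql-pam.path}` keeps the two in sync (this needs `config` in scope, which is not visible in this hunk). The enclosing config attribute set starts before line 77.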