diff options
-rw-r--r-- | nixops/modules/databases/default.nix | 202 | ||||
-rw-r--r-- | nixops/modules/databases/mysql.nix | 78 | ||||
-rw-r--r-- | nixops/modules/databases/postgresql.nix | 121 | ||||
-rw-r--r-- | nixops/modules/databases/redis.nix | 37 |
4 files changed, 239 insertions, 199 deletions
diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix index 3200181..01a130c 100644 --- a/nixops/modules/databases/default.nix +++ b/nixops/modules/databases/default.nix | |||
@@ -3,208 +3,12 @@ let | |||
3 | cfg = config.services.myDatabases; | 3 | cfg = config.services.myDatabases; |
4 | in { | 4 | in { |
5 | imports = [ | 5 | imports = [ |
6 | ./mysql.nix | ||
6 | ./openldap.nix | 7 | ./openldap.nix |
8 | ./postgresql.nix | ||
9 | ./redis.nix | ||
7 | ]; | 10 | ]; |
8 | options.services.myDatabases = { | 11 | options.services.myDatabases = { |
9 | enable = lib.mkEnableOption "my databases service"; | 12 | enable = lib.mkEnableOption "my databases service"; |
10 | postgresql = { | ||
11 | enable = lib.mkOption { | ||
12 | default = cfg.enable; | ||
13 | example = true; | ||
14 | description = "Whether to enable postgresql database"; | ||
15 | type = lib.types.bool; | ||
16 | }; | ||
17 | }; | ||
18 | |||
19 | mariadb = { | ||
20 | enable = lib.mkOption { | ||
21 | default = cfg.enable; | ||
22 | example = true; | ||
23 | description = "Whether to enable mariadb database"; | ||
24 | type = lib.types.bool; | ||
25 | }; | ||
26 | }; | ||
27 | |||
28 | redis = { | ||
29 | enable = lib.mkOption { | ||
30 | default = cfg.enable; | ||
31 | example = true; | ||
32 | description = "Whether to enable redis database"; | ||
33 | type = lib.types.bool; | ||
34 | }; | ||
35 | }; | ||
36 | }; | ||
37 | |||
38 | config = lib.mkIf cfg.enable { | ||
39 | nixpkgs.config.packageOverrides = oldpkgs: rec { | ||
40 | postgresql = postgresql111; | ||
41 | postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec { | ||
42 | passthru = old.passthru // { psqlSchema = "11.0"; }; | ||
43 | name = "postgresql-11.1"; | ||
44 | src = pkgs.fetchurl { | ||
45 | url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; | ||
46 | sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; | ||
47 | }; | ||
48 | configureFlags = old.configureFlags ++ [ "--with-pam" ]; | ||
49 | buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ]; | ||
50 | patches = old.patches ++ [ | ||
51 | ./postgresql_run_socket_path.patch | ||
52 | ]; | ||
53 | }); | ||
54 | mariadb = mariadbPAM; | ||
55 | mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec { | ||
56 | cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; | ||
57 | buildInputs = old.buildInputs ++ [ pkgs.pam ]; | ||
58 | }); | ||
59 | }; | ||
60 | |||
61 | networking.firewall.allowedTCPPorts = [ 3306 5432 ]; | ||
62 | |||
63 | # for adminer, ssl is implemented with mysqli only, which is | ||
64 | # currently disabled because it’s not compatible with pam. | ||
65 | # Thus we need to generate two users for each 'remote': one remote | ||
66 | # with SSL, and one localhost without SSL. | ||
67 | # User identified by LDAP: | ||
68 | # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; | ||
69 | # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; | ||
70 | services.mysql = rec { | ||
71 | enable = cfg.mariadb.enable; | ||
72 | package = pkgs.mariadb; | ||
73 | extraOptions = '' | ||
74 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | ||
75 | ssl_key = /var/lib/acme/mysql/key.pem | ||
76 | ssl_cert = /var/lib/acme/mysql/fullchain.pem | ||
77 | ''; | ||
78 | }; | ||
79 | |||
80 | security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { | ||
81 | user = "postgres"; | ||
82 | group = "postgres"; | ||
83 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; | ||
84 | domain = "db-1.immae.eu"; | ||
85 | postRun = '' | ||
86 | systemctl reload postgresql.service | ||
87 | ''; | ||
88 | }; | ||
89 | |||
90 | security.acme.certs."mysql" = config.services.myCertificates.certConfig // { | ||
91 | user = "mysql"; | ||
92 | group = "mysql"; | ||
93 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; | ||
94 | domain = "db-1.immae.eu"; | ||
95 | postRun = '' | ||
96 | systemctl restart mysql.service | ||
97 | ''; | ||
98 | }; | ||
99 | |||
100 | system.activationScripts.postgresql = '' | ||
101 | install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} | ||
102 | ''; | ||
103 | |||
104 | services.postgresql = rec { | ||
105 | enable = cfg.postgresql.enable; | ||
106 | package = pkgs.postgresql; | ||
107 | enableTCPIP = true; | ||
108 | extraConfig = '' | ||
109 | max_connections = 100 | ||
110 | wal_level = logical | ||
111 | shared_buffers = 512MB | ||
112 | work_mem = 10MB | ||
113 | max_wal_size = 1GB | ||
114 | min_wal_size = 80MB | ||
115 | log_timezone = 'Europe/Paris' | ||
116 | datestyle = 'iso, mdy' | ||
117 | timezone = 'Europe/Paris' | ||
118 | lc_messages = 'en_US.UTF-8' | ||
119 | lc_monetary = 'en_US.UTF-8' | ||
120 | lc_numeric = 'en_US.UTF-8' | ||
121 | lc_time = 'en_US.UTF-8' | ||
122 | default_text_search_config = 'pg_catalog.english' | ||
123 | ssl = on | ||
124 | ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem' | ||
125 | ssl_key_file = '/var/lib/acme/postgresql/key.pem' | ||
126 | ''; | ||
127 | authentication = '' | ||
128 | local all postgres ident | ||
129 | local all all md5 | ||
130 | hostssl all all 188.165.209.148/32 md5 | ||
131 | hostssl all all 178.33.252.96/32 md5 | ||
132 | hostssl all all all pam | ||
133 | hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication | ||
134 | hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication | ||
135 | ''; | ||
136 | }; | ||
137 | |||
138 | security.pam.services = let | ||
139 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | ||
140 | pam_ldap_mysql = with myconfig.env.databases.mysql.pam; | ||
141 | pkgs.writeText "mysql.conf" '' | ||
142 | host ${myconfig.env.ldap.host} | ||
143 | base ${myconfig.env.ldap.base} | ||
144 | binddn ${dn} | ||
145 | bindpw ${password} | ||
146 | pam_filter ${filter} | ||
147 | ssl start_tls | ||
148 | ''; | ||
149 | pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; | ||
150 | pkgs.writeText "postgresql.conf" '' | ||
151 | host ${myconfig.env.ldap.host} | ||
152 | base ${myconfig.env.ldap.base} | ||
153 | binddn ${dn} | ||
154 | bindpw ${password} | ||
155 | pam_filter ${filter} | ||
156 | ssl start_tls | ||
157 | ''; | ||
158 | pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' | ||
159 | host ${myconfig.env.ldap.host} | ||
160 | base ${myconfig.env.ldap.base} | ||
161 | binddn ${myconfig.env.ldap.host_dn} | ||
162 | bindpw ${myconfig.env.ldap.password} | ||
163 | pam_login_attribute cn | ||
164 | ssl start_tls | ||
165 | ''; | ||
166 | in [ | ||
167 | { | ||
168 | name = "mysql"; | ||
169 | text = '' | ||
170 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | ||
171 | auth required ${pam_ldap} config=${pam_ldap_mysql} | ||
172 | account required ${pam_ldap} config=${pam_ldap_mysql} | ||
173 | ''; | ||
174 | } | ||
175 | { | ||
176 | name = "postgresql"; | ||
177 | text = '' | ||
178 | auth required ${pam_ldap} config=${pam_ldap_postgresql} | ||
179 | account required ${pam_ldap} config=${pam_ldap_postgresql} | ||
180 | ''; | ||
181 | } | ||
182 | { | ||
183 | name = "postgresql_replication"; | ||
184 | text = '' | ||
185 | auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} | ||
186 | account required ${pam_ldap} config=${pam_ldap_postgresql_replication} | ||
187 | ''; | ||
188 | } | ||
189 | ]; | ||
190 | |||
191 | ids.uids.redis = myconfig.env.users.redis.uid; | ||
192 | ids.gids.redis = myconfig.env.users.redis.gid; | ||
193 | users.users.redis.uid = config.ids.uids.redis; | ||
194 | users.groups.redis.gid = config.ids.gids.redis; | ||
195 | services.redis = rec { | ||
196 | enable = config.services.myDatabases.redis.enable; | ||
197 | bind = "127.0.0.1"; | ||
198 | unixSocket = myconfig.env.databases.redis.socket; | ||
199 | extraConfig = '' | ||
200 | unixsocketperm 777 | ||
201 | maxclients 1024 | ||
202 | ''; | ||
203 | }; | ||
204 | system.activationScripts.redis = '' | ||
205 | mkdir -p $(dirname ${myconfig.env.databases.redis.socket}) | ||
206 | chown redis $(dirname ${myconfig.env.databases.redis.socket}) | ||
207 | ''; | ||
208 | |||
209 | }; | 13 | }; |
210 | } | 14 | } |
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix new file mode 100644 index 0000000..acf4750 --- /dev/null +++ b/nixops/modules/databases/mysql.nix | |||
@@ -0,0 +1,78 @@ | |||
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | ||
2 | let | ||
3 | cfg = config.services.myDatabases; | ||
4 | in { | ||
5 | options.services.myDatabases = { | ||
6 | mariadb = { | ||
7 | enable = lib.mkOption { | ||
8 | default = cfg.enable; | ||
9 | example = true; | ||
10 | description = "Whether to enable mariadb database"; | ||
11 | type = lib.types.bool; | ||
12 | }; | ||
13 | }; | ||
14 | }; | ||
15 | |||
16 | config = lib.mkIf cfg.enable { | ||
17 | nixpkgs.config.packageOverrides = oldpkgs: rec { | ||
18 | mariadb = mariadbPAM; | ||
19 | mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec { | ||
20 | cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; | ||
21 | buildInputs = old.buildInputs ++ [ pkgs.pam ]; | ||
22 | }); | ||
23 | }; | ||
24 | |||
25 | networking.firewall.allowedTCPPorts = [ 3306 ]; | ||
26 | |||
27 | # for adminer, ssl is implemented with mysqli only, which is | ||
28 | # currently disabled because it’s not compatible with pam. | ||
29 | # Thus we need to generate two users for each 'remote': one remote | ||
30 | # with SSL, and one localhost without SSL. | ||
31 | # User identified by LDAP: | ||
32 | # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL; | ||
33 | # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; | ||
34 | services.mysql = rec { | ||
35 | enable = cfg.mariadb.enable; | ||
36 | package = pkgs.mariadb; | ||
37 | extraOptions = '' | ||
38 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | ||
39 | ssl_key = /var/lib/acme/mysql/key.pem | ||
40 | ssl_cert = /var/lib/acme/mysql/fullchain.pem | ||
41 | ''; | ||
42 | }; | ||
43 | |||
44 | security.acme.certs."mysql" = config.services.myCertificates.certConfig // { | ||
45 | user = "mysql"; | ||
46 | group = "mysql"; | ||
47 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; | ||
48 | domain = "db-1.immae.eu"; | ||
49 | postRun = '' | ||
50 | systemctl restart mysql.service | ||
51 | ''; | ||
52 | }; | ||
53 | |||
54 | security.pam.services = let | ||
55 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | ||
56 | pam_ldap_mysql = with myconfig.env.databases.mysql.pam; | ||
57 | pkgs.writeText "mysql.conf" '' | ||
58 | host ${myconfig.env.ldap.host} | ||
59 | base ${myconfig.env.ldap.base} | ||
60 | binddn ${dn} | ||
61 | bindpw ${password} | ||
62 | pam_filter ${filter} | ||
63 | ssl start_tls | ||
64 | ''; | ||
65 | in [ | ||
66 | { | ||
67 | name = "mysql"; | ||
68 | text = '' | ||
69 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | ||
70 | auth required ${pam_ldap} config=${pam_ldap_mysql} | ||
71 | account required ${pam_ldap} config=${pam_ldap_mysql} | ||
72 | ''; | ||
73 | } | ||
74 | ]; | ||
75 | |||
76 | }; | ||
77 | } | ||
78 | |||
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix new file mode 100644 index 0000000..2e658f8 --- /dev/null +++ b/nixops/modules/databases/postgresql.nix | |||
@@ -0,0 +1,121 @@ | |||
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | ||
2 | let | ||
3 | cfg = config.services.myDatabases; | ||
4 | in { | ||
5 | options.services.myDatabases = { | ||
6 | postgresql = { | ||
7 | enable = lib.mkOption { | ||
8 | default = cfg.enable; | ||
9 | example = true; | ||
10 | description = "Whether to enable postgresql database"; | ||
11 | type = lib.types.bool; | ||
12 | }; | ||
13 | }; | ||
14 | }; | ||
15 | |||
16 | config = lib.mkIf cfg.enable { | ||
17 | nixpkgs.config.packageOverrides = oldpkgs: rec { | ||
18 | postgresql = postgresql111; | ||
19 | postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec { | ||
20 | passthru = old.passthru // { psqlSchema = "11.0"; }; | ||
21 | name = "postgresql-11.1"; | ||
22 | src = pkgs.fetchurl { | ||
23 | url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; | ||
24 | sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; | ||
25 | }; | ||
26 | configureFlags = old.configureFlags ++ [ "--with-pam" ]; | ||
27 | buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ]; | ||
28 | patches = old.patches ++ [ | ||
29 | ./postgresql_run_socket_path.patch | ||
30 | ]; | ||
31 | }); | ||
32 | }; | ||
33 | |||
34 | networking.firewall.allowedTCPPorts = [ 5432 ]; | ||
35 | |||
36 | security.acme.certs."postgresql" = config.services.myCertificates.certConfig // { | ||
37 | user = "postgres"; | ||
38 | group = "postgres"; | ||
39 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" ]; | ||
40 | domain = "db-1.immae.eu"; | ||
41 | postRun = '' | ||
42 | systemctl reload postgresql.service | ||
43 | ''; | ||
44 | }; | ||
45 | |||
46 | system.activationScripts.postgresql = '' | ||
47 | install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} | ||
48 | ''; | ||
49 | |||
50 | services.postgresql = rec { | ||
51 | enable = cfg.postgresql.enable; | ||
52 | package = pkgs.postgresql; | ||
53 | enableTCPIP = true; | ||
54 | extraConfig = '' | ||
55 | max_connections = 100 | ||
56 | wal_level = logical | ||
57 | shared_buffers = 512MB | ||
58 | work_mem = 10MB | ||
59 | max_wal_size = 1GB | ||
60 | min_wal_size = 80MB | ||
61 | log_timezone = 'Europe/Paris' | ||
62 | datestyle = 'iso, mdy' | ||
63 | timezone = 'Europe/Paris' | ||
64 | lc_messages = 'en_US.UTF-8' | ||
65 | lc_monetary = 'en_US.UTF-8' | ||
66 | lc_numeric = 'en_US.UTF-8' | ||
67 | lc_time = 'en_US.UTF-8' | ||
68 | default_text_search_config = 'pg_catalog.english' | ||
69 | ssl = on | ||
70 | ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem' | ||
71 | ssl_key_file = '/var/lib/acme/postgresql/key.pem' | ||
72 | ''; | ||
73 | authentication = '' | ||
74 | local all postgres ident | ||
75 | local all all md5 | ||
76 | hostssl all all 188.165.209.148/32 md5 | ||
77 | hostssl all all 178.33.252.96/32 md5 | ||
78 | hostssl all all all pam | ||
79 | hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication | ||
80 | hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication | ||
81 | ''; | ||
82 | }; | ||
83 | |||
84 | security.pam.services = let | ||
85 | pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; | ||
86 | pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; | ||
87 | pkgs.writeText "postgresql.conf" '' | ||
88 | host ${myconfig.env.ldap.host} | ||
89 | base ${myconfig.env.ldap.base} | ||
90 | binddn ${dn} | ||
91 | bindpw ${password} | ||
92 | pam_filter ${filter} | ||
93 | ssl start_tls | ||
94 | ''; | ||
95 | pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' | ||
96 | host ${myconfig.env.ldap.host} | ||
97 | base ${myconfig.env.ldap.base} | ||
98 | binddn ${myconfig.env.ldap.host_dn} | ||
99 | bindpw ${myconfig.env.ldap.password} | ||
100 | pam_login_attribute cn | ||
101 | ssl start_tls | ||
102 | ''; | ||
103 | in [ | ||
104 | { | ||
105 | name = "postgresql"; | ||
106 | text = '' | ||
107 | auth required ${pam_ldap} config=${pam_ldap_postgresql} | ||
108 | account required ${pam_ldap} config=${pam_ldap_postgresql} | ||
109 | ''; | ||
110 | } | ||
111 | { | ||
112 | name = "postgresql_replication"; | ||
113 | text = '' | ||
114 | auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} | ||
115 | account required ${pam_ldap} config=${pam_ldap_postgresql_replication} | ||
116 | ''; | ||
117 | } | ||
118 | ]; | ||
119 | }; | ||
120 | } | ||
121 | |||
diff --git a/nixops/modules/databases/redis.nix b/nixops/modules/databases/redis.nix new file mode 100644 index 0000000..7379685 --- /dev/null +++ b/nixops/modules/databases/redis.nix | |||
@@ -0,0 +1,37 @@ | |||
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | ||
2 | let | ||
3 | cfg = config.services.myDatabases; | ||
4 | in { | ||
5 | options.services.myDatabases = { | ||
6 | redis = { | ||
7 | enable = lib.mkOption { | ||
8 | default = cfg.enable; | ||
9 | example = true; | ||
10 | description = "Whether to enable redis database"; | ||
11 | type = lib.types.bool; | ||
12 | }; | ||
13 | }; | ||
14 | }; | ||
15 | |||
16 | config = lib.mkIf cfg.enable { | ||
17 | ids.uids.redis = myconfig.env.users.redis.uid; | ||
18 | ids.gids.redis = myconfig.env.users.redis.gid; | ||
19 | users.users.redis.uid = config.ids.uids.redis; | ||
20 | users.groups.redis.gid = config.ids.gids.redis; | ||
21 | services.redis = rec { | ||
22 | enable = config.services.myDatabases.redis.enable; | ||
23 | bind = "127.0.0.1"; | ||
24 | unixSocket = myconfig.env.databases.redis.socket; | ||
25 | extraConfig = '' | ||
26 | unixsocketperm 777 | ||
27 | maxclients 1024 | ||
28 | ''; | ||
29 | }; | ||
30 | system.activationScripts.redis = '' | ||
31 | mkdir -p $(dirname ${myconfig.env.databases.redis.socket}) | ||
32 | chown redis $(dirname ${myconfig.env.databases.redis.socket}) | ||
33 | ''; | ||
34 | |||
35 | }; | ||
36 | } | ||
37 | |||