diff options
Diffstat (limited to 'modules/private/databases')
| -rw-r--r-- | modules/private/databases/mariadb.nix | 6 | ||||
| -rw-r--r-- | modules/private/databases/openldap/default.nix | 35 | ||||
| -rw-r--r-- | modules/private/databases/openldap/eldiron_schemas.nix | 8 | ||||
| -rw-r--r-- | modules/private/databases/openldap_replication.nix | 4 | ||||
| -rw-r--r-- | modules/private/databases/postgresql.nix | 17 | ||||
| -rw-r--r-- | modules/private/databases/redis.nix | 11 |
6 files changed, 32 insertions, 49 deletions
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index ed647ea..04e4bd6 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix | |||
| @@ -96,8 +96,8 @@ in { | |||
| 96 | dataDir = cfg.dataDir; | 96 | dataDir = cfg.dataDir; |
| 97 | extraOptions = '' | 97 | extraOptions = '' |
| 98 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | 98 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt |
| 99 | ssl_key = ${config.security.acme2.certs.mysql.directory}/key.pem | 99 | ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem |
| 100 | ssl_cert = ${config.security.acme2.certs.mysql.directory}/fullchain.pem | 100 | ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem |
| 101 | 101 | ||
| 102 | # for replication | 102 | # for replication |
| 103 | log-bin=mariadb-bin | 103 | log-bin=mariadb-bin |
| @@ -110,7 +110,7 @@ in { | |||
| 110 | }; | 110 | }; |
| 111 | 111 | ||
| 112 | users.users.mysql.extraGroups = [ "keys" ]; | 112 | users.users.mysql.extraGroups = [ "keys" ]; |
| 113 | security.acme2.certs."mysql" = config.myServices.databasesCerts // { | 113 | security.acme.certs."mysql" = config.myServices.databasesCerts // { |
| 114 | user = "mysql"; | 114 | user = "mysql"; |
| 115 | group = "mysql"; | 115 | group = "mysql"; |
| 116 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | 116 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; |
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index d7d61db..efe9379 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix | |||
| @@ -12,27 +12,14 @@ let | |||
| 12 | moduleload back_hdb | 12 | moduleload back_hdb |
| 13 | backend hdb | 13 | backend hdb |
| 14 | 14 | ||
| 15 | moduleload memberof | 15 | TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem |
| 16 | database hdb | 16 | TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem |
| 17 | suffix "${cfg.baseDn}" | 17 | TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem |
| 18 | rootdn "${cfg.rootDn}" | ||
| 19 | include ${config.secrets.location}/ldap/password | ||
| 20 | directory ${cfg.dataDir} | ||
| 21 | overlay memberof | ||
| 22 | |||
| 23 | moduleload syncprov | ||
| 24 | overlay syncprov | ||
| 25 | syncprov-checkpoint 100 10 | ||
| 26 | |||
| 27 | TLSCertificateFile ${config.security.acme2.certs.ldap.directory}/cert.pem | ||
| 28 | TLSCertificateKeyFile ${config.security.acme2.certs.ldap.directory}/key.pem | ||
| 29 | TLSCACertificateFile ${config.security.acme2.certs.ldap.directory}/fullchain.pem | ||
| 30 | TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ | 18 | TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ |
| 31 | #This makes openldap crash | 19 | #This makes openldap crash |
| 32 | #TLSCipherSuite DEFAULT | 20 | #TLSCipherSuite DEFAULT |
| 33 | 21 | ||
| 34 | sasl-host kerberos.immae.eu | 22 | sasl-host kerberos.immae.eu |
| 35 | include ${config.secrets.location}/ldap/access | ||
| 36 | ''; | 23 | ''; |
| 37 | in | 24 | in |
| 38 | { | 25 | { |
| @@ -117,7 +104,7 @@ in | |||
| 117 | users.users.openldap.extraGroups = [ "keys" ]; | 104 | users.users.openldap.extraGroups = [ "keys" ]; |
| 118 | networking.firewall.allowedTCPPorts = [ 636 389 ]; | 105 | networking.firewall.allowedTCPPorts = [ 636 389 ]; |
| 119 | 106 | ||
| 120 | security.acme2.certs."ldap" = config.myServices.databasesCerts // { | 107 | security.acme.certs."ldap" = config.myServices.databasesCerts // { |
| 121 | user = "openldap"; | 108 | user = "openldap"; |
| 122 | group = "openldap"; | 109 | group = "openldap"; |
| 123 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | 110 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; |
| @@ -137,6 +124,20 @@ in | |||
| 137 | dataDir = cfg.dataDir; | 124 | dataDir = cfg.dataDir; |
| 138 | urlList = [ "ldap://" "ldaps://" ]; | 125 | urlList = [ "ldap://" "ldaps://" ]; |
| 139 | extraConfig = ldapConfig; | 126 | extraConfig = ldapConfig; |
| 127 | extraDatabaseConfig = '' | ||
| 128 | moduleload memberof | ||
| 129 | overlay memberof | ||
| 130 | |||
| 131 | moduleload syncprov | ||
| 132 | overlay syncprov | ||
| 133 | syncprov-checkpoint 100 10 | ||
| 134 | |||
| 135 | include ${config.secrets.location}/ldap/access | ||
| 136 | ''; | ||
| 137 | rootpwFile = "${config.secrets.location}/ldap/password"; | ||
| 138 | suffix = cfg.baseDn; | ||
| 139 | rootdn = cfg.rootDn; | ||
| 140 | database = "hdb"; | ||
| 140 | }; | 141 | }; |
| 141 | }; | 142 | }; |
| 142 | } | 143 | } |
diff --git a/modules/private/databases/openldap/eldiron_schemas.nix b/modules/private/databases/openldap/eldiron_schemas.nix index fc686dd..cf45ebe 100644 --- a/modules/private/databases/openldap/eldiron_schemas.nix +++ b/modules/private/databases/openldap/eldiron_schemas.nix | |||
| @@ -9,10 +9,10 @@ let | |||
| 9 | sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; | 9 | sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; |
| 10 | }; | 10 | }; |
| 11 | schemas = [ | 11 | schemas = [ |
| 12 | "${openldap}/etc/schema/core.schema" | 12 | #"${openldap}/etc/schema/core.schema" |
| 13 | "${openldap}/etc/schema/cosine.schema" | 13 | #"${openldap}/etc/schema/cosine.schema" |
| 14 | "${openldap}/etc/schema/inetorgperson.schema" | 14 | #"${openldap}/etc/schema/inetorgperson.schema" |
| 15 | "${openldap}/etc/schema/nis.schema" | 15 | #"${openldap}/etc/schema/nis.schema" |
| 16 | puppetSchema | 16 | puppetSchema |
| 17 | kerberosSchema | 17 | kerberosSchema |
| 18 | ./immae.schema | 18 | ./immae.schema |
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index 2980c97..df4101b 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix | |||
| @@ -3,6 +3,10 @@ let | |||
| 3 | cfg = config.myServices.databasesReplication.openldap; | 3 | cfg = config.myServices.databasesReplication.openldap; |
| 4 | eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; | 4 | eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; |
| 5 | ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' | 5 | ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' |
| 6 | include ${pkgs.openldap}/etc/schema/core.schema | ||
| 7 | include ${pkgs.openldap}/etc/schema/cosine.schema | ||
| 8 | include ${pkgs.openldap}/etc/schema/inetorgperson.schema | ||
| 9 | include ${pkgs.openldap}/etc/schema/nis.schema | ||
| 6 | ${eldiron_schemas} | 10 | ${eldiron_schemas} |
| 7 | pidfile /run/slapd_${name}/slapd.pid | 11 | pidfile /run/slapd_${name}/slapd.pid |
| 8 | argsfile /run/slapd_${name}/slapd.args | 12 | argsfile /run/slapd_${name}/slapd.args |
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index 27ea59c..d0b1a75 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix | |||
| @@ -91,23 +91,13 @@ in { | |||
| 91 | ''; | 91 | ''; |
| 92 | readOnly = true; | 92 | readOnly = true; |
| 93 | }; | 93 | }; |
| 94 | systemdRuntimeDirectory = lib.mkOption { | ||
| 95 | type = lib.types.str; | ||
| 96 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
| 97 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
| 98 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
| 99 | description = '' | ||
| 100 | Adjusted Postgresql sockets directory for systemd | ||
| 101 | ''; | ||
| 102 | readOnly = true; | ||
| 103 | }; | ||
| 104 | }; | 94 | }; |
| 105 | }; | 95 | }; |
| 106 | 96 | ||
| 107 | config = lib.mkIf cfg.enable { | 97 | config = lib.mkIf cfg.enable { |
| 108 | networking.firewall.allowedTCPPorts = [ 5432 ]; | 98 | networking.firewall.allowedTCPPorts = [ 5432 ]; |
| 109 | 99 | ||
| 110 | security.acme2.certs."postgresql" = config.myServices.databasesCerts // { | 100 | security.acme.certs."postgresql" = config.myServices.databasesCerts // { |
| 111 | user = "postgres"; | 101 | user = "postgres"; |
| 112 | group = "postgres"; | 102 | group = "postgres"; |
| 113 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | 103 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; |
| @@ -119,7 +109,6 @@ in { | |||
| 119 | 109 | ||
| 120 | systemd.services.postgresql.serviceConfig = { | 110 | systemd.services.postgresql.serviceConfig = { |
| 121 | SupplementaryGroups = "keys"; | 111 | SupplementaryGroups = "keys"; |
| 122 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 123 | }; | 112 | }; |
| 124 | systemd.services.postgresql.postStart = lib.mkAfter '' | 113 | systemd.services.postgresql.postStart = lib.mkAfter '' |
| 125 | # This line is already defined in 19.09 | 114 | # This line is already defined in 19.09 |
| @@ -165,8 +154,8 @@ in { | |||
| 165 | # makes it order of magnitudes quicker | 154 | # makes it order of magnitudes quicker |
| 166 | synchronous_commit = off | 155 | synchronous_commit = off |
| 167 | ssl = on | 156 | ssl = on |
| 168 | ssl_cert_file = '${config.security.acme2.certs.postgresql.directory}/fullchain.pem' | 157 | ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem' |
| 169 | ssl_key_file = '${config.security.acme2.certs.postgresql.directory}/key.pem' | 158 | ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem' |
| 170 | ''; | 159 | ''; |
| 171 | authentication = let | 160 | authentication = let |
| 172 | hosts = builtins.concatStringsSep "\n" ( | 161 | hosts = builtins.concatStringsSep "\n" ( |
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 4b26283..4602510 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix | |||
| @@ -17,16 +17,6 @@ in { | |||
| 17 | ''; | 17 | ''; |
| 18 | }; | 18 | }; |
| 19 | # Output variables | 19 | # Output variables |
| 20 | systemdRuntimeDirectory = lib.mkOption { | ||
| 21 | type = lib.types.str; | ||
| 22 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
| 23 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
| 24 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
| 25 | description = '' | ||
| 26 | Adjusted redis sockets directory for systemd | ||
| 27 | ''; | ||
| 28 | readOnly = true; | ||
| 29 | }; | ||
| 30 | sockets = lib.mkOption { | 20 | sockets = lib.mkOption { |
| 31 | type = lib.types.attrsOf lib.types.path; | 21 | type = lib.types.attrsOf lib.types.path; |
| 32 | default = { | 22 | default = { |
| @@ -51,7 +41,6 @@ in { | |||
| 51 | maxclients 1024 | 41 | maxclients 1024 |
| 52 | ''; | 42 | ''; |
| 53 | }; | 43 | }; |
| 54 | systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 55 | 44 | ||
| 56 | services.spiped = { | 45 | services.spiped = { |
| 57 | enable = true; | 46 | enable = true; |