4 files changed, 239 insertions, 199 deletions
diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix
index 3200181..01a130c 100644
--- a/nixops/modules/databases/default.nix
+++ b/nixops/modules/databases/default.nix
@@ -3,208 +3,12 @@ let
    cfg = config.services.myDatabases;
 in {
  imports = [
+    ./mysql.nix
    ./openldap.nix
+    ./postgresql.nix
+    ./redis.nix
  ];
  options.services.myDatabases = {
    enable = lib.mkEnableOption "my databases service";
-    postgresql = {
-      enable = lib.mkOption {
-        default = cfg.enable;
-        example = true;
-        description = "Whether to enable postgresql database";
-        type = lib.types.bool;
-      };
-    };
-    mariadb = {
-      enable = lib.mkOption {
-        default = cfg.enable;
-        example = true;
-        description = "Whether to enable mariadb database";
-        type = lib.types.bool;
-      };
-    };
-    redis = {
-      enable = lib.mkOption {
-        default = cfg.enable;
-        example = true;
-        description = "Whether to enable redis database";
-        type = lib.types.bool;
-      };
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    nixpkgs.config.packageOverrides = oldpkgs: rec {
-      postgresql = postgresql111;
-      postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
-        passthru = old.passthru // { psqlSchema = "11.0"; };
-        name = "postgresql-11.1";
-        src = pkgs.fetchurl {
-          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
-          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
-        };
-        configureFlags = old.configureFlags ++ [ "--with-pam" ];
-        buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
-        patches = old.patches ++ [
-          ./postgresql_run_socket_path.patch
-        ];
-      });
-      mariadb = mariadbPAM;
-      mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
-        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
-        buildInputs = old.buildInputs ++ [ pkgs.pam ];
-      });
-    };
-    networking.firewall.allowedTCPPorts = [ 3306 5432 ];
-    # for adminer, ssl is implemented with mysqli only, which is
-    # currently disabled because it’s not compatible with pam.
-    # Thus we need to generate two users for each 'remote': one remote
-    # with SSL, and one localhost without SSL.
-    # User identified by LDAP:
-    # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
-    # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
-    services.mysql = rec {
-      enable = cfg.mariadb.enable;
-      package = pkgs.mariadb;
-      extraOptions = ''
-        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-        ssl_key = /var/lib/acme/mysql/key.pem
-        ssl_cert = /var/lib/acme/mysql/fullchain.pem
-        '';
-    };
-    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
-      user = "postgres";
-      group = "postgres";
-      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
-      domain = "db-1.immae.eu";
-      postRun = ''
-        systemctl reload postgresql.service
-      '';
-    };
-    security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
-      user = "mysql";
-      group = "mysql";
-      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
-      domain = "db-1.immae.eu";
-      postRun = ''
-        systemctl restart mysql.service
-      '';
-    };
-    system.activationScripts.postgresql = ''
-      install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
-      '';
-    services.postgresql = rec {
-      enable = cfg.postgresql.enable;
-      package = pkgs.postgresql;
-      enableTCPIP = true;
-      extraConfig = ''
-        max_connections = 100
-        wal_level = logical
-        shared_buffers = 512MB
-        work_mem = 10MB
-        max_wal_size = 1GB
-        min_wal_size = 80MB
-        log_timezone = 'Europe/Paris'
-        datestyle = 'iso, mdy'
-        timezone = 'Europe/Paris'
-        lc_messages = 'en_US.UTF-8'
-        lc_monetary = 'en_US.UTF-8'
-        lc_numeric = 'en_US.UTF-8'
-        lc_time = 'en_US.UTF-8'
-        default_text_search_config = 'pg_catalog.english'
-        ssl = on
-        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
-        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
-        '';
-      authentication = ''
-        local   all     postgres                                ident
-        local   all     all                                     md5
-        hostssl all     all     188.165.209.148/32              md5
-        hostssl all     all     178.33.252.96/32                md5
-        hostssl all     all     all                             pam
-        hostssl replication     backup-1        2001:41d0:302:1100::9:e5a9/128  pam pamservice=postgresql_replication
-        hostssl replication     backup-1        54.37.151.137/32                pam pamservice=postgresql_replication
-      '';
-    };
-    security.pam.services = let
-      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-      pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
-        pkgs.writeText "mysql.conf" ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
-        binddn ${dn}
-        bindpw ${password}
-        pam_filter ${filter}
-        ssl start_tls
-        '';
-      pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
-        pkgs.writeText "postgresql.conf" ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
-        binddn ${dn}
-        bindpw ${password}
-        pam_filter ${filter}
-        ssl start_tls
-        '';
-      pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
-        host ${myconfig.env.ldap.host}
-        base ${myconfig.env.ldap.base}
-        binddn ${myconfig.env.ldap.host_dn}
-        bindpw ${myconfig.env.ldap.password}
-        pam_login_attribute cn
-        ssl start_tls
-        '';
-    in [
-      {
-        name = "mysql";
-        text = ''
-          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap} config=${pam_ldap_mysql}
-          account required ${pam_ldap} config=${pam_ldap_mysql}
-          '';
-      }
-      {
-        name = "postgresql";
-        text = ''
-          auth    required ${pam_ldap} config=${pam_ldap_postgresql}
-          account required ${pam_ldap} config=${pam_ldap_postgresql}
-          '';
-      }
-      {
-        name = "postgresql_replication";
-        text = ''
-          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
-          '';
-      }
-    ];
-    ids.uids.redis = myconfig.env.users.redis.uid;
-    ids.gids.redis = myconfig.env.users.redis.gid;
-    users.users.redis.uid = config.ids.uids.redis;
-    users.groups.redis.gid = config.ids.gids.redis;
-    services.redis = rec {
-      enable = config.services.myDatabases.redis.enable;
-      bind = "127.0.0.1";
-      unixSocket = myconfig.env.databases.redis.socket;
-      extraConfig = ''
-        unixsocketperm 777
-        maxclients 1024
-        '';
-    };
-    system.activationScripts.redis = ''
-      mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
-      chown redis $(dirname ${myconfig.env.databases.redis.socket})
-    '';
  };
 }
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
new file mode 100644
index 0000000..acf4750
--- /dev/null
+++ b/nixops/modules/databases/mysql.nix
@@ -0,0 +1,78 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+    cfg = config.services.myDatabases;
+in {
+  options.services.myDatabases = {
+    mariadb = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable mariadb database";
+        type = lib.types.bool;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      mariadb = mariadbPAM;
+      mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
+        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+        buildInputs = old.buildInputs ++ [ pkgs.pam ];
+      });
+    };
+    networking.firewall.allowedTCPPorts = [ 3306 ];
+    # for adminer, ssl is implemented with mysqli only, which is
+    # currently disabled because it’s not compatible with pam.
+    # Thus we need to generate two users for each 'remote': one remote
+    # with SSL, and one localhost without SSL.
+    # User identified by LDAP:
+    # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+    # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
+    services.mysql = rec {
+      enable = cfg.mariadb.enable;
+      package = pkgs.mariadb;
+      extraOptions = ''
+        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+        ssl_key = /var/lib/acme/mysql/key.pem
+        ssl_cert = /var/lib/acme/mysql/fullchain.pem
+        '';
+    };
+    security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
+      user = "mysql";
+      group = "mysql";
+      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+      domain = "db-1.immae.eu";
+      postRun = ''
+        systemctl restart mysql.service
+      '';
+    };
+    security.pam.services = let
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+      pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
+        pkgs.writeText "mysql.conf" ''
+        host ${myconfig.env.ldap.host}
+        base ${myconfig.env.ldap.base}
+        binddn ${dn}
+        bindpw ${password}
+        pam_filter ${filter}
+        ssl start_tls
+        '';
+    in [
+      {
+        name = "mysql";
+        text = ''
+          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
+          auth    required ${pam_ldap} config=${pam_ldap_mysql}
+          account required ${pam_ldap} config=${pam_ldap_mysql}
+          '';
+      }
+    ];
+  };
+}
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
new file mode 100644
index 0000000..2e658f8
--- /dev/null
+++ b/nixops/modules/databases/postgresql.nix
@@ -0,0 +1,121 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+    cfg = config.services.myDatabases;
+in {
+  options.services.myDatabases = {
+    postgresql = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable postgresql database";
+        type = lib.types.bool;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      postgresql = postgresql111;
+      postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
+        passthru = old.passthru // { psqlSchema = "11.0"; };
+        name = "postgresql-11.1";
+        src = pkgs.fetchurl {
+          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
+          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
+        };
+        configureFlags = old.configureFlags ++ [ "--with-pam" ];
+        buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
+        patches = old.patches ++ [
+          ./postgresql_run_socket_path.patch
+        ];
+      });
+    };
+    networking.firewall.allowedTCPPorts = [ 5432 ];
+    security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
+      user = "postgres";
+      group = "postgres";
+      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+      domain = "db-1.immae.eu";
+      postRun = ''
+        systemctl reload postgresql.service
+      '';
+    };
+    system.activationScripts.postgresql = ''
+      install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
+      '';
+    services.postgresql = rec {
+      enable = cfg.postgresql.enable;
+      package = pkgs.postgresql;
+      enableTCPIP = true;
+      extraConfig = ''
+        max_connections = 100
+        wal_level = logical
+        shared_buffers = 512MB
+        work_mem = 10MB
+        max_wal_size = 1GB
+        min_wal_size = 80MB
+        log_timezone = 'Europe/Paris'
+        datestyle = 'iso, mdy'
+        timezone = 'Europe/Paris'
+        lc_messages = 'en_US.UTF-8'
+        lc_monetary = 'en_US.UTF-8'
+        lc_numeric = 'en_US.UTF-8'
+        lc_time = 'en_US.UTF-8'
+        default_text_search_config = 'pg_catalog.english'
+        ssl = on
+        ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
+        ssl_key_file = '/var/lib/acme/postgresql/key.pem'
+        '';
+      authentication = ''
+        local   all     postgres                                ident
+        local   all     all                                     md5
+        hostssl all     all     188.165.209.148/32              md5
+        hostssl all     all     178.33.252.96/32                md5
+        hostssl all     all     all                             pam
+        hostssl replication     backup-1        2001:41d0:302:1100::9:e5a9/128  pam pamservice=postgresql_replication
+        hostssl replication     backup-1        54.37.151.137/32                pam pamservice=postgresql_replication
+      '';
+    };
+    security.pam.services = let
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+      pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
+        pkgs.writeText "postgresql.conf" ''
+        host ${myconfig.env.ldap.host}
+        base ${myconfig.env.ldap.base}
+        binddn ${dn}
+        bindpw ${password}
+        pam_filter ${filter}
+        ssl start_tls
+        '';
+      pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
+        host ${myconfig.env.ldap.host}
+        base ${myconfig.env.ldap.base}
+        binddn ${myconfig.env.ldap.host_dn}
+        bindpw ${myconfig.env.ldap.password}
+        pam_login_attribute cn
+        ssl start_tls
+        '';
+    in [
+      {
+        name = "postgresql";
+        text = ''
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql}
+          account required ${pam_ldap} config=${pam_ldap_postgresql}
+          '';
+      }
+      {
+        name = "postgresql_replication";
+        text = ''
+          auth    required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
+          '';
+      }
+    ];
+  };
+}
diff --git a/nixops/modules/databases/redis.nix b/nixops/modules/databases/redis.nix
new file mode 100644
index 0000000..7379685
--- /dev/null
+++ b/nixops/modules/databases/redis.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+    cfg = config.services.myDatabases;
+in {
+  options.services.myDatabases = {
+    redis = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable redis database";
+        type = lib.types.bool;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    ids.uids.redis = myconfig.env.users.redis.uid;
+    ids.gids.redis = myconfig.env.users.redis.gid;
+    users.users.redis.uid = config.ids.uids.redis;
+    users.groups.redis.gid = config.ids.gids.redis;
+    services.redis = rec {
+      enable = config.services.myDatabases.redis.enable;
+      bind = "127.0.0.1";
+      unixSocket = myconfig.env.databases.redis.socket;
+      extraConfig = ''
+        unixsocketperm 777
+        maxclients 1024
+        '';
+    };
+    system.activationScripts.redis = ''
+      mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
+      chown redis $(dirname ${myconfig.env.databases.redis.socket})
+    '';
+  };
+}

diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix index 3200181..01a130c 100644 --- a/nixops/modules/databases/default.nix +++ b/nixops/modules/databases/default.nix
@@ -3,208 +3,12 @@ let
3	cfg = config.services.myDatabases;	3	cfg = config.services.myDatabases;
4	in {	4	in {
5	imports = [	5	imports = [
		6	./mysql.nix
6	./openldap.nix	7	./openldap.nix
		8	./postgresql.nix
		9	./redis.nix
7	];	10	];
8	options.services.myDatabases = {	11	options.services.myDatabases = {
9	enable = lib.mkEnableOption "my databases service";	12	enable = lib.mkEnableOption "my databases service";
10	postgresql = {
11	enable = lib.mkOption {
12	default = cfg.enable;
13	example = true;
14	description = "Whether to enable postgresql database";
15	type = lib.types.bool;
16	};
17	};
18
19	mariadb = {
20	enable = lib.mkOption {
21	default = cfg.enable;
22	example = true;
23	description = "Whether to enable mariadb database";
24	type = lib.types.bool;
25	};
26	};
27
28	redis = {
29	enable = lib.mkOption {
30	default = cfg.enable;
31	example = true;
32	description = "Whether to enable redis database";
33	type = lib.types.bool;
34	};
35	};
36	};
37
38	config = lib.mkIf cfg.enable {
39	nixpkgs.config.packageOverrides = oldpkgs: rec {
40	postgresql = postgresql111;
41	postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
42	passthru = old.passthru // { psqlSchema = "11.0"; };
43	name = "postgresql-11.1";
44	src = pkgs.fetchurl {
45	url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
46	sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
47	};
48	configureFlags = old.configureFlags ++ [ "--with-pam" ];
49	buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
50	patches = old.patches ++ [
51	./postgresql_run_socket_path.patch
52	];
53	});
54	mariadb = mariadbPAM;
55	mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
56	cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
57	buildInputs = old.buildInputs ++ [ pkgs.pam ];
58	});
59	};
60
61	networking.firewall.allowedTCPPorts = [ 3306 5432 ];
62
63	# for adminer, ssl is implemented with mysqli only, which is
64	# currently disabled because it’s not compatible with pam.
65	# Thus we need to generate two users for each 'remote': one remote
66	# with SSL, and one localhost without SSL.
67	# User identified by LDAP:
68	# CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
69	# CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
70	services.mysql = rec {
71	enable = cfg.mariadb.enable;
72	package = pkgs.mariadb;
73	extraOptions = ''
74	ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
75	ssl_key = /var/lib/acme/mysql/key.pem
76	ssl_cert = /var/lib/acme/mysql/fullchain.pem
77	'';
78	};
79
80	security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
81	user = "postgres";
82	group = "postgres";
83	plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
84	domain = "db-1.immae.eu";
85	postRun = ''
86	systemctl reload postgresql.service
87	'';
88	};
89
90	security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
91	user = "mysql";
92	group = "mysql";
93	plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
94	domain = "db-1.immae.eu";
95	postRun = ''
96	systemctl restart mysql.service
97	'';
98	};
99
100	system.activationScripts.postgresql = ''
101	install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
102	'';
103
104	services.postgresql = rec {
105	enable = cfg.postgresql.enable;
106	package = pkgs.postgresql;
107	enableTCPIP = true;
108	extraConfig = ''
109	max_connections = 100
110	wal_level = logical
111	shared_buffers = 512MB
112	work_mem = 10MB
113	max_wal_size = 1GB
114	min_wal_size = 80MB
115	log_timezone = 'Europe/Paris'
116	datestyle = 'iso, mdy'
117	timezone = 'Europe/Paris'
118	lc_messages = 'en_US.UTF-8'
119	lc_monetary = 'en_US.UTF-8'
120	lc_numeric = 'en_US.UTF-8'
121	lc_time = 'en_US.UTF-8'
122	default_text_search_config = 'pg_catalog.english'
123	ssl = on
124	ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
125	ssl_key_file = '/var/lib/acme/postgresql/key.pem'
126	'';
127	authentication = ''
128	local all postgres ident
129	local all all md5
130	hostssl all all 188.165.209.148/32 md5
131	hostssl all all 178.33.252.96/32 md5
132	hostssl all all all pam
133	hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
134	hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
135	'';
136	};
137
138	security.pam.services = let
139	pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
140	pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
141	pkgs.writeText "mysql.conf" ''
142	host ${myconfig.env.ldap.host}
143	base ${myconfig.env.ldap.base}
144	binddn ${dn}
145	bindpw ${password}
146	pam_filter ${filter}
147	ssl start_tls
148	'';
149	pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
150	pkgs.writeText "postgresql.conf" ''
151	host ${myconfig.env.ldap.host}
152	base ${myconfig.env.ldap.base}
153	binddn ${dn}
154	bindpw ${password}
155	pam_filter ${filter}
156	ssl start_tls
157	'';
158	pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
159	host ${myconfig.env.ldap.host}
160	base ${myconfig.env.ldap.base}
161	binddn ${myconfig.env.ldap.host_dn}
162	bindpw ${myconfig.env.ldap.password}
163	pam_login_attribute cn
164	ssl start_tls
165	'';
166	in [
167	{
168	name = "mysql";
169	text = ''
170	# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
171	auth required ${pam_ldap} config=${pam_ldap_mysql}
172	account required ${pam_ldap} config=${pam_ldap_mysql}
173	'';
174	}
175	{
176	name = "postgresql";
177	text = ''
178	auth required ${pam_ldap} config=${pam_ldap_postgresql}
179	account required ${pam_ldap} config=${pam_ldap_postgresql}
180	'';
181	}
182	{
183	name = "postgresql_replication";
184	text = ''
185	auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
186	account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
187	'';
188	}
189	];
190
191	ids.uids.redis = myconfig.env.users.redis.uid;
192	ids.gids.redis = myconfig.env.users.redis.gid;
193	users.users.redis.uid = config.ids.uids.redis;
194	users.groups.redis.gid = config.ids.gids.redis;
195	services.redis = rec {
196	enable = config.services.myDatabases.redis.enable;
197	bind = "127.0.0.1";
198	unixSocket = myconfig.env.databases.redis.socket;
199	extraConfig = ''
200	unixsocketperm 777
201	maxclients 1024
202	'';
203	};
204	system.activationScripts.redis = ''
205	mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
206	chown redis $(dirname ${myconfig.env.databases.redis.socket})
207	'';
208
209	};	13	};
210	}	14	}


diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix new file mode 100644 index 0000000..acf4750 --- /dev/null +++ b/nixops/modules/databases/mysql.nix
@@ -0,0 +1,78 @@
		1	{ lib, pkgs, config, myconfig, mylibs, ... }:
		2	let
		3	cfg = config.services.myDatabases;
		4	in {
		5	options.services.myDatabases = {
		6	mariadb = {
		7	enable = lib.mkOption {
		8	default = cfg.enable;
		9	example = true;
		10	description = "Whether to enable mariadb database";
		11	type = lib.types.bool;
		12	};
		13	};
		14	};
		15
		16	config = lib.mkIf cfg.enable {
		17	nixpkgs.config.packageOverrides = oldpkgs: rec {
		18	mariadb = mariadbPAM;
		19	mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
		20	cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
		21	buildInputs = old.buildInputs ++ [ pkgs.pam ];
		22	});
		23	};
		24
		25	networking.firewall.allowedTCPPorts = [ 3306 ];
		26
		27	# for adminer, ssl is implemented with mysqli only, which is
		28	# currently disabled because it’s not compatible with pam.
		29	# Thus we need to generate two users for each 'remote': one remote
		30	# with SSL, and one localhost without SSL.
		31	# User identified by LDAP:
		32	# CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
		33	# CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
		34	services.mysql = rec {
		35	enable = cfg.mariadb.enable;
		36	package = pkgs.mariadb;
		37	extraOptions = ''
		38	ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
		39	ssl_key = /var/lib/acme/mysql/key.pem
		40	ssl_cert = /var/lib/acme/mysql/fullchain.pem
		41	'';
		42	};
		43
		44	security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
		45	user = "mysql";
		46	group = "mysql";
		47	plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
		48	domain = "db-1.immae.eu";
		49	postRun = ''
		50	systemctl restart mysql.service
		51	'';
		52	};
		53
		54	security.pam.services = let
		55	pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
		56	pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
		57	pkgs.writeText "mysql.conf" ''
		58	host ${myconfig.env.ldap.host}
		59	base ${myconfig.env.ldap.base}
		60	binddn ${dn}
		61	bindpw ${password}
		62	pam_filter ${filter}
		63	ssl start_tls
		64	'';
		65	in [
		66	{
		67	name = "mysql";
		68	text = ''
		69	# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
		70	auth required ${pam_ldap} config=${pam_ldap_mysql}
		71	account required ${pam_ldap} config=${pam_ldap_mysql}
		72	'';
		73	}
		74	];
		75
		76	};
		77	}
		78


diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix new file mode 100644 index 0000000..2e658f8 --- /dev/null +++ b/nixops/modules/databases/postgresql.nix
@@ -0,0 +1,121 @@
		1	{ lib, pkgs, config, myconfig, mylibs, ... }:
		2	let
		3	cfg = config.services.myDatabases;
		4	in {
		5	options.services.myDatabases = {
		6	postgresql = {
		7	enable = lib.mkOption {
		8	default = cfg.enable;
		9	example = true;
		10	description = "Whether to enable postgresql database";
		11	type = lib.types.bool;
		12	};
		13	};
		14	};
		15
		16	config = lib.mkIf cfg.enable {
		17	nixpkgs.config.packageOverrides = oldpkgs: rec {
		18	postgresql = postgresql111;
		19	postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
		20	passthru = old.passthru // { psqlSchema = "11.0"; };
		21	name = "postgresql-11.1";
		22	src = pkgs.fetchurl {
		23	url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
		24	sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
		25	};
		26	configureFlags = old.configureFlags ++ [ "--with-pam" ];
		27	buildInputs = (old.buildInputs or []) ++ [ pkgs.pam ];
		28	patches = old.patches ++ [
		29	./postgresql_run_socket_path.patch
		30	];
		31	});
		32	};
		33
		34	networking.firewall.allowedTCPPorts = [ 5432 ];
		35
		36	security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
		37	user = "postgres";
		38	group = "postgres";
		39	plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
		40	domain = "db-1.immae.eu";
		41	postRun = ''
		42	systemctl reload postgresql.service
		43	'';
		44	};
		45
		46	system.activationScripts.postgresql = ''
		47	install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket}
		48	'';
		49
		50	services.postgresql = rec {
		51	enable = cfg.postgresql.enable;
		52	package = pkgs.postgresql;
		53	enableTCPIP = true;
		54	extraConfig = ''
		55	max_connections = 100
		56	wal_level = logical
		57	shared_buffers = 512MB
		58	work_mem = 10MB
		59	max_wal_size = 1GB
		60	min_wal_size = 80MB
		61	log_timezone = 'Europe/Paris'
		62	datestyle = 'iso, mdy'
		63	timezone = 'Europe/Paris'
		64	lc_messages = 'en_US.UTF-8'
		65	lc_monetary = 'en_US.UTF-8'
		66	lc_numeric = 'en_US.UTF-8'
		67	lc_time = 'en_US.UTF-8'
		68	default_text_search_config = 'pg_catalog.english'
		69	ssl = on
		70	ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
		71	ssl_key_file = '/var/lib/acme/postgresql/key.pem'
		72	'';
		73	authentication = ''
		74	local all postgres ident
		75	local all all md5
		76	hostssl all all 188.165.209.148/32 md5
		77	hostssl all all 178.33.252.96/32 md5
		78	hostssl all all all pam
		79	hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
		80	hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
		81	'';
		82	};
		83
		84	security.pam.services = let
		85	pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
		86	pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam;
		87	pkgs.writeText "postgresql.conf" ''
		88	host ${myconfig.env.ldap.host}
		89	base ${myconfig.env.ldap.base}
		90	binddn ${dn}
		91	bindpw ${password}
		92	pam_filter ${filter}
		93	ssl start_tls
		94	'';
		95	pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" ''
		96	host ${myconfig.env.ldap.host}
		97	base ${myconfig.env.ldap.base}
		98	binddn ${myconfig.env.ldap.host_dn}
		99	bindpw ${myconfig.env.ldap.password}
		100	pam_login_attribute cn
		101	ssl start_tls
		102	'';
		103	in [
		104	{
		105	name = "postgresql";
		106	text = ''
		107	auth required ${pam_ldap} config=${pam_ldap_postgresql}
		108	account required ${pam_ldap} config=${pam_ldap_postgresql}
		109	'';
		110	}
		111	{
		112	name = "postgresql_replication";
		113	text = ''
		114	auth required ${pam_ldap} config=${pam_ldap_postgresql_replication}
		115	account required ${pam_ldap} config=${pam_ldap_postgresql_replication}
		116	'';
		117	}
		118	];
		119	};
		120	}
		121


diff --git a/nixops/modules/databases/redis.nix b/nixops/modules/databases/redis.nix new file mode 100644 index 0000000..7379685 --- /dev/null +++ b/nixops/modules/databases/redis.nix
@@ -0,0 +1,37 @@
		1	{ lib, pkgs, config, myconfig, mylibs, ... }:
		2	let
		3	cfg = config.services.myDatabases;
		4	in {
		5	options.services.myDatabases = {
		6	redis = {
		7	enable = lib.mkOption {
		8	default = cfg.enable;
		9	example = true;
		10	description = "Whether to enable redis database";
		11	type = lib.types.bool;
		12	};
		13	};
		14	};
		15
		16	config = lib.mkIf cfg.enable {
		17	ids.uids.redis = myconfig.env.users.redis.uid;
		18	ids.gids.redis = myconfig.env.users.redis.gid;
		19	users.users.redis.uid = config.ids.uids.redis;
		20	users.groups.redis.gid = config.ids.gids.redis;
		21	services.redis = rec {
		22	enable = config.services.myDatabases.redis.enable;
		23	bind = "127.0.0.1";
		24	unixSocket = myconfig.env.databases.redis.socket;
		25	extraConfig = ''
		26	unixsocketperm 777
		27	maxclients 1024
		28	'';
		29	};
		30	system.activationScripts.redis = ''
		31	mkdir -p $(dirname ${myconfig.env.databases.redis.socket})
		32	chown redis $(dirname ${myconfig.env.databases.redis.socket})
		33	'';
		34
		35	};
		36	}
		37