Diffstat (limited to 'virtual')
-rw-r--r--virtual/eldiron.nix36
1 files changed, 35 insertions, 1 deletions
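--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -8,7 +8,7 @@
 networking = {
 firewall = {
 enable = true;
-allowedTCPPorts = [ 22 80 443 5432 ];
+allowedTCPPorts = [ 22 80 443 3306 5432 ];
 };
 };
 
@@ -62,7 +62,41 @@
 };
 };
 
+# FIXME: environment variables ?
+security.pam.services = let
+pam_ldap = pkgs.pam_ldap;
+pam_ldap_mysql = pkgs.writeText "mysql.conf" ''
+host ldap.immae.eu
+base dc=immae,dc=eu
+binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
+bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
+pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
+'';
+in [
+{
+name = "mysql";
+text = ''
+# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
+auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+'';
+}
+];
+
+# FIXME: initial sync
+# FIXME: backup
+# FIXME: restart after pam
+# FIXME: pam access doesn’t work (because of php module)
+services.mysql = rec {
+enable = true;
+package = pkgs.mariadb.overrideAttrs(old: rec {
+cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+buildInputs = old.buildInputs ++ [ pkgs.pam ];
+});
+};
+
 # FIXME: initial sync
+# FIXME: backup
 services.postgresql = rec {
 enable = true;
 package = pkgs.postgresql100.overrideAttrs(old: rec {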
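Review bot: The LDAP bind password interpolated at `bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}` (new line 72) goes through `pkgs.writeText`, so the whole mysql.conf lands in a world-readable /nix/store path that the two pam_ldap `config=` lines then reference, and it travels with the closure to any binary cache or remote store the system is copied to. Keep the secret out of the store: deploy mysql.conf as a root-only file outside /nix/store on the target (through the deployment's key mechanism) and point `config=` at that path, leaving only the non-secret pam_ldap settings in the expression. `builtins.getEnv` also yields an empty string when the variable is unset, so the file would silently carry an empty bindpw; failing evaluation instead, e.g. `bindpw ${let p = builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"; in if p == "" then throw "NIXOPS_MYSQL_PAM_PASSWORD is not set" else p}`, makes that visible at deploy time. The first hunk opens 3306 in `allowedTCPPorts` while the FIXME on new line 89 records that PAM access does not yet work, so consider holding the firewall change until the authentication path is verified.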