From 4aac110f17f0528d90510eec00c9a8df60bcf04f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Fri, 17 May 2019 10:26:33 +0200 Subject: Remove direct dependency to myconfig in database modules --- modules/private/databases/default.nix | 53 ++++++++++- modules/private/databases/mariadb.nix | 40 +++++++-- modules/private/databases/openldap/default.nix | 36 ++++++-- modules/private/databases/postgresql.nix | 119 ++++++++++++++++++++----- modules/private/databases/redis.nix | 2 +- 5 files changed, 211 insertions(+), 39 deletions(-) (limited to 'modules') diff --git a/modules/private/databases/default.nix b/modules/private/databases/default.nix index 78d91dc..3f7a44b 100644 --- a/modules/private/databases/default.nix +++ b/modules/private/databases/default.nix @@ -1,4 +1,4 @@ -{ lib, config, ... }: +{ lib, config, myconfig, ... }: let cfg = config.myServices.databases; in @@ -9,10 +9,55 @@ in description = "Default databases configurations for certificates as accepted by acme"; }; }; + + config.nixpkgs.overlays = lib.mkIf cfg.enable [ (self: super: { + postgresql = self.postgresql_11_custom; + }) ]; + config.myServices.databases = lib.mkIf cfg.enable { - mariadb.enable = true; - openldap.enable = true; - postgresql.enable = true; + mariadb = { + enable = true; + ldapConfig = { + inherit (myconfig.env.ldap) host base; + inherit (myconfig.env.databases.mysql.pam) dn filter password; + }; + credentials.root = myconfig.env.databases.mysql.systemUsers.root; + }; + + openldap = { + accessFile = "${myconfig.privateFiles}/ldap.conf"; + baseDn = myconfig.env.ldap.base; + rootDn = myconfig.env.ldap.root_dn; + rootPw = myconfig.env.ldap.root_pw; + enable = true; + }; + + postgresql = { + ldapConfig = { + inherit (myconfig.env.ldap) host base; + inherit (myconfig.env.databases.postgresql.pam) dn filter password; + }; + replicationLdapConfig = { + inherit (myconfig.env.ldap) host base password; + dn = myconfig.env.ldap.host_dn; + }; + authorizedHosts = { + immaeEu = [{ + ip4 = [ + myconfig.env.servers.immaeEu.ips.main.ip4 + myconfig.env.servers.immaeEu.ips.alt.ip4 + ]; + }]; + }; + replicationHosts = { + backup-1 = { + ip4 = [myconfig.env.servers.backup-1.ips.main.ip4]; + ip6 = myconfig.env.servers.backup-1.ips.main.ip6; + }; + }; + enable = true; + }; + redis.enable = true; }; } diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index cc99c3c..a7239c0 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.databases.mariadb; in { @@ -10,6 +10,30 @@ in { description = "Whether to enable mariadb database"; type = lib.types.bool; }; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.mariadb; + description = '' + Mariadb package to use. + ''; + }; + credentials = lib.mkOption { + default = {}; + description = "Credentials"; + type = lib.types.attrsOf lib.types.str; + }; + ldapConfig = lib.mkOption { + description = "LDAP configuration to allow PAM identification via LDAP"; + type = lib.types.submodule { + options = { + host = lib.mkOption { type = lib.types.str; }; + base = lib.mkOption { type = lib.types.str; }; + dn = lib.mkOption { type = lib.types.str; }; + password = lib.mkOption { type = lib.types.str; }; + filter = lib.mkOption { type = lib.types.str; }; + }; + }; + }; dataDir = lib.mkOption { type = lib.types.path; default = "/var/lib/mysql"; @@ -50,7 +74,7 @@ in { # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql'; services.mysql = { enable = true; - package = pkgs.mariadb; + package = cfg.package; dataDir = cfg.dataDir; extraOptions = '' ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt @@ -79,7 +103,7 @@ in { text = '' [mysqldump] user = root - password = ${myconfig.env.databases.mysql.systemUsers.root} + password = ${cfg.credentials.root} ''; } { @@ -87,14 +111,14 @@ in { permissions = "0400"; user = "mysql"; group = "mysql"; - text = with myconfig.env.databases.mysql.pam; '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} + text = with cfg.ldapConfig; '' + host ${host} + base ${base} binddn ${dn} bindpw ${password} pam_filter ${filter} ssl start_tls - ''; + ''; } ]; @@ -102,7 +126,7 @@ in { enable = true; systemCronJobs = [ '' - 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql + 30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql '' ]; }; diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index 46f85d2..e048d56 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.databases.openldap; ldapConfig = let @@ -27,8 +27,8 @@ let moduleload memberof database hdb - suffix "${myconfig.env.ldap.base}" - rootdn "${myconfig.env.ldap.root_dn}" + suffix "${cfg.baseDn}" + rootdn "${cfg.rootDn}" include ${config.secrets.location}/ldap/password directory ${cfg.dataDir} overlay memberof @@ -53,6 +53,30 @@ in description = "Whether to enable ldap"; type = lib.types.bool; }; + baseDn = lib.mkOption { + type = lib.types.str; + description = '' + Base DN for LDAP + ''; + }; + rootDn = lib.mkOption { + type = lib.types.str; + description = '' + Root DN + ''; + }; + rootPw = lib.mkOption { + type = lib.types.str; + description = '' + Root (Hashed) password + ''; + }; + accessFile = lib.mkOption { + type = lib.types.path; + description = '' + The file path that defines the access + ''; + }; dataDir = lib.mkOption { type = lib.types.path; default = "/var/lib/openldap"; @@ -89,14 +113,14 @@ in permissions = "0400"; user = "openldap"; group = "openldap"; - text = "rootpw ${myconfig.env.ldap.root_pw}"; + text = "rootpw ${cfg.rootPw}"; } { - dest = "ldap/access "; + dest = "ldap/access"; permissions = "0400"; user = "openldap"; group = "openldap"; - text = builtins.readFile "${myconfig.privateFiles}/ldap.conf"; + text = builtins.readFile "${cfg.accessFile}"; } ]; users.users.openldap.extraGroups = [ "keys" ]; diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index 8c36d84..911a6d1 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, config, myconfig, ... }: +{ lib, pkgs, config, ... }: let cfg = config.myServices.databases.postgresql; in { @@ -10,6 +10,78 @@ in { description = "Whether to enable postgresql database"; type = lib.types.bool; }; + package = lib.mkOption { + type = lib.types.package; + default = pkgs.postgresql; + description = '' + Postgresql package to use. + ''; + }; + ldapConfig = lib.mkOption { + description = "LDAP configuration to allow PAM identification via LDAP"; + type = lib.types.submodule { + options = { + host = lib.mkOption { type = lib.types.str; }; + base = lib.mkOption { type = lib.types.str; }; + dn = lib.mkOption { type = lib.types.str; }; + password = lib.mkOption { type = lib.types.str; }; + filter = lib.mkOption { type = lib.types.str; }; + }; + }; + }; + replicationLdapConfig = lib.mkOption { + description = "LDAP configuration to allow replication"; + type = lib.types.submodule { + options = { + host = lib.mkOption { type = lib.types.str; }; + base = lib.mkOption { type = lib.types.str; }; + dn = lib.mkOption { type = lib.types.str; }; + password = lib.mkOption { type = lib.types.str; }; + }; + }; + }; + authorizedHosts = lib.mkOption { + default = {}; + description = "Hosts to allow connections from"; + type = lib.types.attrsOf (lib.types.listOf (lib.types.submodule { + options = { + method = lib.mkOption { + default = "md5"; + type = lib.types.str; + }; + username = lib.mkOption { + default = "all"; + type = lib.types.str; + }; + database = lib.mkOption { + default = "all"; + type = lib.types.str; + }; + ip4 = lib.mkOption { + default = []; + type = lib.types.listOf lib.types.str; + }; + ip6 = lib.mkOption { + default = []; + type = lib.types.listOf lib.types.str; + }; + }; + })); + }; + replicationHosts = lib.mkOption { + default = {}; + description = "Hosts to allow replication from"; + type = lib.types.attrsOf (lib.types.submodule { + options = { + ip4 = lib.mkOption { + type = lib.types.listOf lib.types.str; + }; + ip6 = lib.mkOption { + type = lib.types.listOf lib.types.str; + }; + }; + }); + }; # Output variables socketsDir = lib.mkOption { type = lib.types.path; @@ -33,10 +105,6 @@ in { }; config = lib.mkIf cfg.enable { - nixpkgs.overlays = [ (self: super: rec { - postgresql = self.postgresql_11_custom; - }) ]; - networking.firewall.allowedTCPPorts = [ 5432 ]; security.acme.certs."postgresql" = config.myServices.databasesCerts // { @@ -53,9 +121,9 @@ in { SupplementaryGroups = "keys"; RuntimeDirectory = cfg.systemdRuntimeDirectory; }; - services.postgresql = rec { + services.postgresql = { enable = true; - package = pkgs.postgresql; + package = cfg.package; enableTCPIP = true; extraConfig = '' max_connections = 100 @@ -76,14 +144,25 @@ in { ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem' ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem' ''; - authentication = '' + authentication = let + hosts = builtins.concatStringsSep "\n" ( + lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v: + map (ip6: "hostssl ${v.database} ${v.username} ${ip6}/128 ${v.method}") v.ip6 + ++ map (ip4: "hostssl ${v.database} ${v.username} ${ip4}/32 ${v.method}") v.ip4 + ) vs) cfg.authorizedHosts + )); + replication = builtins.concatStringsSep "\n" ( + lib.lists.flatten (lib.mapAttrsToList (k: v: + map (ip6: "hostssl replication ${k} ${ip6}/128 pam pamservice=postgresql_replication") v.ip6 + ++ map (ip4: "hostssl replication ${k} ${ip4}/32 pam pamservice=postgresql_replication") v.ip4 + ) cfg.replicationHosts + )); + in '' local all postgres ident local all all md5 - hostssl all all 188.165.209.148/32 md5 - hostssl all all 178.33.252.96/32 md5 + ${hosts} hostssl all all all pam - hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication - hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication + ${replication} ''; }; @@ -93,9 +172,9 @@ in { permissions = "0400"; group = "postgres"; user = "postgres"; - text = with myconfig.env.databases.postgresql.pam; '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} + text = with cfg.ldapConfig; '' + host ${host} + base ${base} binddn ${dn} bindpw ${password} pam_filter ${filter} @@ -107,11 +186,11 @@ in { permissions = "0400"; group = "postgres"; user = "postgres"; - text = '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${myconfig.env.ldap.host_dn} - bindpw ${myconfig.env.ldap.password} + text = with cfg.replicationLdapConfig; '' + host ${host} + base ${base} + binddn ${dn} + bindpw ${password} pam_login_attribute cn ssl start_tls ''; diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index a1c2c75..1ba6eed 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix @@ -1,4 +1,4 @@ -{ lib, config, myconfig, ... }: +{ lib, config, ... }: let cfg = config.myServices.databases.redis; in { -- cgit v1.2.3