From 182ae57f53731be220075bc87aff4d47a35563b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Fri, 17 May 2019 00:49:27 +0200
Subject: Move databases configs to modules
---
 nixops/modules/databases/default.nix | 14 ---
 nixops/modules/databases/immae.schema | 167 --------------------------------
 nixops/modules/databases/mysql.nix | 99 -------------------
 nixops/modules/databases/openldap.nix | 104 --------------------
 nixops/modules/databases/postgresql.nix | 120 ----------------------
 nixops/modules/databases/redis.nix | 35 -------
 6 files changed, 539 deletions(-)
 delete mode 100644 nixops/modules/databases/default.nix
 delete mode 100644 nixops/modules/databases/immae.schema
 delete mode 100644 nixops/modules/databases/mysql.nix
 delete mode 100644 nixops/modules/databases/openldap.nix
 delete mode 100644 nixops/modules/databases/postgresql.nix
 delete mode 100644 nixops/modules/databases/redis.nix
(limited to 'nixops/modules/databases')
diff --git a/nixops/modules/databases/default.nix b/nixops/modules/databases/default.nix
deleted file mode 100644
index be549b1..0000000
--- a/nixops/modules/databases/default.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- cfg = config.services.myDatabases;
-in {
- imports = [
- ./mysql.nix
- ./openldap.nix
- ./postgresql.nix
- ./redis.nix
- ];
- options.services.myDatabases = {
- enable = lib.mkEnableOption "my databases service";
- };
-}
diff --git a/nixops/modules/databases/immae.schema b/nixops/modules/databases/immae.schema
deleted file mode 100644
index f5ee5d5..0000000
--- a/nixops/modules/databases/immae.schema
+++ /dev/null
@@ -1,167 +0,0 @@
-# vim: set filetype=slapd:
-objectIdentifier Immaeroot 1.3.6.1.4.1.50071
-
-objectIdentifier Immae Immaeroot:2
-objectIdentifier ImmaeattributeType Immae:3
-objectIdentifier ImmaeobjectClass Immae:4
-
-# TT-RSS
-attributetype ( ImmaeattributeType:1 NAME 'immaeTtrssLogin'
- DESC 'login for TTRSS'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:1 NAME 'immaeTtrssClass'
- DESC 'Expansion of the existing object classes for ttrss'
- SUP top AUXILIARY
- MUST ( immaeTtrssLogin ) )
-
-# FTP
-attributetype ( ImmaeattributeType:2 NAME 'immaeFtpDirectory'
- DESC 'home directory for ftp'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-attributetype ( ImmaeattributeType:3 NAME 'immaeFtpUid'
- DESC 'user id for ftp'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-attributetype ( ImmaeattributeType:4 NAME 'immaeFtpGid'
- DESC 'group id for ftp'
- EQUALITY integerMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
-objectclass ( ImmaeobjectClass:2 NAME 'immaeFtpClass'
- DESC 'Expansion of the existing object classes for ftp'
- SUP top AUXILIARY
- MUST ( immaeFtpDirectory $ immaeFtpGid $ immaeFtpUid ) )
-
-
-# SSH keys
-attributetype ( ImmaeattributeType:5 NAME 'immaeSshKey'
- DESC 'OpenSSH Public key'
- EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
-objectClass ( ImmaeobjectClass:3 NAME 'immaeSshClass'
- DESC 'OpenSSH class'
- SUP top AUXILIARY
- MAy ( immaeSSHKey ) )
-
-# Specific access
-attributetype (ImmaeattributeType:6 NAME 'immaeAccessDn'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-attributetype (ImmaeattributeType:17 NAME 'immaeAccessWriteDn'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
- EQUALITY distinguishedNameMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
-
-objectClass ( ImmaeobjectClass:4 NAME 'immaeAccessClass'
- DESC 'Access class'
- SUP top AUXILIARY
- MAY ( immaeAccessDn $ immaeAccessWriteDn $ immaeAccessReadSubtree ) )
-
-# Xmpp uid
-attributetype ( ImmaeattributeType:7 NAME 'immaeXmppUid'
- DESC 'user part for Xmpp'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:5 NAME 'immaeXmppClass'
- DESC 'Expansion of the existing object classes for XMPP'
- SUP top AUXILIARY
- MUST ( immaeXmppUid ) )
-
-# Postfix accounts
-attributetype ( ImmaeattributeType:8 NAME 'immaePostfixAddress'
- DESC 'the dovecot address to match as username'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-
-attributetype ( ImmaeattributeType:9 NAME 'immaePostfixHome'
- DESC 'the postfix home directory'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:10 NAME 'immaePostfixMail'
- DESC 'the dovecot mail location'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:11 NAME 'immaePostfixUid'
- DESC 'the dovecot uid'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid'
- DESC 'the dovecot gid'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
-objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
- DESC 'Expansion of the existing object classes for Postfix'
- SUP top AUXILIARY
- MUST ( immaePostfixAddress $ immaePostfixHome $
- immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
- )
-
-# Tinc informations
-# Domaine = une classe a part ou une partie du dn ?
-# attributetype ( ImmaeattributeType:13 NAME 'immaeTincIpSegment'
-# DESC 'the internal ip segment in tinc'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# attributetype ( ImmaeattributeType:14 NAME 'immaeTincSubdomain'
-# DESC 'the host subdomain'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# attributetype ( ImmaeattributeType:15 NAME 'immaeTincHostname'
-# DESC 'the host name'
-# EQUALITY caseIgnoreIA5Match
-# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-#
-# objectclass ( ImmaeobjectClass:7 NAME 'immaeTincHostClass'
-# DESC 'Expansion of the existing object classes for Tinc'
-# SUP top AUXILIARY
-# MUST ( immaeTincInternalIp $ immaeTincSubdomain $
-# immaeTincHostname )
-# )
-
-attributetype (ImmaeattributeType:16 NAME 'immaePuppetJson'
- DESC 'Puppet hiera json'
- EQUALITY octetStringMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-
-objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
- DESC 'Expansion of the existing object classes for Puppet'
- SUP top AUXILIARY
- MUST ( immaePuppetJson )
- )
-
-attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
- DESC 'Taskwarrior server Org:Name:Key'
- EQUALITY caseIgnoreMatch
- SUBSTR caseIgnoreSubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-
-objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
- DESC 'Expansion of the existing object classes for Task'
- SUP top AUXILIARY
- MUST ( immaeTaskId )
- )
-
-# Last:
-# attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
-# objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
-
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
deleted file mode 100644
index 6739aaa..0000000
--- a/nixops/modules/databases/mysql.nix
+++ /dev/null
@@ -1,99 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- cfg = config.services.myDatabases;
-in {
- options.services.myDatabases = {
- mariadb = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable mariadb database";
- type = lib.types.bool;
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- networking.firewall.allowedTCPPorts = [ 3306 ];
-
- # for adminer, ssl is implemented with mysqli only, which is
- # currently disabled because it’s not compatible with pam.
- # Thus we need to generate two users for each 'remote': one remote
- # with SSL, and one localhost without SSL.
- # User identified by LDAP:
- # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
- # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
- services.mysql = rec {
- enable = cfg.mariadb.enable;
- package = pkgs.mariadb;
- extraOptions = ''
- ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
- ssl_key = /var/lib/acme/mysql/key.pem
- ssl_cert = /var/lib/acme/mysql/fullchain.pem
- '';
- };
-
- users.users.mysql.extraGroups = [ "keys" ];
- security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
- user = "mysql";
- group = "mysql";
- plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
- domain = "db-1.immae.eu";
- postRun = ''
- systemctl restart mysql.service
- '';
- };
-
- secrets.keys = [
- {
- dest = "mysql/mysqldump";
- permissions = "0400";
- user = "root";
- group = "root";
- text = ''
- [mysqldump]
- user = root
- password = ${myconfig.env.databases.mysql.systemUsers.root}
- '';
- }
- {
- dest = "mysql/pam";
- permissions = "0400";
- user = "mysql";
- group = "mysql";
- text = with myconfig.env.databases.mysql.pam; ''
- host ${myconfig.env.ldap.host}
- base ${myconfig.env.ldap.base}
- binddn ${dn}
- bindpw ${password}
- pam_filter ${filter}
- ssl start_tls
- '';
- }
- ];
-
- services.cron = {
- enable = true;
- systemCronJobs = [
- ''
- 30 1,13 * * * root 
${pkgs.mariadb}/bin/mysqldump --defaults-file=/var/secrets/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql
- ''
- ];
- };
-
- security.pam.services = let
- pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- in [
- {
- name = "mysql";
- text = ''
- # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
- auth required ${pam_ldap} config=/var/secrets/mysql/pam
- account required ${pam_ldap} config=/var/secrets/mysql/pam
- '';
- }
- ];
-
- };
-}
-
diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix
deleted file mode 100644
index ff97fb3..0000000
--- a/nixops/modules/databases/openldap.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- cfg = config.services.myDatabases;
- ldapConfig = let
- kerberosSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
- sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
- };
- puppetSchema = pkgs.fetchurl {
- url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
- sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
- };
- in ''
- include ${pkgs.openldap}/etc/schema/core.schema
- include ${pkgs.openldap}/etc/schema/cosine.schema
- include ${pkgs.openldap}/etc/schema/inetorgperson.schema
- include ${pkgs.openldap}/etc/schema/nis.schema
- include ${puppetSchema}
- include ${kerberosSchema}
- include ${./immae.schema}
-
- pidfile /run/slapd/slapd.pid
- argsfile /run/slapd/slapd.args
-
- moduleload back_hdb
- backend hdb
-
- moduleload memberof
- database hdb
- suffix "${myconfig.env.ldap.base}"
- rootdn "${myconfig.env.ldap.root_dn}"
- include /var/secrets/ldap/password
- directory /var/lib/openldap
- overlay memberof
-
- TLSCertificateFile /var/lib/acme/ldap/cert.pem
- TLSCertificateKeyFile /var/lib/acme/ldap/key.pem
- TLSCACertificateFile /var/lib/acme/ldap/fullchain.pem
- TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
- #This makes openldap crash
- #TLSCipherSuite DEFAULT
-
- sasl-host kerberos.immae.eu
- include /var/secrets/ldap/access
- '';
-in {
- options.services.myDatabases = {
- ldap = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable ldap";
- type = lib.types.bool;
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = [
- {
- dest = "ldap/password";
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = "rootpw ${myconfig.env.ldap.root_pw}";
- }
- {
- dest = "ldap/access ";
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = 
builtins.readFile "${myconfig.privateFiles}/ldap.conf";
- }
- ];
- users.users.openldap.extraGroups = [ "keys" ];
- networking.firewall.allowedTCPPorts = [ 636 389 ];
-
- services.cron = {
- systemCronJobs = [
- ''
- 35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l /var/lib/openldap/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
- ''
- ];
- };
-
- security.acme.certs."ldap" = config.services.myCertificates.certConfig // {
- user = "openldap";
- group = "openldap";
- plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
- domain = "ldap.immae.eu";
- postRun = ''
- systemctl restart openldap.service
- '';
- };
-
- services.openldap = {
- enable = config.services.myDatabases.ldap.enable;
- dataDir = "/var/lib/openldap";
- urlList = [ "ldap://" "ldaps://" ];
- extraConfig = ldapConfig;
- };
- };
-}
-
diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix
deleted file mode 100644
index de0820f..0000000
--- a/nixops/modules/databases/postgresql.nix
+++ /dev/null
@@ -1,120 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- cfg = config.services.myDatabases;
-in {
- options.services.myDatabases = {
- postgresql = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable postgresql database";
- type = lib.types.bool;
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- nixpkgs.overlays = [ (self: super: rec {
- postgresql = self.postgresql_11_custom;
- }) ];
-
- networking.firewall.allowedTCPPorts = [ 5432 ];
-
- security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
- user = "postgres";
- group = "postgres";
- plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
- domain = "db-1.immae.eu";
- postRun = ''
- systemctl reload postgresql.service
- '';
- };
-
- systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";
- systemd.services.postgresql.serviceConfig.RuntimeDirectory = "postgresql";
- services.postgresql = rec {
- enable = cfg.postgresql.enable;
- package = pkgs.postgresql;
- enableTCPIP = true;
- extraConfig = ''
- max_connections = 100
- wal_level = logical
- shared_buffers = 512MB
- work_mem = 10MB
- max_wal_size = 1GB
- min_wal_size = 80MB
- log_timezone = 'Europe/Paris'
- datestyle = 'iso, mdy'
- timezone = 'Europe/Paris'
- lc_messages = 'en_US.UTF-8'
- lc_monetary = 'en_US.UTF-8'
- lc_numeric = 'en_US.UTF-8'
- lc_time = 'en_US.UTF-8'
- default_text_search_config = 'pg_catalog.english'
- ssl = on
- ssl_cert_file = '/var/lib/acme/postgresql/fullchain.pem'
- ssl_key_file = '/var/lib/acme/postgresql/key.pem'
- '';
- authentication = ''
- local all postgres ident
- local all all md5
- hostssl all all 188.165.209.148/32 md5
- hostssl all all 178.33.252.96/32 md5
- hostssl all all all pam
- hostssl replication backup-1 2001:41d0:302:1100::9:e5a9/128 pam pamservice=postgresql_replication
- hostssl replication backup-1 54.37.151.137/32 pam pamservice=postgresql_replication
- '';
- };
-
- secrets.keys = [
- {
- dest = 
"postgresql/pam";
- permissions = "0400";
- group = "postgres";
- user = "postgres";
- text = with myconfig.env.databases.postgresql.pam; ''
- host ${myconfig.env.ldap.host}
- base ${myconfig.env.ldap.base}
- binddn ${dn}
- bindpw ${password}
- pam_filter ${filter}
- ssl start_tls
- '';
- }
- {
- dest = "postgresql/pam_replication";
- permissions = "0400";
- group = "postgres";
- user = "postgres";
- text = ''
- host ${myconfig.env.ldap.host}
- base ${myconfig.env.ldap.base}
- binddn ${myconfig.env.ldap.host_dn}
- bindpw ${myconfig.env.ldap.password}
- pam_login_attribute cn
- ssl start_tls
- '';
- }
- ];
-
- security.pam.services = let
- pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
- in [
- {
- name = "postgresql";
- text = ''
- auth required ${pam_ldap} config=/var/secrets/postgresql/pam
- account required ${pam_ldap} config=/var/secrets/postgresql/pam
- '';
- }
- {
- name = "postgresql_replication";
- text = ''
- auth required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
- account required ${pam_ldap} config=/var/secrets/postgresql/pam_replication
- '';
- }
- ];
- };
-}
-
diff --git a/nixops/modules/databases/redis.nix b/nixops/modules/databases/redis.nix
deleted file mode 100644
index 75c69a6..0000000
--- a/nixops/modules/databases/redis.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- cfg = config.services.myDatabases;
-in {
- options.services.myDatabases = {
- redis = {
- enable = lib.mkOption {
- default = cfg.enable;
- example = true;
- description = "Whether to enable redis database";
- type = lib.types.bool;
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- ids.uids.redis = myconfig.env.users.redis.uid;
- ids.gids.redis = myconfig.env.users.redis.gid;
- users.users.redis.uid = config.ids.uids.redis;
- users.groups.redis.gid = config.ids.gids.redis;
- services.redis = rec {
- enable = config.services.myDatabases.redis.enable;
- bind = "127.0.0.1";
- unixSocket = myconfig.env.databases.redis.socket;
- extraConfig = ''
- unixsocketperm 777
- maxclients 1024
- '';
- };
- systemd.services.redis.serviceConfig.RuntimeDirectory =
- assert myconfig.env.databases.redis.socket == "/run/redis/redis.sock";
- "redis";
- };
-}
-
-- cgit v1.2.3