From e1da84b06c408ea5d4d093de39efdda71ad6dc95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 20 Apr 2019 23:40:37 +0200
Subject: Move database credentials to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 nixops/modules/databases/mysql.nix | 48 +++++++++++++++++----------
 nixops/modules/databases/openldap.nix | 21 ++++++++++--
 nixops/modules/databases/postgresql.nix | 57 +++++++++++++++++++++------------
 3 files changed, 86 insertions(+), 40 deletions(-)
(limited to 'nixops/modules')
diff --git a/nixops/modules/databases/mysql.nix b/nixops/modules/databases/mysql.nix
index 635f212..95de972 100644
--- a/nixops/modules/databases/mysql.nix
+++ b/nixops/modules/databases/mysql.nix
@@ -41,6 +41,7 @@ in {
 '';
 };
+ users.users.mysql.extraGroups = [ "keys" ];
 security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
 user = "mysql";
 group = "mysql"; 
@@ -51,39 +52,52 @@ in { ''; }; - services.cron = { - enable = true; - systemCronJobs = let - mycnf = pkgs.writeText "my.cnf" '' + deployment.keys = { + mysqldump = { + destDir = "/run/keys/mysql"; + permissions = "0400"; + user = "root"; + group = "root"; + text = '' [mysqldump] user = root password = ${myconfig.env.databases.mysql.systemUsers.root} + ''; + }; + mysql-pam = { + destDir = "/run/keys/mysql"; + permissions = "0400"; + user = "mysql"; + group = "mysql"; + text = with myconfig.env.databases.mysql.pam; '' + host ${myconfig.env.ldap.host} + base ${myconfig.env.ldap.base} + binddn ${dn} + bindpw ${password} + pam_filter ${filter} + ssl start_tls ''; - in [ + }; + }; + + services.cron = { + enable = true; + systemCronJobs = [ '' - 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${mycnf} --all-databases > /var/lib/mysql/backup.sql + 30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=/run/keys/mysql/mysqldump --all-databases > /var/lib/mysql/backup.sql '' ]; }; security.pam.services = let pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; - pam_ldap_mysql = with myconfig.env.databases.mysql.pam; - pkgs.writeText "mysql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${dn} - bindpw ${password} - pam_filter ${filter} - ssl start_tls - ''; in [ { name = "mysql"; text = '' # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap} config=${pam_ldap_mysql} - account required ${pam_ldap} config=${pam_ldap_mysql} + auth required ${pam_ldap} config=/run/keys/mysql/mysql-pam + account required ${pam_ldap} config=/run/keys/mysql/mysql-pam ''; } ]; diff --git a/nixops/modules/databases/openldap.nix b/nixops/modules/databases/openldap.nix index 165a029..7ed4bc0 100644 --- a/nixops/modules/databases/openldap.nix +++ b/nixops/modules/databases/openldap.nix 
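Review bot: The new `config=/run/keys/mysql/mysql-pam` lines and the `--defaults-file=/run/keys/mysql/mysqldump` cron entry make mysqld's PAM authentication and the twice-daily backup depend on files that, as far as I understand NixOps, live on an in-memory /run/keys that is only repopulated by a deploy, so after a reboot they are absent until `nixops send-keys` runs, and nothing in this hunk orders the service on the key being present. NixOps generates a `<name>-key.service` unit per `deployment.keys` entry, so `systemd.services.mysql.after = [ "mysql-pam-key.service" ]; systemd.services.mysql.wants = [ "mysql-pam-key.service" ];` would make mysqld wait for the key instead of failing LDAP logins until the next deploy; the openldap (`@@ -56`) and postgresql (`@@ -76`) hunks have the same gap with their respective key names. The cron line has no such hook: when the defaults file is missing, mysqldump exits with an error, but the `>` redirection has already truncated `/var/lib/mysql/backup.sql`, so the last good dump is lost silently; dumping to a temporary file and renaming it into place only on success would keep the previous backup intact. Please also document in the module why `users.users.mysql.extraGroups = [ "keys" ]` is required, e.g. `# /run/keys is root:keys 0750 on NixOps hosts; mysqld needs the group to traverse it`.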
@@ -29,7 +29,7 @@ let database hdb suffix "${myconfig.env.ldap.base}" rootdn "${myconfig.env.ldap.root_dn}" - rootpw ${myconfig.env.ldap.root_pw} + include /run/keys/ldap/ldap-password directory /var/lib/openldap overlay memberof @@ -41,7 +41,7 @@ let #TLSCipherSuite DEFAULT sasl-host kerberos.immae.eu - ${builtins.readFile "${myconfig.privateFiles}/ldap.conf"} + include /run/keys/ldap/ldap-access ''; in { options.services.myDatabases = { @@ -56,6 +56,23 @@ in { }; config = lib.mkIf cfg.enable { + deployment.keys = { + ldap-password = { + destDir = "/run/keys/ldap"; + permissions = "0400"; + user = "openldap"; + group = "openldap"; + text = "rootpw ${myconfig.env.ldap.root_pw}"; + }; + ldap-access = { + destDir = "/run/keys/ldap"; + permissions = "0400"; + user = "openldap"; + group = "openldap"; + text = builtins.readFile "${myconfig.privateFiles}/ldap.conf"; + }; + }; + users.users.openldap.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 636 389 ]; services.cron = { diff --git a/nixops/modules/databases/postgresql.nix b/nixops/modules/databases/postgresql.nix index 673ced8..7e2f4e6 100644 --- a/nixops/modules/databases/postgresql.nix +++ b/nixops/modules/databases/postgresql.nix @@ -42,6 +42,7 @@ in { install -m 0755 -o postgres -g postgres -d ${myconfig.env.databases.postgresql.socket} ''; + systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys"; services.postgresql = rec { enable = cfg.postgresql.enable; package = pkgs.postgresql; 
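Review bot: `users.users.openldap.extraGroups = [ "keys" ]` (and `users.users.mysql.extraGroups` in the mysql hunk) grants the keys group to the account itself, so every process running as openldap — admin shells, `slapcat`, anything spawned under that user — can traverse /run/keys, not only slapd; the postgresql hunk in the same commit scopes the access to the unit with `systemd.services.postgresql.serviceConfig.SupplementaryGroups = "keys";`, which is the narrower choice and keeps the three modules consistent. For openldap that would be `systemd.services.openldap.serviceConfig.SupplementaryGroups = "keys";` (and `systemd.services.mysql.serviceConfig.SupplementaryGroups = "keys";` for mysql), assuming the NixOS units carry those names. On the `include /run/keys/ldap/ldap-password` and `include /run/keys/ldap/ldap-access` lines it is worth a comment that slapd refuses to start when an included file is absent, so a missing key fails closed rather than running without the rootpw or access rules — confirm against the slapd version in use. The `let` block these first two hunks patch begins outside the hunk.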
@@ -76,38 +77,52 @@ in { ''; }; - security.pam.services = let - pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; - pam_ldap_postgresql = with myconfig.env.databases.postgresql.pam; - pkgs.writeText "postgresql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${dn} - bindpw ${password} - pam_filter ${filter} - ssl start_tls + deployment.keys = { + postgresql-pam = { + destDir = "/run/keys/postgresql"; + permissions = "0400"; + group = "postgres"; + user = "postgres"; + text = with myconfig.env.databases.postgresql.pam; '' + host ${myconfig.env.ldap.host} + base ${myconfig.env.ldap.base} + binddn ${dn} + bindpw ${password} + pam_filter ${filter} + ssl start_tls ''; - pam_ldap_postgresql_replication = pkgs.writeText "postgresql.conf" '' - host ${myconfig.env.ldap.host} - base ${myconfig.env.ldap.base} - binddn ${myconfig.env.ldap.host_dn} - bindpw ${myconfig.env.ldap.password} - pam_login_attribute cn - ssl start_tls + }; + postgresql-pam_replication = { + destDir = "/run/keys/postgresql"; + permissions = "0400"; + group = "postgres"; + user = "postgres"; + text = '' + host ${myconfig.env.ldap.host} + base ${myconfig.env.ldap.base} + binddn ${myconfig.env.ldap.host_dn} + bindpw ${myconfig.env.ldap.password} + pam_login_attribute cn + ssl start_tls ''; + }; + }; + + security.pam.services = let + pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so"; in [ { name = "postgresql"; text = '' - auth required ${pam_ldap} config=${pam_ldap_postgresql} - account required ${pam_ldap} config=${pam_ldap_postgresql} + auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam + account required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam ''; } { name = "postgresql_replication"; text = '' - auth required ${pam_ldap} config=${pam_ldap_postgresql_replication} - account required ${pam_ldap} config=${pam_ldap_postgresql_replication} + auth required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication + account 
required ${pam_ldap} config=/run/keys/postgresql/postgresql-pam_replication ''; } ]; -- cgit v1.2.3
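Review bot: The literal `/run/keys/postgresql` now appears six times in this hunk — twice as `destDir` and four times inside the `config=` PAM lines — so a renamed key or directory has to be edited in both the producer and its consumers with nothing tying them together. A single binding such as `keysDir = "/run/keys/postgresql";` in the existing `let`, then `destDir = keysDir;` and `config=${keysDir}/postgresql-pam`, keeps the definition and the references in sync (the mysql hunk has the same duplication). The attribute order also differs from the mysql keys (`group` before `user` here, `user` before `group` there); aligning them is cosmetic but makes the three key blocks easier to compare. The enclosing `config = lib.mkIf cfg.enable { … }` starts outside the hunk.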