blob: 635f212c2d49a48ccb62d06d1376ca0281162a62 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
cfg = config.services.myDatabases;
in {
options.services.myDatabases = {
mariadb = {
enable = lib.mkOption {
default = cfg.enable;
example = true;
description = "Whether to enable mariadb database";
type = lib.types.bool;
};
};
};
config = lib.mkIf cfg.enable {
nixpkgs.overlays = [ (self: super: rec {
mariadb = mariadbPAM;
mariadbPAM = super.mariadb.overrideAttrs(old: rec {
cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
buildInputs = old.buildInputs ++ [ self.pam ];
});
}) ];
networking.firewall.allowedTCPPorts = [ 3306 ];
# for adminer, ssl is implemented with mysqli only, which is
# currently disabled because it’s not compatible with pam.
# Thus we need to generate two users for each 'remote': one remote
# with SSL, and one localhost without SSL.
# User identified by LDAP:
# CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
# CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
services.mysql = rec {
enable = cfg.mariadb.enable;
package = pkgs.mariadb;
extraOptions = ''
ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
ssl_key = /var/lib/acme/mysql/key.pem
ssl_cert = /var/lib/acme/mysql/fullchain.pem
'';
};
security.acme.certs."mysql" = config.services.myCertificates.certConfig // {
user = "mysql";
group = "mysql";
plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
domain = "db-1.immae.eu";
postRun = ''
systemctl restart mysql.service
'';
};
services.cron = {
enable = true;
systemCronJobs = let
mycnf = pkgs.writeText "my.cnf" ''
[mysqldump]
user = root
password = ${myconfig.env.databases.mysql.systemUsers.root}
'';
in [
''
30 1,13 * * * root ${pkgs.mariadb}/bin/mysqldump --defaults-file=${mycnf} --all-databases > /var/lib/mysql/backup.sql
''
];
};
security.pam.services = let
pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
pam_ldap_mysql = with myconfig.env.databases.mysql.pam;
pkgs.writeText "mysql.conf" ''
host ${myconfig.env.ldap.host}
base ${myconfig.env.ldap.base}
binddn ${dn}
bindpw ${password}
pam_filter ${filter}
ssl start_tls
'';
in [
{
name = "mysql";
text = ''
# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
auth required ${pam_ldap} config=${pam_ldap_mysql}
account required ${pam_ldap} config=${pam_ldap_mysql}
'';
}
];
};
}
|