1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
# This is for NixOps (https://nixos.org/nixops/)
{ config, pkgs, lib, ... }:
let
inherit (config.nixsap) apps;
inherit (lib) mkForce mkDefault mkIf;
inherit (pkgs) writeText;
memorySize = config.deployment.virtualbox.memorySize * 1024 * 1024;
in {
deployment.targetEnv = "virtualbox";
deployment.virtualbox = {
memorySize = mkDefault 1024; # megabytes
disks = {
sdb = { port = 1; size = 30000; };
sdc = { port = 2; size = 30000; };
sdd = { port = 4; size = 2000; };
};
};
swapDevices = [{ device = "/dev/sdd"; randomEncryption = true; }];
nixsap.system.lvm.raid0.apps = {
stripes = 2;
units = "g";
physical = [ "/dev/sdb" "/dev/sdc" ];
fileSystems."${apps.icinga2.stateDir}" = mkIf apps.icinga2.enable 1;
fileSystems."${apps.icingaweb2.configDir}" = mkIf apps.icingaweb2.enable 1;
fileSystems."${apps.mysqlbackup.dumpDir}" = mkIf (apps.mysqlbackup.servers != {}) 10;
fileSystems."${apps.nginx.stateDir}" = mkIf (apps.nginx.http.servers != {}) 1;
fileSystems."/mariadb" = mkIf apps.mariadb.enable 30;
fileSystems."/postgresql" = mkIf (apps.postgresql != {}) 2;
fileSystems."/tmp" = 1;
};
nixsap.apps.filebackup.s3uri = mkForce null;
nixsap.apps.icinga2.notifications = mkForce false;
nixsap.apps.mysqlbackup.s3uri = mkForce null;
nixsap.apps.pgbackup.s3uri = mkForce null;
nixsap.apps.mariadb.mysqld = {
datadir = mkForce "/mariadb/db";
innodb_buffer_pool_size = (40 * memorySize) / 100;
log_bin = mkForce "/mariadb/binlog/binlog";
relay_log = mkForce "/mariadb/relay/relay";
server_id = mkForce 1;
ssl_cert = mkForce "${pkgs.fakeSSL}/cert.pem";
ssl_key = mkForce "${pkgs.fakeSSL}/key.pem";
};
nixsap.apps.sproxy = {
sslCert = mkForce "${pkgs.fakeSSL}/cert.pem";
sslKey = mkForce "${pkgs.fakeSSL}/key.pem";
cookieName = mkForce "sproxy_vbox";
logLevel = mkForce "debug";
database = mkForce "user=sproxy-readonly dbname=sproxy port=${toString apps.postgresql.fcebkl.server.port}";
};
nixsap.apps.sproxy-web = {
connectionString = mkForce "user=sproxy dbname=sproxy port=${toString apps.postgresql.fcebkl.server.port}";
};
nixsap.apps.mediawiki.localSettings = {
wgDBerrorLog = "/tmp/wiki-db.log";
wgDebugLogFile = "/tmp/wiki.log";
wgShowDBErrorBacktrace = true;
wgShowExceptionDetails = true;
};
security.sudo.wheelNeedsPassword = mkForce false;
environment.systemPackages = with pkgs; [
atop curl file htop iftop iotop jq lsof mc mtr ncdu netcat nmap openssl
pigz pv pwgen pxz sysstat tcpdump telnet tmux traceroute tree vim wget
];
programs.bash.enableCompletion = mkForce true;
services.openssh.authorizedKeysFiles = mkForce [
"/etc/ssh/authorized_keys.d/%u"
"/root/.ssh/authorized_keys"
"/root/.vbox-nixops-client-key"
];
nixsap.apps.postgresql.fcebkl = mkIf apps.sproxy.enable {
package = pkgs.postgresql95;
server = {
data_directory = "/postgresql/9.5/fcebkl";
port = 9999;
hba_file = ''
local sproxy all peer map=sproxymap
'';
ident_file = ''
sproxymap ${apps.sproxy.user} sproxy-readonly
sproxymap ${apps.sproxy-web.user} sproxy
'';
};
roles = [ "sproxy" "sproxy-readonly" ];
databases = [ "sproxy" ];
configure = ''
ALTER ROLE sproxy LOGIN;
ALTER ROLE "sproxy-readonly" LOGIN;
ALTER DATABASE sproxy OWNER TO sproxy;
\c sproxy;
SET ROLE sproxy;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "sproxy-readonly";
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO "sproxy-readonly";
BEGIN;
CREATE TABLE IF NOT EXISTS "group" (
"group" TEXT NOT NULL PRIMARY KEY
);
CREATE TABLE IF NOT EXISTS group_member (
"group" TEXT REFERENCES "group" ("group") ON UPDATE CASCADE ON DELETE CASCADE NOT NULL,
email TEXT NOT NULL,
PRIMARY KEY ("group", email)
);
CREATE TABLE IF NOT EXISTS domain (
domain TEXT NOT NULL PRIMARY KEY
);
CREATE TABLE IF NOT EXISTS privilege (
"domain" TEXT REFERENCES domain (domain) ON UPDATE CASCADE ON DELETE CASCADE NOT NULL,
privilege TEXT NOT NULL,
PRIMARY KEY ("domain", privilege)
);
CREATE TABLE IF NOT EXISTS privilege_rule (
"domain" TEXT NOT NULL,
privilege TEXT NOT NULL,
"path" TEXT NOT NULL,
"method" TEXT NOT NULL,
FOREIGN KEY ("domain", privilege) REFERENCES privilege ("domain", privilege) ON UPDATE CASCADE ON DELETE CASCADE,
PRIMARY KEY ("domain", "path", "method")
);
CREATE TABLE IF NOT EXISTS group_privilege (
"group" TEXT REFERENCES "group" ("group") ON UPDATE CASCADE ON DELETE CASCADE NOT NULL,
"domain" TEXT NOT NULL,
privilege TEXT NOT NULL,
FOREIGN KEY ("domain", privilege) REFERENCES privilege ("domain", privilege) ON UPDATE CASCADE ON DELETE CASCADE,
PRIMARY KEY ("group", "domain", privilege)
);
COMMIT;
BEGIN;
INSERT INTO domain (domain) VALUES ('%') ON CONFLICT DO NOTHING;
INSERT INTO "group" ("group") VALUES ('all') ON CONFLICT DO NOTHING;
INSERT INTO "group" ("group") VALUES ('devops') ON CONFLICT DO NOTHING;
INSERT INTO "group" ("group") VALUES ('foo') ON CONFLICT DO NOTHING;
INSERT INTO group_member ("group", email) VALUES ('all', '%') ON CONFLICT DO NOTHING;
INSERT INTO group_member ("group", email) VALUES ('devops', '%') ON CONFLICT DO NOTHING;
INSERT INTO group_member ("group", email) VALUES ('foo', '%') ON CONFLICT DO NOTHING;
INSERT INTO privilege (domain, privilege) VALUES ('%', 'full') ON CONFLICT DO NOTHING;
INSERT INTO group_privilege ("group", domain, privilege) VALUES ('all', '%', 'full') ON CONFLICT DO NOTHING;
INSERT INTO group_privilege ("group", domain, privilege) VALUES ('devops', '%', 'full') ON CONFLICT DO NOTHING;
INSERT INTO group_privilege ("group", domain, privilege) VALUES ('foo', '%', 'full') ON CONFLICT DO NOTHING;
INSERT INTO privilege_rule (domain, privilege, path, method) VALUES ('%', 'full', '%', '%') ON CONFLICT DO NOTHING;
COMMIT;
RESET ROLE;
\c postgres;
'';
};
}
|