diff options
author | Austin Seipp <aseipp@pobox.com> | 2018-05-01 00:35:10 -0500 |
---|---|---|
committer | Austin Seipp <aseipp@pobox.com> | 2018-05-01 15:47:36 -0500 |
commit | 55eec81118574b607ad7cfe9c26919134bcc2365 (patch) | |
tree | a02c0edacb50fd3ab5e302b458a7b107d37a5bc9 /nixos/modules/services/databases/foundationdb.xml | |
parent | ed5cbbbc44c83e3891f907342aace7c13134f59b (diff) | |
download | nixpkgs-55eec81118574b607ad7cfe9c26919134bcc2365.tar nixpkgs-55eec81118574b607ad7cfe9c26919134bcc2365.tar.gz nixpkgs-55eec81118574b607ad7cfe9c26919134bcc2365.tar.bz2 nixpkgs-55eec81118574b607ad7cfe9c26919134bcc2365.tar.lz nixpkgs-55eec81118574b607ad7cfe9c26919134bcc2365.tar.xz nixpkgs-55eec81118574b607ad7cfe9c26919134bcc2365.tar.zst nixpkgs-55eec81118574b607ad7cfe9c26919134bcc2365.zip |
nixos: add TLS support to FoundationDB module, and tweak setup a bit
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/services/databases/foundationdb.xml')
-rw-r--r-- | nixos/modules/services/databases/foundationdb.xml | 41 |
1 files changed, 38 insertions, 3 deletions
diff --git a/nixos/modules/services/databases/foundationdb.xml b/nixos/modules/services/databases/foundationdb.xml index 0a96203e055..045193f4b75 100644 --- a/nixos/modules/services/databases/foundationdb.xml +++ b/nixos/modules/services/databases/foundationdb.xml @@ -192,6 +192,44 @@ to a new node in order to connect, if it is not part of the cluster.</para> </section> +<section><title>Client authorization and TLS</title> + +<para>By default, any user who can connect to a FoundationDB process with the +correct cluster configuration can access anything. FoundationDB uses a +pluggable design to transport security, and out of the box it supports a +LibreSSL-based plugin for TLS support. This plugin not only does in-flight +encryption, but also performs client authorization based on the given +endpoint's certificate chain. For example, a FoundationDB server may be +configured to only accept client connections over TLS, where the client TLS +certificate is from organization <emphasis>Acme Co</emphasis> in the +<emphasis>Research and Development</emphasis> unit.</para> + +<para>Configuring TLS with FoundationDB is done using the +<option>services.foundationdb.tls</option> options in order to control the peer +verification string, as well as the certificate and its private key.</para> + +<para>Note that the certificate and its private key must be accessible to the +FoundationDB user account that the server runs under. These files are also NOT +managed by NixOS, as putting them into the store may reveal private +information.</para> + +<para>After you have a key and certificate file in place, it is not enough to +simply set the NixOS module options -- you must also configure the +<command>fdb.cluster</command> file to specify that a given set of coordinators +use TLS. This is as simple as adding the suffix <command>:tls</command> to your +cluster coordinator configuration, after the port number. For example, assuming +you have a coordinator on localhost with the default configuration, simply +specifying:</para> + +<programlisting> +XXXXXX:XXXXXX@127.0.0.1:4500:tls +</programlisting> + +<para>will configure all clients and server processes to use TLS from now +on.</para> + +</section> + <section><title>Backups and Disaster Recovery</title> <para>The usual rules for doing FoundationDB backups apply on NixOS as written @@ -245,9 +283,6 @@ FoundationDB is not new software, but the NixOS compilation and integration has only undergone fairly basic testing of all the available functionality.</para> <itemizedlist> - <listitem><para>TLS plugin support is compiled in, but it's currently not - possible to specify the set of TLS certificate options in - <command>services.foundationdb</command></para></listitem> <listitem><para>There is no way to specify individual parameters for individual <command>fdbserver</command> processes. Currently, all server processes inherit all the global <command>fdbmonitor</command> settings. |