path: root/nixos/modules/services/databases/foundationdb.xml
author: Austin Seipp <aseipp@pobox.com> 2018-05-01 00:35:10 -0500
committer: Austin Seipp <aseipp@pobox.com> 2018-05-01 15:47:36 -0500
commit: 55eec81118574b607ad7cfe9c26919134bcc2365 (patch)
tree: a02c0edacb50fd3ab5e302b458a7b107d37a5bc9 /nixos/modules/services/databases/foundationdb.xml
parent: ed5cbbbc44c83e3891f907342aace7c13134f59b (diff)
nixos: add TLS support to FoundationDB module, and tweak setup a bit
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/services/databases/foundationdb.xml')
-rw-r--r-- nixos/modules/services/databases/foundationdb.xml | 41
1 files changed, 38 insertions, 3 deletions
diff --git a/nixos/modules/services/databases/foundationdb.xml b/nixos/modules/services/databases/foundationdb.xml
index 0a96203e055..045193f4b75 100644
--- a/nixos/modules/services/databases/foundationdb.xml
+++ b/nixos/modules/services/databases/foundationdb.xml
@@ -192,6 +192,44 @@ to a new node in order to connect, if it is not part of the cluster.</para>
 
 </section>
 
+<section><title>Client authorization and TLS</title>
+
+<para>By default, any user who can connect to a FoundationDB process with the
+correct cluster configuration can access anything. FoundationDB uses a
+pluggable design to transport security, and out of the box it supports a
+LibreSSL-based plugin for TLS support. This plugin not only does in-flight
+encryption, but also performs client authorization based on the given
+endpoint's certificate chain. For example, a FoundationDB server may be
+configured to only accept client connections over TLS, where the client TLS
+certificate is from organization <emphasis>Acme Co</emphasis> in the
+<emphasis>Research and Development</emphasis> unit.</para>
+
+<para>Configuring TLS with FoundationDB is done using the
+<option>services.foundationdb.tls</option> options in order to control the peer
+verification string, as well as the certificate and its private key.</para>
+
+<para>Note that the certificate and its private key must be accessible to the
+FoundationDB user account that the server runs under. These files are also NOT
+managed by NixOS, as putting them into the store may reveal private
+information.</para>
+
+<para>After you have a key and certificate file in place, it is not enough to
+simply set the NixOS module options -- you must also configure the
+<command>fdb.cluster</command> file to specify that a given set of coordinators
+use TLS. This is as simple as adding the suffix <command>:tls</command> to your
+cluster coordinator configuration, after the port number. For example, assuming
+you have a coordinator on localhost with the default configuration, simply
+specifying:</para>
+
+<programlisting>
+XXXXXX:XXXXXX@127.0.0.1:4500:tls
+</programlisting>
+
+<para>will configure all clients and server processes to use TLS from now
+on.</para>
+
+</section>
+
 <section><title>Backups and Disaster Recovery</title>
 
 <para>The usual rules for doing FoundationDB backups apply on NixOS as written
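Review bot: the `<programlisting>` that closes the new section shows `XXXXXX:XXXXXX@127.0.0.1:4500:tls` without saying that `XXXXXX:XXXXXX` stands in for the cluster description and ID already present in the reader's `fdb.cluster` file, so it may be copied literally; suggest stating that in the sentence that introduces it. In the same section, `fdb.cluster` and the `:tls` suffix are marked up with `<command>`, which is the wrong element for a file name and a literal string; `<filename>fdb.cluster</filename>` and `<literal>:tls</literal>` would match the rest of the document. The paragraph about the key and certificate could also say what "accessible to the FoundationDB user account" means in practice (readable by that account, with the private key not readable by other accounts), since as written it could be satisfied by a world-readable key.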
@@ -245,9 +283,6 @@ FoundationDB is not new software, but the NixOS compilation and integration has
 only undergone fairly basic testing of all the available functionality.</para>
 
 <itemizedlist>
-  <listitem><para>TLS plugin support is compiled in, but it's currently not
-      possible to specify the set of TLS certificate options in
-      <command>services.foundationdb</command></para></listitem>
   <listitem><para>There is no way to specify individual parameters for
       individual <command>fdbserver</command> processes. Currently, all server
       processes inherit all the global <command>fdbmonitor</command> settings.
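Review bot: removing the listitem about TLS options leaves the limitations list with no mention of TLS at all, while the sentence above still says the integration has only undergone fairly basic testing; consider keeping a one-line item (or a sentence in the new "Client authorization and TLS" section) saying the TLS path has seen the same limited testing, so readers do not take the new options as verified end to end.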