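# NixOS host module ("quatresaisons"): an OpenLDAP server for
# dc=salle-s,dc=org with the memberof and syncprov overlays, plus a
# phpLDAPadmin UI served under /ldap from its own php-fpm pool.
# Credentials -- the slapd rootdn password and phpLDAPadmin's config.php,
# which embeds a bind DN and password -- are provisioned via `secrets.keys`
# as 0400 files instead of being written into the Nix store.
{ pkgs, config, lib, ... }:
{
  config = let
    serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
    # phpLDAPadmin is pointed at the secret config.php rendered below rather
    # than at a config file baked into the package.
    phpLdapAdmin = pkgs.webapps.phpldapadmin.override {
      config = config.secrets.fullPaths."webapps/tools-ldap";
    };
  in {
    # PostgreSQL is only provisioned here for the "naemon" role.
    # NOTE(review): postgresql_12 and php72 (pool below) are end-of-life
    # upstream -- confirm the pinned nixpkgs still carries security fixes.
    services.postgresql.enable = true;
    services.postgresql.package = pkgs.postgresql_12;
    services.postgresql.ensureUsers = [
      { name = "naemon"; }
    ];

    secrets.keys = {
      # slapd rootdn password; consumed through olcRootPW.path below so the
      # value never appears in the store.
      "ldap/password" = {
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = "${serverSpecificConfig.ldap_root_pw}";
      };
      # phpLDAPadmin config.php.  It carries the bind DN/password used for the
      # initial uid lookup, hence a 0400 file owned by the php-fpm user.
      # NOTE(review): show_clear_password = true displays password values
      # unmasked in the UI; confirm that is wanted for a tool reachable by
      # anyone who can reach the vhost (see the Apache block below).
      "webapps/tools-ldap" = {
        user = "wwwrun";
        group = "wwwrun";
        permissions = "0400";
        text = ''
          <?php
          $config->custom->appearance['show_clear_password'] = true;
          $config->custom->appearance['hide_template_warning'] = true;
          $config->custom->appearance['theme'] = "tango";
          $config->custom->appearance['minimalMode'] = false;
          $config->custom->appearance['tree'] = 'AJAXTree';

          $servers = new Datastore();

          $servers->newServer('ldap_pla');
          $servers->setValue('server','name','LDAP');
          $servers->setValue('server','host','ldap://localhost');
          $servers->setValue('login','auth_type','cookie');
          $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
          $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
          $servers->setValue('appearance','pla_password_hash','ssha');
          $servers->setValue('login','attr','uid');
          $servers->setValue('login','fallback_dn',true);
        '';
      };
    };

    # Presumably the secrets directory is group-owned by "keys", so this is
    # what lets slapd reach its rootdn password file -- verify against the
    # secrets module.
    users.users.openldap.extraGroups = [ "keys" ];
    services.openldap = {
      enable = true;
      # Loopback only, plaintext: phpLDAPadmin and local services talk to
      # slapd on the same host.
      urlList = [ "ldap://localhost" ];
      settings = {
        attrs = {
          olcPidFile = "/run/slapd/slapd.pid";
          olcArgsFile = "/run/slapd/slapd.args";
          # NOTE(review): "none" disables slapd logging entirely, so binds and
          # modifications leave no audit trail; "stats" is the usual minimum.
          olcLogLevel = "none";
        };
        children = {
          "cn=module{0}" = {
            attrs = {
              cn = "module{0}";
              objectClass = [ "olcModuleList" ];
              # NOTE(review): back_hdb is deprecated upstream (dropped in
              # OpenLDAP 2.5); moving to back_mdb needs an export/import.
              olcModuleLoad = [ "{0}back_hdb" "{1}memberof" "{2}syncprov" ];
            };
          };
          "cn=schema".includes = map (schema:
            "${config.services.openldap.package}/etc/schema/${schema}.ldif"
          ) [ "core" "cosine" "inetorgperson" "nis" ];
          # cn=config is closed to every bind; it is rendered from this module.
          "olcDatabase={0}config" = {
            attrs = {
              objectClass = "olcDatabaseConfig";
              olcDatabase = "{0}config";
              olcAccess = ["{0}to * by * none"];
            };
          };
          "olcDatabase={1}hdb" = {
            attrs = {
              objectClass = [ "olcDatabaseConfig" "olcHdbConfig" ];
              olcDatabase = "{1}hdb";
              # Access rules; the first matching rule decides unless it ends
              # in "break", which continues with the next one.  No rule grants
              # write, so every modification goes through the rootdn (which
              # bypasses these rules).
              olcAccess = let
                join = builtins.replaceStrings ["\n"] [" "];
              in [
                # {0}: "description" is hidden from everyone but the rootdn.
                (join ''{0}to attrs=description
                  by * none
                '')
                # {1}: the phpLDAPadmin bind DN only sees entry + uid of
                # uid-bearing entries -- presumably just what the uid -> DN
                # lookup at login needs.
                (join ''{1}to filter="(uid=*)" attrs=entry,uid
                  by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
                  by * break
                '')
                # {2}: service accounts read every attribute of user entries,
                # which includes userPassword hashes.
                # NOTE(review): narrow this to the attributes services need
                # unless one of them really has to read the hash.
                (join ''{2}to dn.subtree="ou=users,dc=salle-s,dc=org"
                  by dn.subtree="ou=services,dc=salle-s,dc=org" read
                  by * break
                '')
                # {3}: users read their own entry (read, not write, so they
                # cannot change their own password); anonymous may use
                # userPassword for simple binds only.  The trailing break
                # falls through to slapd's default, i.e. deny.
                (join ''{3}to *
                  by self read
                  by anonymous auth
                  by * break
                '')
              ];
              olcDbIndex = [
                "objectClass eq"
                "uid pres,eq"
                #"uidMember pres,eq"
                "mail pres,eq,sub"
                "cn pres,eq,sub"
                "sn pres,eq,sub"
                "dc eq"
                "member eq"
                "memberOf eq"
              ];
              olcDbDirectory = "/var/lib/openldap";
              olcRootDN = "cn=root,dc=salle-s,dc=org";
              # Read from the secret file at runtime instead of inlined here.
              olcRootPW.path = config.secrets.fullPaths."ldap/password";
              olcSuffix = "dc=salle-s,dc=org";
            };
            children = {
              "olcOverlay={0}memberof" = {
                attrs = {
                  objectClass = [ "olcOverlayConfig" "olcMemberOf" ];
                  olcOverlay = "{0}memberof";
                };
              };
              "olcOverlay={1}syncprov" = {
                attrs = {
                  objectClass = [ "olcOverlayConfig" "olcSyncProvConfig" ];
                  olcOverlay = "{1}syncprov";
                  # syncprov checkpoint: every 100 operations or 10 minutes.
                  olcSpCheckpoint = "100 10";
                };
              };
            };
          };
        };
      };
    };

    # phpLDAPadmin under /ldap on the "tools" vhost; PHP is handed to the
    # pool below over its unix socket.
    # NOTE(review): "Require all granted" exposes the UI to every client of
    # the vhost, with only phpLDAPadmin's own cookie login in front of the
    # directory.  Consider a source-IP restriction or an extra auth layer.
    services.websites.env.production.modules = [ "proxy_fcgi" ];
    services.websites.env.production.vhostConfs.tools.extraConfig = [
      ''
      Alias /ldap "${phpLdapAdmin}/htdocs"
      <Directory "${phpLdapAdmin}/htdocs">
        DirectoryIndex index.php
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
        </FilesMatch>

        AllowOverride None
        Require all granted
      </Directory>
      ''
    ];
    services.phpfpm.pools.ldap = {
      user = "wwwrun";
      group = "wwwrun";
      settings =
        let
          # open_basedir must include the secret config path, otherwise PHP
          # could not open config.php.
          basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
        in {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "ondemand";
          "pm.max_children" = "60";
          "pm.process_idle_timeout" = "60";

          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "LdapPHPSESSID";
          "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
          "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
        };
      phpPackage = pkgs.php72;
    };
    system.activationScripts.ldap = {
      deps = [ "users" ];
      # 0700 (was 0755): PHP names session files after the session ID, so a
      # world-listable save_path lets any local account enumerate live
      # phpLDAPadmin session IDs.  Only the pool user (wwwrun) needs access.
      text = ''
        install -m 0700 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
      '';
    };
    # Pull in slapd and order the pool after it.
    systemd.services.phpfpm-ldap = {
      after = lib.mkAfter [ "openldap.service" ];
      wants = [ "openldap.service" ];
    };
  };
}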