# NixOS module for the task service on task.immae.eu: a Taskserver (taskd)
# whose client certificates are issued by a locally generated CA, the PHP
# taskwarrior-web frontend behind PHP-FPM, and one Ruby taskwarrior-web
# instance per folder listed in config.myEnv.tools.task.taskwarrior-web, all
# served by Apache with LDAP authentication.  Lines marked NOTE(review) are
# reviewer observations to confirm, not verified facts.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.tasks;
  # taskd data directory: keys/ holds the local CA, userkeys/ the client
  # key/certificate pairs.
  server_vardir = config.services.taskserver.dataDir;
  fqdn = "task.immae.eu";
  user = config.services.taskserver.user;
  # Site-specific values: LDAP connection settings and the per-folder
  # taskwarrior-web definitions (org, key, date, uid list).
  env = config.myEnv.tools.task;
  group = config.services.taskserver.group;
  # Helper script (installed into ${user}'s packages) that creates a 4096-bit
  # RSA key and a client certificate for the name passed as $1, signed by the
  # CA under ${server_vardir}/keys and written to ${server_vardir}/userkeys.
  # The sed call keeps only the PEM block of the key file (certtool presumably
  # prints key parameters ahead of it).  The certificate template requests
  # TLS client usage with a ten-year validity.
  # NOTE(review): silent_certtool ends in an `if` without `else`, so its exit
  # status is 0 whether certtool succeeded or not; a failure is only reported
  # on stderr and the following steps run against a missing file.
  # NOTE(review): $1 is used in the output paths unchecked; an empty name or
  # one containing "/" is not confined to userkeys/.
  taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
    mkdir -p $out/bin
    cat > $out/bin/taskserver-user-certs <<"EOF"
    #!/usr/bin/env bash

    user=$1

    silent_certtool() {
      if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
        echo "GNUTLS certtool invocation failed with output:" >&2
        echo "$output" >&2
      fi
    }

    silent_certtool -p \
      --bits 4096 \
      --outfile "${server_vardir}/userkeys/$user.key.pem"
    ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem"

    silent_certtool -c \
      --template "${pkgs.writeText "taskserver-ca.template" ''
        tls_www_client
        encryption_key
        signing_key
        expiration_days = 3650
      ''}" \
      --load-ca-certificate "${server_vardir}/keys/ca.cert" \
      --load-ca-privkey "${server_vardir}/keys/ca.key" \
      --load-privkey "${server_vardir}/userkeys/$user.key.pem" \
      --outfile "${server_vardir}/userkeys/$user.cert.pem"
    EOF
    chmod a+x $out/bin/taskserver-user-certs
    patchShebangs $out/bin/taskserver-user-certs
  '';
  # Ruby taskwarrior-web package, its unix-socket directory and its state root.
  taskwarrior-web = pkgs.webapps.taskwarrior-web;
  socketsDir = "/run/taskwarrior-web";
  varDir = "/var/lib/taskwarrior-web";
  # Static landing pages served under /taskweb: one <uid>.html per LDAP uid
  # (the Apache rewrite below looks them up by REMOTE_USER) plus a
  # "Please login" index.html.
  taskwebPages = let
    # uid -> list of folder names whose `uid` list contains that uid
    # (zipAttrs merges the per-folder singleton sets by key).
    uidPages = lib.attrsets.zipAttrs (
      lib.lists.flatten
        (lib.attrsets.mapAttrsToList (k: c: map (v: { "${v}" = k; }) c.uid) env.taskwarrior-web)
    );
    # A uid with exactly one folder gets a meta-refresh redirect to it;
    # with several folders, a link list.
    pages = lib.attrsets.mapAttrs (uid: items:
      if lib.lists.length items == 1 then
        ''
          <html>
            <head>
              <meta http-equiv="refresh" content="0; url=/taskweb/${lib.lists.head items}/" />
            </head>
            <body></body>
          </html>
        ''
      else
        ''
          <html>
            <head>
              <title>To-do list disponibles</title>
              <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
              <meta name="viewport" content="width=device-width, initial-scale=1" />
            </head>
            <body>
              <ul>
                ${builtins.concatStringsSep "\n" (map (item: "<li><a href='/taskweb/${item}'>${item}</a></li>") items)}
              </ul>
            </body>
          </html>
        ''
    ) uidPages;
  in
    # NOTE(review): "taskwerver-pages" looks like a typo for "taskserver-pages";
    # it only names the store path, so it is left as is here.
    pkgs.runCommand "taskwerver-pages" {} ''
      mkdir -p $out/
      ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "cp ${pkgs.writeText k v} $out/${k}.html") pages)}
      echo "Please login" > $out/index.html
    '';
in {
  options.myServices.tasks = {
    enable = lib.mkEnableOption "my tasks service";
  };

  config = lib.mkIf cfg.enable {
    # Backup profile: only the taskserver and taskwarrior-web state under
    # /var/lib is included.
    services.duplyBackup.profiles.tasks = {
      rootDir = "/var/lib";
      excludeFile = ''
        + /var/lib/taskserver
        + /var/lib/taskwarrior-web
        - /var/lib
      '';
    };

    # Secret files (mode 0400): the Apache snippet giving the PHP frontend its
    # taskd endpoint and LDAP bind settings (readable by wwwrun only), plus one
    # taskrc per Ruby instance (readable by the taskserver user/group).
    secrets.keys = {
      "webapps/tools-taskwarrior-web" = {
        user = "wwwrun";
        group = "wwwrun";
        permissions = "0400";
        text = ''
          SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
          SetEnv TASKD_VARDIR "${server_vardir}"
          SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
          SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
          SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
          SetEnv TASKD_LDAP_FILTER "${env.ldap.filter}"
        '';
      };
    } // (lib.mapAttrs' (name: userConfig: lib.nameValuePair "webapps/tools-taskwarrior/${name}-taskrc" {
      inherit user group;
      permissions = "0400";
      # taskrc for the instance of ${name}: every instance shares the
      # "taskwarrior-web" client certificate created by the activation script
      # below; taskd.ca is the public root used to validate the ACME-issued
      # server certificate (pki.manual.server.* below); credentials are
      # org/name/key from the folder definition.
      # NOTE(review): the comment embedded in the taskrc labels the PEM
      # "IdenTrust DST Root CA X3", but its subject fields decode to
      # "Internet Security Research Group" / "ISRG Root X1".  Confirm which
      # root the served chain actually ends in and fix the label.
      text = let
        credentials = "${userConfig.org}/${name}/${userConfig.key}";
        dateFormat = userConfig.date;
      in ''
        data.location=${varDir}/${name}
        taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
        taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
        # IdenTrust DST Root CA X3
        # obtained here: https://letsencrypt.org/fr/certificates/
        taskd.ca=${pkgs.writeText "ca.cert" ''
          -----BEGIN CERTIFICATE-----
          MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
          TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
          cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
          WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
          ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
          MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
          h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
          0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
          A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
          T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
          B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
          B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
          KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
          OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
          jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
          qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
          rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
          HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
          hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
          ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
          3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
          NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
          ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
          TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
          jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
          oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
          4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
          mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
          emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
          -----END CERTIFICATE-----''}
        taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
        taskd.credentials=${credentials}
        dateformat=${dateFormat}
      '';
    }) env.taskwarrior-web);
    # Reload the vhost when the secret Apache snippet changes.
    services.websites.env.tools.watchPaths = [ config.secrets.fullPaths."webapps/tools-taskwarrior-web" ];
    services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
    # Apache vhost for task.immae.eu: the PHP frontend at the document root,
    # the per-folder Ruby instances proxied over unix sockets under
    # /taskweb/<folder>/, and the static landing pages under /taskweb/.
    services.websites.env.tools.vhostConfs.task = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "task.immae.eu" ];
      root = "/run/current-system/webapps/_task";
      extraConfig = [
        # PHP frontend: LDAP group membership required; TASKD_*/LDAP settings
        # come from the 0400 secret file Included here; .php goes to the
        # "tasks" PHP-FPM pool.
        ''
          <Directory /run/current-system/webapps/_task>
            DirectoryIndex index.php
            Use LDAPConnect
            Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
            <FilesMatch "\.php$">
              SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
            </FilesMatch>
            Include ${config.secrets.fullPaths."webapps/tools-taskwarrior-web"}
          </Directory>
        ''
        # Macro for one folder's Ruby instance: proxy to its unix socket and
        # rewrite absolute paths in the responses with mod_sed so the app
        # works under the /taskweb/<folder>/ prefix.
        ''
          <Macro Taskwarrior %{folderName}>
            ProxyPass "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
            ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
            ProxyPassReverse http://${fqdn}/

            SetOutputFilter Sed
            OutputSed "s|/ajax|/taskweb/%{folderName}/ajax|g"
            OutputSed "s|\([^x]\)/tasks|\1/taskweb/%{folderName}/tasks|g"
            OutputSed "s|\([^x]\)/projects|\1/taskweb/%{folderName}/projects|g"
            OutputSed "s|http://${fqdn}/|/taskweb/%{folderName}/|g"
            OutputSed "s|/img/relax.jpg|/taskweb/%{folderName}/img/relax.jpg|g"
          </Macro>
        ''
        # Landing pages: /taskweb/ is LDAP-protected (the Location section
        # overrides the directory-level "Require all granted"); an
        # authenticated user whose uid has a page in taskwebPages is served it
        # via the LA-U look-ahead on REMOTE_USER, everyone else gets index.html.
        ''
          Alias /taskweb ${taskwebPages}
          <Directory "${taskwebPages}">
            DirectoryIndex index.html
            Require all granted
          </Directory>

          RewriteEngine on
          RewriteRule ^/taskweb$ /taskweb/ [R=301,L]
          RedirectMatch permanent ^/taskweb/([^/]+)$ /taskweb/$1/

          RewriteCond %{LA-U:REMOTE_USER} !=""
          RewriteCond ${taskwebPages}/%{LA-U:REMOTE_USER}.html -f
          RewriteRule ^/taskweb/?$ ${taskwebPages}/%{LA-U:REMOTE_USER}.html [L]

          <Location /taskweb/>
            Use LDAPConnect
            Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
          </Location>
        ''
      # Per-folder access control: only the uids listed for that folder may
      # reach its instance.
      ] ++ (lib.attrsets.mapAttrsToList (k: v: ''
        <Location /taskweb/${k}/>
          ${builtins.concatStringsSep "\n" (map (uid: "Require ldap-attribute uid=${uid}") v.uid)}

          Use Taskwarrior ${k}
        </Location>
      '') env.taskwarrior-web);
    };
    # PHP-FPM pool for the PHP frontend, running as the taskserver user/group
    # (presumably so it can read ${server_vardir}); the socket is owned by
    # wwwrun for Apache.  open_basedir confines PHP to the app, /tmp, the
    # taskd data dir and the user's profile bin (where `task` is found via
    # PATH).
    # NOTE(review): pkgs.php72 pins PHP 7.2, which is past upstream
    # end-of-life; check that the nixpkgs in use still carries fixes for it.
    services.phpfpm.pools = {
      tasks = {
        user = user;
        group = group;
        settings = {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "dynamic";
          "pm.max_children" = "60";
          "pm.start_servers" = "2";
          "pm.min_spare_servers" = "1";
          "pm.max_spare_servers" = "10";

          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "TaskPHPSESSID";
          "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/";
        };
        phpEnv = {
          PATH = "/etc/profiles/per-user/${user}/bin";
        };
        phpPackage = pkgs.php72;
      };
    };

    services.websites.webappDirs._task = ./www;

    # Server certificate for ${fqdn}, owned by the taskserver user/group so
    # taskd can read it; taskd is restarted after each renewal so it picks
    # up the new key pair.
    security.acme.certs."task" = config.myServices.certificates.certConfig // {
      inherit user group;
      domain = fqdn;
      postRun = ''
        systemctl restart taskserver.service
      '';
    };

    # The taskserver user gets the cert helper and access to the secrets group.
    users.users.${user} = {
      extraGroups = [ "keys" ];
      packages = [ taskserver-user-certs ];
    };

    # Creates the data directories (0750, ${user}:${group}) and, when no CA
    # key exists yet, the local CA used to sign client certificates: a
    # 4096-bit RSA key and a self-signed CA certificate with cn = ${fqdn}.
    # silent_certtool is the same helper as in taskserver-user-certs (and
    # likewise returns 0 even when certtool fails); because the guard is on
    # the key file's existence, a failed run is retried at the next
    # activation.
    # NOTE(review): `expiration_days = -1` asks certtool for a CA certificate
    # that never expires, and `chmod g+r` makes the CA private key readable
    # by every member of ${group}; anyone in that group can issue client
    # certificates taskd will accept.
    system.activationScripts.taskserver = {
      deps = [ "users" ];
      text = ''
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys

        if [ ! -e "${server_vardir}/keys/ca.key" ]; then
          silent_certtool() {
            if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
              echo "GNUTLS certtool invocation failed with output:" >&2
              echo "$output" >&2
            fi
          }

          silent_certtool -p \
            --bits 4096 \
            --outfile "${server_vardir}/keys/ca.key"

          silent_certtool -s \
            --template "${pkgs.writeText "taskserver-ca.template" ''
              cn = ${fqdn}
              expiration_days = -1
              cert_signing_key
              ca
            ''}" \
            --load-privkey "${server_vardir}/keys/ca.key" \
            --outfile "${server_vardir}/keys/ca.cert"

          chown :${group} "${server_vardir}/keys/ca.key"
          chmod g+r "${server_vardir}/keys/ca.key"
        fi
      '';
    };

    # taskd itself: listens on every address, accepts the listed client
    # programs, verifies client certificates against the local CA and
    # presents the ACME certificate as its own identity.
    # NOTE(review): server.crl points at invalid.crl inside the ACME
    # directory, which looks like a non-existent placeholder; a compromised
    # client certificate could then not be revoked short of re-issuing the CA.
    # NOTE(review): requestLimit is 100 MiB per request; confirm that is
    # intended for the expected sync sizes.
    services.taskserver = {
      enable = true;
      allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
      inherit fqdn;
      listenHost = "::";
      pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
      pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem";
      pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl";
      pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem";
      requestLimit = 104857600;
    };

    # One-time creation of the shared "taskwarrior-web" client key pair that
    # every Ruby instance's taskrc points at.
    # NOTE(review): ownership is hard-coded to taskd:taskd while the rest of
    # the module uses ${user}:${group}; the two agree only while the
    # taskserver user/group options keep their defaults.
    system.activationScripts.taskwarrior-web = {
      deps = [ "users" ];
      text = ''
        if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
          ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
          chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
        fi
      '';
    };

    # Slice grouping taskd, its helper units and all taskwarrior-web instances.
    systemd.slices.taskwarrior = {
      description = "Taskwarrior slice";
    };

    # One service per folder running the Ruby taskwarrior-web under thin on a
    # unix socket ${socketsDir}/<name>.sock, with its state in
    # ${varDir}/<name>; the asserts make sure the directories can be
    # expressed relative to /var/lib and /run as systemd requires.  All
    # instances share the same RuntimeDirectory, which is presumably why it
    # is preserved across single-instance restarts.
    # NOTE(review): `0750` is a Nix decimal literal (750); systemd reads the
    # mode as octal so the effective mode is still 0750, but the quoted form
    # "0750" would state the intent.
    systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
      lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
        description = "Taskwarrior webapp for ${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        path = [ pkgs.taskwarrior ];

        environment.TASKRC = config.secrets.fullPaths."webapps/tools-taskwarrior/${name}-taskrc";
        environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
        environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
        environment.LC_ALL = "fr_FR.UTF-8";

        script = ''
          exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
        '';

        serviceConfig = {
          Slice = "taskwarrior.slice";
          User = user;
          PrivateTmp = true;
          Restart = "always";
          TimeoutSec = 60;
          Type = "simple";
          WorkingDirectory = taskwarrior-web;
          StateDirectoryMode = 0750;
          StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
            (lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
          RuntimeDirectoryPreserve = "yes";
          RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
            lib.strings.removePrefix "/run/" socketsDir;
        };

        unitConfig.RequiresMountsFor = varDir;
      }) env.taskwarrior-web) // {
      # Re-apply group read access to the CA key after the NixOS taskserver-ca
      # unit runs (presumably it recreates or re-owns the key), mirroring the
      # activation script above; the taskd units join the taskwarrior slice.
      taskserver-ca.postStart = ''
        chown :${group} "${server_vardir}/keys/ca.key"
        chmod g+r "${server_vardir}/keys/ca.key"
      '';
      taskserver-ca.serviceConfig.Slice = "taskwarrior.slice";
      taskserver-init.serviceConfig.Slice = "taskwarrior.slice";
      taskserver.serviceConfig.Slice = "taskwarrior.slice";
    };

  };
}