# NixOS module for the "quatresaisons" host: PostgreSQL, an OpenLDAP server
# and a phpLdapAdmin front-end served under /ldap on the "tools" vhost.
# Secret material (slapd root password, phpLdapAdmin bind credentials) is
# delivered through `config.secrets` paths rather than embedded in packages.
{ pkgs, config, lib, ... }:
{
  config = let
    # Per-host values (LDAP root password, phpLdapAdmin bind DN/password);
    # their shape is defined elsewhere in the environment config.
    serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
    # The package is overridden to take its config file from the secrets
    # path declared below (presumably used as its config.php), so the bind
    # password is not part of the package output.
    phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
  in {
    services.postgresql.enable = true;
    # NOTE(review): PostgreSQL 12 reached upstream end-of-life in November
    # 2024 and no longer receives security fixes; plan a major upgrade.
    services.postgresql.package = pkgs.postgresql_12;
    services.postgresql.ensureUsers = [
      { name = "naemon"; }
    ];
    secrets.keys = {
      # slapd `rootpw` directive, rendered into a file readable only by the
      # openldap user; `services.openldap.rootpwFile` below points at it.
      "ldap/password" = {
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
      };
      # phpLdapAdmin config.php, readable only by the PHP-FPM user.  It
      # carries the bind password, which is why it lives here and not in
      # the package.
      # NOTE(review): `show_clear_password = true` is the phpLdapAdmin
      # option that shows password attribute values unmasked in the UI
      # (confirm against config.php.example); consider `false` unless the
      # operators rely on it.  With `auth_type = cookie`, `login,attr = uid`
      # and `fallback_dn = true`, a login name is first resolved to a DN
      # through the `bind_id` account and, failing that, tried verbatim as
      # a DN.  New passwords are hashed with SSHA (`pla_password_hash`).
      "webapps/tools-ldap" = {
        user = "wwwrun";
        group = "wwwrun";
        permissions = "0400";
        text = ''
          <?php
          $config->custom->appearance['show_clear_password'] = true;
          $config->custom->appearance['hide_template_warning'] = true;
          $config->custom->appearance['theme'] = "tango";
          $config->custom->appearance['minimalMode'] = false;
          $config->custom->appearance['tree'] = 'AJAXTree';

          $servers = new Datastore();

          $servers->newServer('ldap_pla');
          $servers->setValue('server','name','LDAP');
          $servers->setValue('server','host','ldap://localhost');
          $servers->setValue('login','auth_type','cookie');
          $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
          $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
          $servers->setValue('appearance','pla_password_hash','ssha');
          $servers->setValue('login','attr','uid');
          $servers->setValue('login','fallback_dn',true);
        '';
      };
    };

    # Presumably grants slapd read access to the secrets directory where
    # its rootpw file is installed; the "keys" group is declared elsewhere.
    users.users.openldap.extraGroups = [ "keys" ];
    services.openldap = {
      enable = true;
      dataDir = "/var/lib/openldap";
      # Plain ldap:// on the loopback interface only; phpLdapAdmin above
      # also connects to ldap://localhost.
      urlList = [ "ldap://localhost" ];
      # NOTE(review): "none" keeps only the messages slapd emits regardless
      # of level, so failed binds and ACL decisions are not recorded.
      # "stats" is the usual minimum for auditing connections/operations.
      logLevel = "none";
      # NOTE(review): the hdb backend was deprecated in OpenLDAP 2.4 and
      # removed in 2.5; mdb is the supported replacement (also `database`
      # further down).
      extraConfig = ''
        pidfile /run/slapd/slapd.pid
        argsfile /run/slapd/slapd.args

        moduleload back_hdb
        backend hdb
      '';

      # Database-level overlays, indexes and ACLs.  slapd.conf treats a line
      # that starts with whitespace as a continuation of the previous line,
      # so the `by` clauses must stay indented relative to their `access to`
      # line.  memberof maintains the memberOf attribute on member entries;
      # syncprov is the replication provider, checkpointing contextCSN every
      # 100 write operations or 10 minutes.
      # ACL summary (evaluated in order; `break` continues with the next
      # `access` directive; the rootdn is not subject to ACLs):
      #   - `description` is unreadable by everyone but root.
      #   - the phpLdapAdmin bind DN may read entry+uid of any uid-bearing
      #     entry, enough for the login-name -> DN lookup.
      #   - accounts under ou=services may read ou=users.
      #   - otherwise: self read, anonymous may only authenticate.
      # NOTE(review): the final `by * break` has no following directive;
      # I read that as slapd denying whatever is not matched earlier
      # (default-deny) — confirm against slapd.access(5).
      extraDatabaseConfig = ''
        moduleload memberof
        overlay memberof

        moduleload syncprov
        overlay syncprov
        syncprov-checkpoint 100 10

        index objectClass eq
        index uid pres,eq
        #index uidMember pres,eq
        index mail pres,sub,eq
        index cn pres,sub,eq
        index sn pres,sub,eq
        index dc eq
        index member eq
        index memberOf eq

        # No one must access that information except root
        access to attrs=description
          by * none

        access to attrs=entry,uid filter="(uid=*)"
          by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
          by * break

        access to dn.subtree="ou=users,dc=salle-s,dc=org"
          by dn.subtree="ou=services,dc=salle-s,dc=org" read
          by * break

        access to *
          by self read
          by anonymous auth
          by * break
      '';
      rootpwFile = config.secrets.fullPaths."ldap/password";
      suffix = "dc=salle-s,dc=org";
      rootdn = "cn=root,dc=salle-s,dc=org";
      database = "hdb";
    };

    # Apache: /ldap is served from the phpLdapAdmin package, PHP handled by
    # the "ldap" PHP-FPM pool over its unix socket.
    # NOTE(review): `Require all granted` exposes the phpLdapAdmin login page
    # to every client that can reach the vhost; the only gate is the
    # application's own LDAP login.  If the UI is only used by operators,
    # restricting by source (`Require ip ...`) or an authentication layer in
    # front narrows the exposed surface.
    services.websites.env.production.modules = [ "proxy_fcgi" ];
    services.websites.env.production.vhostConfs.tools.extraConfig = [
      ''
        Alias /ldap "${phpLdapAdmin}/htdocs"
        <Directory "${phpLdapAdmin}/htdocs">
          DirectoryIndex index.php
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
          </FilesMatch>

          AllowOverride None
          Require all granted
        </Directory>
      ''
    ];
    services.phpfpm.pools.ldap = {
      user = "wwwrun";
      group = "wwwrun";
      settings =
        let
          # open_basedir roots: the application tree and its config file.
          basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
        in {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "ondemand";
          "pm.max_children" = "60";
          "pm.process_idle_timeout" = "60";

          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "LdapPHPSESSID";
          # php_admin_value cannot be overridden by the application: file
          # access is confined to the app, its config, /tmp and the
          # dedicated session directory created by the activation script.
          "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
          "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
        };
      # NOTE(review): PHP 7.2 reached end-of-life in November 2020 and gets
      # no security fixes; presumably pinned for phpLdapAdmin compatibility,
      # which makes the phpLdapAdmin version itself worth tracking.
      phpPackage = pkgs.php72;
    };
    # Session directory for the pool above; ordered after "users" presumably
    # so the wwwrun account exists when chown runs.
    # NOTE(review): 0755 lets any local user list session file names; 0700
    # would do, since only the pool user needs the directory.
    system.activationScripts.ldap = {
      deps = [ "users" ];
      text = ''
        install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
      '';
    };
    # Start the PHP-FPM pool after slapd, so the first requests can bind.
    systemd.services.phpfpm-ldap = {
      after = lib.mkAfter [ "openldap.service" ];
      wants = [ "openldap.service" ];
    };
  };
}