1 { pkgs, config, lib, ... }:
4 serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
5 phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
7 services.postgresql.enable = true;
8 services.postgresql.package = pkgs.postgresql_12;
9 services.postgresql.ensureUsers = [
14 dest = "ldap/password";
18 text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
21 dest = "webapps/tools-ldap";
27 $config->custom->appearance['show_clear_password'] = true;
28 $config->custom->appearance['hide_template_warning'] = true;
29 $config->custom->appearance['theme'] = "tango";
30 $config->custom->appearance['minimalMode'] = false;
31 $config->custom->appearance['tree'] = 'AJAXTree';
33 $servers = new Datastore();
35 $servers->newServer('ldap_pla');
36 $servers->setValue('server','name','LDAP');
37 $servers->setValue('server','host','ldap://localhost');
38 $servers->setValue('login','auth_type','cookie');
39 $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
40 $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
41 $servers->setValue('appearance','pla_password_hash','ssha');
42 $servers->setValue('login','attr','uid');
43 $servers->setValue('login','fallback_dn',true);
48 users.users.openldap.extraGroups = [ "keys" ];
51 dataDir = "/var/lib/openldap";
52 urlList = [ "ldap://localhost" ];
55 pidfile /run/slapd/slapd.pid
56 argsfile /run/slapd/slapd.args
62 extraDatabaseConfig = ''
68 syncprov-checkpoint 100 10
72 #index uidMember pres,eq
73 index mail pres,sub,eq
80 # No one must access that information except root
81 access to attrs=description
84 access to attrs=entry,uid filter="(uid=*)"
85 by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
88 access to dn.subtree="ou=users,dc=salle-s,dc=org"
89 by dn.subtree="ou=services,dc=salle-s,dc=org" read
97 rootpwFile = "${config.secrets.location}/ldap/password";
98 suffix = "dc=salle-s,dc=org";
99 rootdn = "cn=root,dc=salle-s,dc=org";
103 services.websites.env.production.modules = [ "proxy_fcgi" ];
104 services.websites.env.production.vhostConfs.tools.extraConfig = [
106 Alias /ldap "${phpLdapAdmin}/htdocs"
107 <Directory "${phpLdapAdmin}/htdocs">
108 DirectoryIndex index.php
109 <FilesMatch "\.php$">
110 SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
118 services.phpfpm.pools.ldap = {
123 basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
125 "listen.owner" = "wwwrun";
126 "listen.group" = "wwwrun";
128 "pm.max_children" = "60";
129 "pm.process_idle_timeout" = "60";
131 # Needed to avoid clashes in browser cookies (same domain)
132 "php_value[session.name]" = "LdapPHPSESSID";
133 "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
134 "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
136 phpPackage = pkgs.php72;
138 system.activationScripts.ldap = {
141 install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
144 systemd.services.phpfpm-ldap = {
145 after = lib.mkAfter [ "openldap.service" ];
146 wants = [ "openldap.service" ];