modules/private/websites/tools/dav/davical.nix

   1 { stdenv, fetchurl, gettext, writeText, env, awl, davical }:
   2 rec {
   3   activationScript = {
   4     deps = [ "httpd" ];
   5     text = ''
   6       install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical
   7       '';
   8   };
   9   keys = [{
  10     dest = "webapps/dav-davical";
  11     user = apache.user;
  12     group = apache.group;
  13     permissions = "0400";
  14     text = ''
  15       <?php
  16       $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
  17
  18       $c->readonly_webdav_collections = false;
  19
  20       $c->admin_email ='davical@tools.immae.eu';
  21
  22       $c->restrict_setup_to_admin = true;
  23
  24       $c->collections_always_exist = false;
  25
  26       $c->external_refresh = 60;
  27
  28       $c->enable_scheduling = true;
  29
  30       $c->iMIP = (object) array("send_email" => true);
  31
  32       $c->authenticate_hook['optional'] = false;
  33       $c->authenticate_hook['call'] = 'LDAP_check';
  34       $c->authenticate_hook['config'] = array(
  35           'host' => '${env.ldap.host}',
  36           'port' => '389',
  37           'startTLS' => 'yes',
  38           'bindDN'=> '${env.ldap.dn}',
  39           'passDN'=> '${env.ldap.password}',
  40           'protocolVersion' => '3',
  41           'baseDNUsers'=> array('ou=users,${env.ldap.base}', 'ou=group_users,${env.ldap.base}'),
  42           'filterUsers' => '${env.ldap.filter}',
  43           'baseDNGroups' => 'ou=groups,${env.ldap.base}',
  44           'filterGroups' => 'memberOf=cn=groups,${env.ldap.dn}',
  45           'mapping_field' => array(
  46             "username" => "uid",
  47             "fullname" => "cn",
  48             "email"    => "mail",
  49             "modified" => "modifyTimestamp",
  50           ),
  51           'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
  52             /** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/
  53       //    'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
  54           'group_mapping_field' => array(
  55             "username"    => "cn",
  56             "updated"     => "modifyTimestamp",
  57             "fullname"    => "givenName",
  58             "displayname" => "givenName",
  59             "members"     => "memberUid",
  60             "email"       => "mail",
  61           ),
  62         );
  63
  64       $c->do_not_sync_from_ldap = array('admin' => true);
  65       include('drivers_ldap.php');
  66     '';
  67   }];
  68   webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
  69   webRoot = "${webapp}/htdocs";
  70   apache = rec {
  71     user = "wwwrun";
  72     group = "wwwrun";
  73     modules = [ "proxy_fcgi" ];
  74     webappName = "tools_davical";
  75     root = "/run/current-system/webapps/${webappName}";
  76     vhostConf = ''
  77       Alias /davical "${root}"
  78       Alias /caldav.php  "${root}/caldav.php"
  79       <Directory "${root}">
  80         DirectoryIndex index.php index.html
  81         AcceptPathInfo On
  82         AllowOverride None
  83         Require all granted
  84
  85         <FilesMatch "\.php$">
  86           CGIPassAuth on
  87           SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
  88         </FilesMatch>
  89
  90         RewriteEngine On
  91         <IfModule mod_headers.c>
  92                 Header unset Access-Control-Allow-Origin
  93                 Header unset Access-Control-Allow-Methods
  94                 Header unset Access-Control-Allow-Headers
  95                 Header unset Access-Control-Allow-Credentials
  96                 Header unset Access-Control-Expose-Headers
  97
  98                 Header always set Access-Control-Allow-Origin "*"
  99                 Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
 100                 Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
 101                 Header always set Access-Control-Allow-Credentials false
 102                 Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
 103
 104                 RewriteCond %{HTTP:Access-Control-Request-Method} !^$
 105                 RewriteCond %{REQUEST_METHOD} OPTIONS
 106                 RewriteRule ^(.*)$ $1 [R=200,L]
 107         </IfModule>
 108       </Directory>
 109       '';
 110   };
 111   phpFpm = rec {
 112     serviceDeps = [ "postgresql.service" "openldap.service" ];
 113     basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
 114     socket = "/var/run/phpfpm/davical.sock";
 115     pool = ''
 116       listen = ${socket}
 117       user = ${apache.user}
 118       group = ${apache.group}
 119       listen.owner = ${apache.user}
 120       listen.group = ${apache.group}
 121       pm = dynamic
 122       pm.max_children = 60
 123       pm.start_servers = 2
 124       pm.min_spare_servers = 1
 125       pm.max_spare_servers = 10
 126
 127       ; Needed to avoid clashes in browser cookies (same domain)
 128       php_value[session.name] = DavicalPHPSESSID
 129       php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical"
 130       php_admin_value[include_path] = "${awl}/inc:${webapp}/inc"
 131       php_admin_value[session.save_path] = "/var/lib/php/sessions/davical"
 132       php_flag[magic_quotes_gpc] = Off
 133       php_flag[register_globals] = Off
 134       php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE"
 135       php_admin_value[default_charset] = "utf-8"
 136       php_flag[magic_quotes_runtime] = Off
 137       '';
 138   };
 139 }