Add quatresaisons server
diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix
new file mode 100644 (file)
index 0000000..3491ae4
--- /dev/null
@@ -0,0 +1,146 @@
+{ pkgs, config, lib, ... }:
+{
+  config = let
+    serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
+    phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+  in {
+    services.postgresql.enable = true;
+    services.postgresql.package = pkgs.postgresql_12;
+    secrets.keys = [
+      {
+        dest = "ldap/password";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = "rootpw      ${serverSpecificConfig.ldap_root_pw}";
+      }
+      {
+        dest = "webapps/tools-ldap";
+        user = "wwwrun";
+        group = "wwwrun";
+        permissions = "0400";
+        text = ''
+          <?php
+          $config->custom->appearance['show_clear_password'] = true;
+          $config->custom->appearance['hide_template_warning'] = true;
+          $config->custom->appearance['theme'] = "tango";
+          $config->custom->appearance['minimalMode'] = false;
+          $config->custom->appearance['tree'] = 'AJAXTree';
+
+          $servers = new Datastore();
+
+          $servers->newServer('ldap_pla');
+          $servers->setValue('server','name','LDAP');
+          $servers->setValue('server','host','ldap://localhost');
+          $servers->setValue('login','auth_type','cookie');
+          $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
+          $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
+          $servers->setValue('appearance','pla_password_hash','ssha');
+          $servers->setValue('login','attr','uid');
+          $servers->setValue('login','fallback_dn',true);
+        '';
+      }
+    ];
+
+    users.users.openldap.extraGroups = [ "keys" ];
+    services.openldap = {
+      enable = true;
+      dataDir = "/var/lib/openldap";
+      urlList = [ "ldap://localhost" ];
+      logLevel = "none";
+      extraConfig = ''
+        pidfile     /run/slapd/slapd.pid
+        argsfile    /run/slapd/slapd.args
+
+        moduleload  back_hdb
+        backend     hdb
+      '';
+
+      extraDatabaseConfig = ''
+        moduleload  memberof
+        overlay     memberof
+
+        moduleload  syncprov
+        overlay     syncprov
+        syncprov-checkpoint 100 10
+
+        index   objectClass       eq
+        index   uid               pres,eq
+        #index   uidMember         pres,eq
+        index   mail              pres,sub,eq
+        index   cn                pres,sub,eq
+        index   sn                pres,sub,eq
+        index   dc                eq
+        index   member            eq
+        index   memberOf          eq
+
+        # No one must access that information except root
+        access to attrs=description
+          by * none
+
+        access to attrs=entry,uid filter="(uid=*)"
+          by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
+          by * break
+
+        access to dn.subtree="ou=users,dc=salle-s,dc=org"
+          by dn.subtree="ou=services,dc=salle-s,dc=org" read
+          by * break
+
+        access to *
+          by self read
+          by anonymous auth
+          by * break
+      '';
+      rootpwFile = "${config.secrets.location}/ldap/password";
+      suffix = "dc=salle-s,dc=org";
+      rootdn = "cn=root,dc=salle-s,dc=org";
+      database = "hdb";
+    };
+
+    services.websites.env.production.modules = [ "proxy_fcgi" ];
+    services.websites.env.production.vhostConfs.tools.extraConfig = [
+      ''
+        Alias /ldap "${phpLdapAdmin}/htdocs"
+        <Directory "${phpLdapAdmin}/htdocs">
+          DirectoryIndex index.php
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
+          </FilesMatch>
+
+          AllowOverride None
+          Require all granted
+        </Directory>
+      ''
+    ];
+    services.phpfpm.pools.ldap = {
+      user = "wwwrun";
+      group = "wwwrun";
+      settings =
+        let
+          basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
+        in {
+          "listen.owner" = "wwwrun";
+          "listen.group" = "wwwrun";
+          "pm" = "ondemand";
+          "pm.max_children" = "60";
+          "pm.process_idle_timeout" = "60";
+
+          # Needed to avoid clashes in browser cookies (same domain)
+          "php_value[session.name]" = "LdapPHPSESSID";
+          "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
+          "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
+        };
+      phpPackage = pkgs.php72;
+    };
+    system.activationScripts.ldap = {
+      deps = [ "users" ];
+      text = ''
+        install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
+        '';
+    };
+    systemd.services.phpfpm-ldap = {
+      after = lib.mkAfter [ "openldap.service" ];
+      wants = [ "openldap.service" ];
+    };
+  };
+}
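Review bot: The ACL set in extraDatabaseConfig has no rule for the userPassword attribute, so `access to dn.subtree="ou=users,dc=salle-s,dc=org" by dn.subtree="ou=services,..." read` lets every service account read the stored password hashes of all users, and the catch-all `by self read` lets each user read (but not change) their own hash. Since slapd ACLs are first-match, a dedicated rule should be placed before the ou=users rule: `access to attrs=userPassword`, `  by anonymous auth`, `  by * none` (add `by self write` if users are expected to change their own password; the rootdn bypasses ACLs either way, so the "only root" comment above the description rule remains accurate). Relatedly, `show_clear_password = true` in the phpLDAPadmin config makes the UI display password attribute values in clear text on an interface that the vhost exposes with `Require all granted`, and `logLevel = "none"` leaves no slapd audit trail of binds or modifications; consider dropping the first and raising the second to at least `stats`. The `rootpw` line stores the root password in clear in the secrets file; slapd accepts a hash here (e.g. the `{SSHA}` output of slappasswd), which limits exposure if the file is ever read.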