--- /dev/null
+{ pkgs, config, lib, ... }:
+{
+ config = let
+ serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
+ phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+ in {
+ services.postgresql.enable = true;
+ services.postgresql.package = pkgs.postgresql_12;
+ secrets.keys = [
+ {
+ dest = "ldap/password";
+ permissions = "0400";
+ user = "openldap";
+ group = "openldap";
+ text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
+ }
+ {
+ dest = "webapps/tools-ldap";
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0400";
+ text = ''
+ <?php
+ $config->custom->appearance['show_clear_password'] = true;
+ $config->custom->appearance['hide_template_warning'] = true;
+ $config->custom->appearance['theme'] = "tango";
+ $config->custom->appearance['minimalMode'] = false;
+ $config->custom->appearance['tree'] = 'AJAXTree';
+
+ $servers = new Datastore();
+
+ $servers->newServer('ldap_pla');
+ $servers->setValue('server','name','LDAP');
+ $servers->setValue('server','host','ldap://localhost');
+ $servers->setValue('login','auth_type','cookie');
+ $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
+ $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
+ $servers->setValue('appearance','pla_password_hash','ssha');
+ $servers->setValue('login','attr','uid');
+ $servers->setValue('login','fallback_dn',true);
+ '';
+ }
+ ];
+
+ users.users.openldap.extraGroups = [ "keys" ];
+ services.openldap = {
+ enable = true;
+ dataDir = "/var/lib/openldap";
+ urlList = [ "ldap://localhost" ];
+ logLevel = "none";
+ extraConfig = ''
+ pidfile /run/slapd/slapd.pid
+ argsfile /run/slapd/slapd.args
+
+ moduleload back_hdb
+ backend hdb
+ '';
+
+ extraDatabaseConfig = ''
+ moduleload memberof
+ overlay memberof
+
+ moduleload syncprov
+ overlay syncprov
+ syncprov-checkpoint 100 10
+
+ index objectClass eq
+ index uid pres,eq
+ #index uidMember pres,eq
+ index mail pres,sub,eq
+ index cn pres,sub,eq
+ index sn pres,sub,eq
+ index dc eq
+ index member eq
+ index memberOf eq
+
+ # No one must access that information except root
+ access to attrs=description
+ by * none
+
+ access to attrs=entry,uid filter="(uid=*)"
+ by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
+ by * break
+
+ access to dn.subtree="ou=users,dc=salle-s,dc=org"
+ by dn.subtree="ou=services,dc=salle-s,dc=org" read
+ by * break
+
+ access to *
+ by self read
+ by anonymous auth
+ by * break
+ '';
+ rootpwFile = "${config.secrets.location}/ldap/password";
+ suffix = "dc=salle-s,dc=org";
+ rootdn = "cn=root,dc=salle-s,dc=org";
+ database = "hdb";
+ };
+
+ services.websites.env.production.modules = [ "proxy_fcgi" ];
+ services.websites.env.production.vhostConfs.tools.extraConfig = [
+ ''
+ Alias /ldap "${phpLdapAdmin}/htdocs"
+ <Directory "${phpLdapAdmin}/htdocs">
+ DirectoryIndex index.php
+ <FilesMatch "\.php$">
+ SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
+ </FilesMatch>
+
+ AllowOverride None
+ Require all granted
+ </Directory>
+ ''
+ ];
+ services.phpfpm.pools.ldap = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings =
+ let
+ basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
+ in {
+ "listen.owner" = "wwwrun";
+ "listen.group" = "wwwrun";
+ "pm" = "ondemand";
+ "pm.max_children" = "60";
+ "pm.process_idle_timeout" = "60";
+
+ # Needed to avoid clashes in browser cookies (same domain)
+ "php_value[session.name]" = "LdapPHPSESSID";
+ "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
+ "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
+ };
+ phpPackage = pkgs.php72;
+ };
+ system.activationScripts.ldap = {
+ deps = [ "users" ];
+ text = ''
+ install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
+ '';
+ };
+ systemd.services.phpfpm-ldap = {
+ after = lib.mkAfter [ "openldap.service" ];
+ wants = [ "openldap.service" ];
+ };
+ };
+}