Use LDAPConnect
Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
<FilesMatch "\.php$">
- SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
+ SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
</FilesMatch>
Include /var/secrets/webapps/tools-taskwarrior-web
</Directory>
};
services.phpfpm.pools = {
tasks = {
- listen = "/var/run/phpfpm/task.sock";
- extraConfig = ''
- user = ${user}
- group = ${group}
- listen.owner = wwwrun
- listen.group = wwwrun
- pm = dynamic
- pm.max_children = 60
- pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 10
+ user = user;
+ group = group;
+ settings = {
+ "listen.owner" = "wwwrun";
+ "listen.group" = "wwwrun";
+ "pm" = "dynamic";
+ "pm.max_children" = "60";
+ "pm.start_servers" = "2";
+ "pm.min_spare_servers" = "1";
+ "pm.max_spare_servers" = "10";
- ; Needed to avoid clashes in browser cookies (same domain)
- env[PATH] = "/etc/profiles/per-user/${user}/bin"
- php_value[session.name] = TaskPHPSESSID
- php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"
- '';
+ # Needed to avoid clashes in browser cookies (same domain)
+ "php_value[session.name]" = "TaskPHPSESSID";
+ "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/";
+ };
+ phpEnv = {
+ PATH = "/etc/profiles/per-user/${user}/bin";
+ };
+ phpPackage = pkgs.php72;
};
};
- myServices.websites.webappDirs._task = ./www;
+ services.websites.webappDirs._task = ./www;
- security.acme2.certs."task" = config.myServices.certificates.certConfig // {
+ security.acme.certs."task" = config.myServices.certificates.certConfig // {
inherit user group;
- plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
domain = fqdn;
postRun = ''
systemctl restart taskserver.service
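Review bot: The new `phpPackage = pkgs.php72;` pins this pool to PHP 7.2, a branch whose upstream security support ended in November 2020, so depending on when this is deployed the pool serving `/_task` may be running an unpatched interpreter behind the LDAP gate; if the pin is needed for taskwarrior-web compatibility, say so, e.g. `# taskwarrior-web does not run on newer PHP; 7.2 is EOL, revisit` above the line, otherwise prefer the default `pkgs.php`. The migrated `open_basedir` still includes a bare `/tmp`; since the pool has no `PrivateTmp` this is a system-wide shared directory that any other PHP pool or local process can write to, which is worth a comment or a pool-specific temp directory. Also note `listen.owner`/`listen.group` are set but no `listen.mode`, so the socket permissions rest on the php-fpm default (0660), which is fine but could be spelled out for readers. The `services.phpfpm.pools` attribute set starts inside this hunk but the enclosing module and the Apache `<Directory>` block begin outside it.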
inherit fqdn;
listenHost = "::";
pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
- pki.manual.server.cert = "${config.security.acme2.certs.task.directory}/fullchain.pem";
- pki.manual.server.crl = "${config.security.acme2.certs.task.directory}/invalid.crl";
- pki.manual.server.key = "${config.security.acme2.certs.task.directory}/key.pem";
+ pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem";
+ pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl";
+ pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem";
requestLimit = 104857600;
};
'';
};
+ systemd.slices.taskwarrior = {
+ description = "Taskwarrior slice";
+ };
+
systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
let
credentials = "${userConfig.org}/${name}/${userConfig.key}";
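Review bot: The new `systemd.slices.taskwarrior` carries only a `description`, so it groups the taskserver units for accounting but enforces nothing; if the slice is meant as a containment boundary for the per-user services (a plausible reading, given every unit below is moved into it), add a `sliceConfig` with at least `TasksMax` and `MemoryMax` so a misbehaving taskserver cannot exhaust the host, and document the intent, e.g. `# groups all taskserver units so resource limits apply to the whole deployment`. The acme rename in this hunk drops the `plugins` list; confirm the new `security.acme` module still produces `fullchain.pem` and `key.pem` at `certs.task.directory`, since `pki.manual.server.cert`/`.key` now depend on those filenames and nothing in the hunk pins them. The `security.acme.certs."task"` and `services.taskserver` definitions both begin outside this hunk.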
'';
serviceConfig = {
+ Slice = "taskwarrior.slice";
User = user;
PrivateTmp = true;
Restart = "always";
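Review bot: Adding `Slice = "taskwarrior.slice";` touches the `serviceConfig` of every per-user unit, which is the cheapest moment to add the usual hardening these services lack: `NoNewPrivileges = true; ProtectSystem = "strict"; ProtectHome = true;` alongside the existing `PrivateTmp`, with a `ReadWritePaths` entry for the state directory the unit actually writes (not visible here; the `credentials` path suggests per-user key material under `server_vardir`). If one of these units legitimately needs write access elsewhere, the failing path will surface immediately on the first start, so the addition is low risk. The `mapAttrs'` body that defines these units starts before this hunk and continues past it.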
chown :${group} "${server_vardir}/keys/ca.key"
chmod g+r "${server_vardir}/keys/ca.key"
'';
+ taskserver-ca.serviceConfig.Slice = "taskwarrior.slice";
+ taskserver-init.serviceConfig.Slice = "taskwarrior.slice";
+ taskserver.serviceConfig.Slice = "taskwarrior.slice";
};
};
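Review bot: `taskserver-ca` is moved into the slice, but the surrounding script (context lines, unchanged by this commit) runs `chown :${group}` and `chmod g+r` on `${server_vardir}/keys/ca.key`, so every member of `${group}` — including, as far as this hunk shows, the php-fpm pool that runs as that group — can read the CA private key and mint arbitrary client certificates for the taskserver; the slice does not change that, so either confine the key to the `taskserver` user or add a comment stating why group access to the CA key is required, e.g. `# ca.key is group-readable so per-user taskserver-* units (same group) can sign client certs`. The three one-line `serviceConfig.Slice` overrides here are fine, but a reader of the slice definition cannot tell which units belong to it; a short comment above `taskserver-ca.serviceConfig.Slice` naming the three units would help. The enclosing `systemd.services` attribute set starts outside this hunk.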