]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - modules/private/websites/tools/dav/davical.nix
Move websites/tools to modules
[perso/Immae/Config/Nix.git] / modules / private / websites / tools / dav / davical.nix
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix
new file mode 100644 (file)
index 0000000..98cebee
--- /dev/null
@@ -0,0 +1,139 @@
+{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
+rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical
+      '';
+  };
+  keys = [{
+    dest = "webapps/dav-davical";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
+
+      $c->readonly_webdav_collections = false;
+
+      $c->admin_email ='davical@tools.immae.eu';
+
+      $c->restrict_setup_to_admin = true;
+
+      $c->collections_always_exist = false;
+
+      $c->external_refresh = 60;
+
+      $c->enable_scheduling = true;
+
+      $c->iMIP = (object) array("send_email" => true);
+
+      $c->authenticate_hook['optional'] = false;
+      $c->authenticate_hook['call'] = 'LDAP_check';
+      $c->authenticate_hook['config'] = array(
+          'host' => 'ldap.immae.eu',
+          'port' => '389',
+          'startTLS' => 'yes',
+          'bindDN'=> 'cn=davical,ou=services,dc=immae,dc=eu',
+          'passDN'=> '${env.ldap.password}',
+          'protocolVersion' => '3',
+          'baseDNUsers'=> array('ou=users,dc=immae,dc=eu', 'ou=group_users,dc=immae,dc=eu'),
+          'filterUsers' => 'memberOf=cn=users,cn=davical,ou=services,dc=immae,dc=eu',
+          'baseDNGroups' => 'ou=groups,dc=immae,dc=eu',
+          'filterGroups' => 'memberOf=cn=groups,cn=davical,ou=services,dc=immae,dc=eu',
+          'mapping_field' => array(
+            "username" => "uid",
+            "fullname" => "cn",
+            "email"    => "mail",
+            "modified" => "modifyTimestamp",
+          ),
+          'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
+            /** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/
+      //    'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
+          'group_mapping_field' => array(
+            "username"    => "cn",
+            "updated"     => "modifyTimestamp",
+            "fullname"    => "givenName",
+            "displayname" => "givenName",
+            "members"     => "memberUid",
+            "email"       => "mail",
+          ),
+        );
+
+      $c->do_not_sync_from_ldap = array('admin' => true);
+      include('drivers_ldap.php');
+    '';
+  }];
+  webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
+  webRoot = "${webapp}/htdocs";
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_davical";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /davical "${root}"
+      Alias /caldav.php  "${root}/caldav.php"
+      <Directory "${root}">
+        DirectoryIndex index.php index.html
+        AcceptPathInfo On
+        AllowOverride None
+        Require all granted
+
+        <FilesMatch "\.php$">
+          CGIPassAuth on
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        RewriteEngine On
+        <IfModule mod_headers.c>
+                Header unset Access-Control-Allow-Origin
+                Header unset Access-Control-Allow-Methods
+                Header unset Access-Control-Allow-Headers
+                Header unset Access-Control-Allow-Credentials
+                Header unset Access-Control-Expose-Headers
+
+                Header always set Access-Control-Allow-Origin "*"
+                Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
+                Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
+                Header always set Access-Control-Allow-Credentials false
+                Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
+
+                RewriteCond %{HTTP:Access-Control-Request-Method} !^$
+                RewriteCond %{REQUEST_METHOD} OPTIONS
+                RewriteRule ^(.*)$ $1 [R=200,L]
+        </IfModule>
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
+    socket = "/var/run/phpfpm/davical.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = dynamic
+      pm.max_children = 60
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 10
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = DavicalPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical"
+      php_admin_value[include_path] = "${awl}/inc:${webapp}/inc"
+      php_admin_value[session.save_path] = "/var/lib/php/sessions/davical"
+      php_flag[magic_quotes_gpc] = Off
+      php_flag[register_globals] = Off
+      php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE"
+      php_admin_value[default_charset] = "utf-8"
+      php_flag[magic_quotes_runtime] = Off
+      '';
+  };
+}