-{ env, kanboard }:
+{ env, kanboard, config }:
rec {
- backups = {
- rootDir = varDir;
- };
varDir = "/var/lib/kanboard";
activationScript = {
deps = [ "wrappers" ];
text = ''
install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
- install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
install -TDm644 ${webRoot}/dataold/.htaccess ${varDir}/data/.htaccess
install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
'';
};
- keys = [{
- dest = "webapps/tools-kanboard";
+ keys."webapps/tools-kanboard" = {
user = apache.user;
group = apache.group;
permissions = "0400";
text = ''
- <?php
- define('MAIL_FROM', 'kanboard@tools.immae.eu');
+ SetEnv MAIL_FROM "kanboard@tools.immae.eu"
- define('DB_DRIVER', 'postgres');
- define('DB_USERNAME', '${env.postgresql.user}');
- define('DB_PASSWORD', '${env.postgresql.password}');
- define('DB_HOSTNAME', '${env.postgresql.socket}');
- define('DB_NAME', '${env.postgresql.database}');
+ SetEnv DB_DRIVER "postgres"
+ SetEnv DB_USERNAME "${env.postgresql.user}"
+ SetEnv DB_PASSWORD "${env.postgresql.password}"
+ SetEnv DB_HOSTNAME "${env.postgresql.socket}"
+ SetEnv DB_NAME "${env.postgresql.database}"
- define('DATA_DIR', '${varDir}');
- define('LDAP_AUTH', true);
- define('LDAP_SERVER', '${env.ldap.host}');
- define('LDAP_START_TLS', true);
+ SetEnv DATA_DIR "${varDir}"
+ SetEnv LDAP_AUTH "true"
+ SetEnv LDAP_SERVER "${env.ldap.host}"
+ SetEnv LDAP_START_TLS "true"
- define('LDAP_BIND_TYPE', 'proxy');
- define('LDAP_USERNAME', '${env.ldap.dn}');
- define('LDAP_PASSWORD', '${env.ldap.password}');
- define('LDAP_USER_BASE_DN', '${env.ldap.base}');
- define('LDAP_USER_FILTER', '${env.ldap.filter}');
- define('LDAP_GROUP_ADMIN_DN', '${env.ldap.admin_dn}');
- ?>
+ SetEnv LDAP_BIND_TYPE "proxy"
+ SetEnv LDAP_USERNAME "${env.ldap.dn}"
+ SetEnv LDAP_PASSWORD "${env.ldap.password}"
+ SetEnv LDAP_USER_BASE_DN "${env.ldap.base}"
+ SetEnv LDAP_USER_FILTER "${env.ldap.filter}"
+ SetEnv LDAP_GROUP_ADMIN_DN "${env.ldap.admin_dn}"
'';
- }];
- webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; };
+ };
+ webRoot = kanboard;
apache = rec {
user = "wwwrun";
group = "wwwrun";
modules = [ "proxy_fcgi" ];
- webappName = "tools_kanboard";
- root = "/run/current-system/webapps/${webappName}";
- vhostConf = ''
+ root = webRoot;
+ vhostConf = socket: ''
Alias /kanboard "${root}"
+ <Location /kanboard>
+ Include ${config.secrets.fullPaths."webapps/tools-kanboard"}
+ </Location>
<Directory "${root}">
DirectoryIndex index.php
AllowOverride All
Require all granted
<FilesMatch "\.php$">
- SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+ SetHandler "proxy:unix:${socket}|fcgi://localhost"
</FilesMatch>
</Directory>
<DirectoryMatch "${root}/data">
};
phpFpm = rec {
serviceDeps = [ "postgresql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
- socket = "/var/run/phpfpm/kanboard.sock";
- pool = ''
- listen = ${socket}
- user = ${apache.user}
- group = ${apache.group}
- listen.owner = ${apache.user}
- listen.group = ${apache.group}
- pm = ondemand
- pm.max_children = 60
- pm.process_idle_timeout = 60
+ basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
+ pool = {
+ "listen.owner" = apache.user;
+ "listen.group" = apache.group;
+ "pm" = "ondemand";
+ "pm.max_children" = "60";
+ "pm.process_idle_timeout" = "60";
- ; Needed to avoid clashes in browser cookies (same domain)
- php_value[session.name] = KanboardPHPSESSID
- php_admin_value[open_basedir] = "${basedir}:/tmp"
- php_admin_value[session.save_path] = "${varDir}/phpSessions"
- '';
+ # Needed to avoid clashes in browser cookies (same domain)
+ "php_value[session.name]" = "KanboardPHPSESSID";
+ "php_admin_value[open_basedir]" = "${basedir}:/tmp";
+ "php_admin_value[session.save_handler]" = "redis";
+ "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Kanboard:'";
+ };
};
}