]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - modules/private/websites/tools/tools/ldap.nix
projects / perso / Immae / Config / Nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Move websites/tools to modules
[perso/Immae/Config/Nix.git] / modules / private / websites / tools / tools / ldap.nix
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix
new file mode 100644 (file)
index 0000000..4585ee3
--- /dev/null
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -0,0 +1,74 @@
+{ lib, php, env, writeText, phpldapadmin }:
+rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin
+      '';
+  };
+  keys = [{
+    dest = "webapps/tools-ldap";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      $config->custom->appearance['show_clear_password'] = true;
+      $config->custom->appearance['hide_template_warning'] = true;
+      $config->custom->appearance['theme'] = "tango";
+      $config->custom->appearance['minimalMode'] = true;
+
+      $servers = new Datastore();
+
+      $servers->newServer('ldap_pla');
+      $servers->setValue('server','name','Immae&#x2019;s LDAP');
+      $servers->setValue('server','host','ldaps://${env.ldap.host}');
+      $servers->setValue('login','auth_type','cookie');
+      $servers->setValue('login','bind_id','${env.ldap.dn}');
+      $servers->setValue('login','bind_pass','${env.ldap.password}');
+      $servers->setValue('appearance','password_hash','ssha');
+      $servers->setValue('login','attr','uid');
+      $servers->setValue('login','fallback_dn',true);
+      '';
+  }];
+  webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_ldap";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /ldap "${root}"
+      <Directory "${root}">
+        DirectoryIndex index.php
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        AllowOverride None
+        Require all granted
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
+    socket = "/var/run/phpfpm/ldap.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = LdapPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"
+      php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin"
+      '';
+  };
+}
My infrastructure configuration