--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ cfg = config.services.myTasks;
+ vardir = config.services.taskserver.dataDir;
+ fqdn = "task.immae.eu";
+ user = config.services.taskserver.user;
+ env = myconfig.env.tools.task;
+ group = config.services.taskserver.group;
+in {
+ options.services.myTasks = {
+ enable = lib.mkEnableOption "my tasks service";
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.acme.certs."eldiron".extraDomains.${fqdn} = null;
+ services.myWebsites.tools.modules = [ "proxy_fcgi" ];
+ services.myWebsites.tools.vhostConfs.task = {
+ certName = "eldiron";
+ hosts = [ "task.immae.eu" ];
+ root = "/run/current-system/webapps/_task";
+ extraConfig = [ ''
+ <Directory /run/current-system/webapps/_task>
+ DirectoryIndex index.php
+ Use LDAPConnect
+ Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
+ <FilesMatch "\.php$">
+ SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
+ </FilesMatch>
+ SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
+ SetEnv TASKD_VARDIR "${vardir}"
+ SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
+ SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
+ SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+ SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
+ SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
+ </Directory>
+ '' ];
+ };
+ services.myPhpfpm.poolConfigs = {
+ tasks = ''
+ listen = /var/run/phpfpm/task.sock
+ user = ${user}
+ group = ${group}
+ listen.owner = wwwrun
+ listen.group = wwwrun
+ pm = dynamic
+ pm.max_children = 60
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 10
+
+ ; Needed to avoid clashes in browser cookies (same domain)
+ env[PATH] = "/etc/profiles/per-user/${user}/bin"
+ php_value[session.name] = TaskPHPSESSID
+ php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/"
+ '';
+ };
+
+ system.extraSystemBuilderCmds = ''
+ ln -s ${./www} $out/webapps/_task
+ '';
+
+ security.acme.certs."task" = config.services.myCertificates.certConfig // {
+ inherit user group;
+ plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+ domain = fqdn;
+ postRun = ''
+ systemctl restart taskserver.service
+ '';
+ };
+
+ users.users.${user}.packages = [
+ (pkgs.runCommand "taskserver-user-certs" {} ''
+ mkdir -p $out/bin
+ cat > $out/bin/taskserver-user-certs <<"EOF"
+ #!/usr/bin/env bash
+
+ user=$1
+
+ silent_certtool() {
+ if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+ echo "GNUTLS certtool invocation failed with output:" >&2
+ echo "$output" >&2
+ fi
+ }
+
+ silent_certtool -p \
+ --bits 4096 \
+ --outfile "${vardir}/userkeys/$user.key.pem"
+ ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${vardir}/userkeys/$user.key.pem"
+
+ silent_certtool -c \
+ --template "${pkgs.writeText "taskserver-ca.template" ''
+ tls_www_client
+ encryption_key
+ signing_key
+ expiration_days = 3650
+ ''}" \
+ --load-ca-certificate "${vardir}/keys/ca.cert" \
+ --load-ca-privkey "${vardir}/keys/ca.key" \
+ --load-privkey "${vardir}/userkeys/$user.key.pem" \
+ --outfile "${vardir}/userkeys/$user.cert.pem"
+ EOF
+ chmod a+x $out/bin/taskserver-user-certs
+ patchShebangs $out/bin/taskserver-user-certs
+ '')
+ ];
+
+ systemd.services.taskserver-ca.postStart = ''
+ chown :${group} "${vardir}/keys/ca.key"
+ chmod g+r "${vardir}/keys/ca.key"
+ '';
+
+ system.activationScripts.taskserver = {
+ deps = [ "users" ];
+ text = ''
+ install -m 0750 -o ${user} -g ${group} -d ${vardir}
+ install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
+ install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+ '';
+ };
+
+ services.taskserver = {
+ enable = true;
+ allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
+ inherit fqdn;
+ listenHost = "::";
+ requestLimit = 104857600;
+ };
+ };
+}