X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fprivate%2Fsystem%2Fquatresaisons%2Fdatabases.nix;fp=modules%2Fprivate%2Fsystem%2Fquatresaisons%2Fdatabases.nix;h=0000000000000000000000000000000000000000;hb=1a64deeb894dc95e2645a75771732c6cc53a79ad;hp=f7b27e0911bcf342c1f24b89321ddfabe054de61;hpb=fa25ffd4583cc362075cd5e1b4130f33306103f0;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix
deleted file mode 100644
index f7b27e0..0000000
--- a/modules/private/system/quatresaisons/databases.nix
+++ /dev/null
@@ -1,147 +0,0 @@
-{ pkgs, config, lib, ... }:
-{
- config = let
- serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
- phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
- in {
- services.postgresql.enable = true;
- services.postgresql.package = pkgs.postgresql_12;
- services.postgresql.ensureUsers = [
- { name = "naemon"; }
- ];
- secrets.keys = {
- "ldap/password" = {
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
- };
- "webapps/tools-ldap" = {
- user = "wwwrun";
- group = "wwwrun";
- permissions = "0400";
- text = ''
- custom->appearance['show_clear_password'] = true;
- $config->custom->appearance['hide_template_warning'] = true;
- $config->custom->appearance['theme'] = "tango";
- $config->custom->appearance['minimalMode'] = false;
- $config->custom->appearance['tree'] = 'AJAXTree';
-
- $servers = new Datastore();
-
- $servers->newServer('ldap_pla');
- $servers->setValue('server','name','LDAP');
- $servers->setValue('server','host','ldap://localhost');
- $servers->setValue('login','auth_type','cookie');
- $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
- $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
- $servers->setValue('appearance','pla_password_hash','ssha');
- $servers->setValue('login','attr','uid');
- $servers->setValue('login','fallback_dn',true);
- '';
- };
- };
-
- users.users.openldap.extraGroups = [ "keys" ];
- services.openldap = {
- enable = true;
- dataDir = "/var/lib/openldap";
- urlList = [ "ldap://localhost" ];
- logLevel = "none";
- extraConfig = ''
- pidfile /run/slapd/slapd.pid
- argsfile /run/slapd/slapd.args
-
- moduleload back_hdb
- backend hdb
- '';
-
- extraDatabaseConfig = ''
- moduleload memberof
- overlay memberof
-
- moduleload syncprov
- overlay syncprov
- syncprov-checkpoint 100 10
-
- index 
objectClass eq
- index uid pres,eq
- #index uidMember pres,eq
- index mail pres,sub,eq
- index cn pres,sub,eq
- index sn pres,sub,eq
- index dc eq
- index member eq
- index memberOf eq
-
- # No one must access that information except root
- access to attrs=description
- by * none
-
- access to attrs=entry,uid filter="(uid=*)"
- by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
- by * break
-
- access to dn.subtree="ou=users,dc=salle-s,dc=org"
- by dn.subtree="ou=services,dc=salle-s,dc=org" read
- by * break
-
- access to *
- by self read
- by anonymous auth
- by * break
- '';
- rootpwFile = config.secrets.fullPaths."ldap/password";
- suffix = "dc=salle-s,dc=org";
- rootdn = "cn=root,dc=salle-s,dc=org";
- database = "hdb";
- };
-
- services.websites.env.production.modules = [ "proxy_fcgi" ];
- services.websites.env.production.vhostConfs.tools.extraConfig = [
- ''
- Alias /ldap "${phpLdapAdmin}/htdocs"
-
- DirectoryIndex index.php
-
- SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
-
-
- AllowOverride None
- Require all granted
-
- ''
- ];
- services.phpfpm.pools.ldap = {
- user = "wwwrun";
- group = "wwwrun";
- settings =
- let
- basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
- in {
- "listen.owner" = "wwwrun";
- "listen.group" = "wwwrun";
- "pm" = "ondemand";
- "pm.max_children" = "60";
- "pm.process_idle_timeout" = "60";
-
- # Needed to avoid clashes in browser cookies (same domain)
- "php_value[session.name]" = "LdapPHPSESSID";
- "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
- "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
- };
- phpPackage = pkgs.php72;
- };
- system.activationScripts.ldap = {
- deps = [ "users" ];
- text = ''
- install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
- '';
- };
- systemd.services.phpfpm-ldap = {
- after = lib.mkAfter [ 
"openldap.service" ];
- wants = [ "openldap.service" ];
- };
- };
-}