X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Ftasks%2Fdefault.nix;h=42cc8d282588e4778bdcc76973146e3b27dfb1a2;hb=5400b9b6f65451d41a9106fae6fc00f97d83f4ef;hp=30f49ee933e11b6f49e458c87f69a5d5d53c135c;hpb=8d213e2b1c934f6861f76aad5eb7c11097fa97de;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index 30f49ee..42cc8d2 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -1,10 +1,10 @@
-{ lib, pkgs, config, myconfig,  ... }:
+{ lib, pkgs, config,  ... }:
 let
   cfg = config.myServices.tasks;
   server_vardir = config.services.taskserver.dataDir;
   fqdn = "task.immae.eu";
   user = config.services.taskserver.user;
-  env = myconfig.env.tools.task;
+  env = config.myEnv.tools.task;
   group = config.services.taskserver.group;
   taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
     mkdir -p $out/bin
@@ -86,6 +86,15 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    services.duplyBackup.profiles.tasks = {
+      rootDir = "/var/lib";
+      excludeFile = ''
+        + /var/lib/taskserver
+        + /var/lib/taskwarrior-web
+        - /var/lib
+        '';
+    };
+
     secrets.keys = [{
       dest = "webapps/tools-taskwarrior-web";
       user = "wwwrun";
@@ -98,11 +107,12 @@ in {
           SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
           SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
           SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
-          SetEnv TASKD_LDAP_FILTER   "${env.ldap.search}"
+          SetEnv TASKD_LDAP_FILTER   "${env.ldap.filter}"
         '';
     }];
-    services.websites.tools.modules = [ "proxy_fcgi" "sed" ];
-    services.websites.tools.vhostConfs.task = {
+    services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
+    services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
+    services.websites.env.tools.vhostConfs.task = {
       certName    = "eldiron";
       addToCerts  = true;
       hosts       = [ "task.immae.eu" ];
@@ -113,7 +123,7 @@ in {
           Use LDAPConnect
           Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
           <FilesMatch "\.php$">
-            SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
+            SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
           </FilesMatch>
           Include /var/secrets/webapps/tools-taskwarrior-web
         </Directory>
@@ -160,31 +170,34 @@ in {
         </Location>
         '') env.taskwarrior-web);
     };
-    services.phpfpm.poolConfigs = {
-      tasks = ''
-        listen = /var/run/phpfpm/task.sock
-        user = ${user}
-        group = ${group}
-        listen.owner = wwwrun
-        listen.group = wwwrun
-        pm = dynamic
-        pm.max_children = 60
-        pm.start_servers = 2
-        pm.min_spare_servers = 1
-        pm.max_spare_servers = 10
+    services.phpfpm.pools = {
+      tasks = {
+        user = user;
+        group = group;
+        settings = {
+          "listen.owner" = "wwwrun";
+          "listen.group" = "wwwrun";
+          "pm" = "dynamic";
+          "pm.max_children" = "60";
+          "pm.start_servers" = "2";
+          "pm.min_spare_servers" = "1";
+          "pm.max_spare_servers" = "10";
 
-        ; Needed to avoid clashes in browser cookies (same domain)
-        env[PATH] = "/etc/profiles/per-user/${user}/bin"
-        php_value[session.name] = TaskPHPSESSID
-        php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"
-      '';
+          # Needed to avoid clashes in browser cookies (same domain)
+          "php_value[session.name]" = "TaskPHPSESSID";
+          "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/";
+        };
+        phpEnv = {
+          PATH = "/etc/profiles/per-user/${user}/bin";
+        };
+      };
     };
 
     myServices.websites.webappDirs._task = ./www;
 
-    security.acme.certs."task" = config.services.myCertificates.certConfig // {
+    security.acme.certs."task" = config.myServices.certificates.certConfig // {
       inherit user group;
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
       domain = fqdn;
       postRun = ''
         systemctl restart taskserver.service
@@ -234,9 +247,9 @@ in {
       inherit fqdn;
       listenHost = "::";
       pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
-      pki.manual.server.cert = "${config.security.acme.directory}/task/fullchain.pem";
-      pki.manual.server.crl = "${config.security.acme.directory}/task/invalid.crl";
-      pki.manual.server.key = "${config.security.acme.directory}/task/key.pem";
+      pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem";
+      pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl";
+      pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem";
       requestLimit = 104857600;
     };