Use attrs for secrets instead of lists
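# NixOS module for the "quatresaisons" host: PostgreSQL, a local OpenLDAP
# directory, and phpLDAPadmin served through a dedicated php-fpm pool behind
# the "tools" vhost.  Secrets are declared via `secrets.keys` and their
# on-disk paths read back through `config.secrets.fullPaths`.
{ pkgs, config, lib, ... }:
{
  config = let
    # Per-host values (LDAP root password, phpLDAPadmin bind DN/password).
    serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
    # phpLDAPadmin built against the generated config.php (see secrets.keys below).
    phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
  in {
    services.postgresql.enable = true;
    services.postgresql.package = pkgs.postgresql_12;
    services.postgresql.ensureUsers = [
      { name = "naemon"; }
    ];

    secrets.keys = {
      # slapd `rootpw` directive, consumed via services.openldap.rootpwFile.
      # Readable only by the openldap user (0400).
      "ldap/password" = {
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
      };
      # phpLDAPadmin config.php.  It embeds the bind password of the
      # phpLDAPadmin service account, so it is restricted to the php-fpm pool
      # user (0400 wwwrun); anything running in that pool can read it.
      # NOTE(review): `show_clear_password = true` presumably makes the UI
      # display password attribute values in clear — confirm this is wanted.
      "webapps/tools-ldap" = {
        user = "wwwrun";
        group = "wwwrun";
        permissions = "0400";
        text = ''
          <?php
          $config->custom->appearance['show_clear_password'] = true;
          $config->custom->appearance['hide_template_warning'] = true;
          $config->custom->appearance['theme'] = "tango";
          $config->custom->appearance['minimalMode'] = false;
          $config->custom->appearance['tree'] = 'AJAXTree';

          $servers = new Datastore();

          $servers->newServer('ldap_pla');
          $servers->setValue('server','name','LDAP');
          $servers->setValue('server','host','ldap://localhost');
          $servers->setValue('login','auth_type','cookie');
          $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
          $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
          $servers->setValue('appearance','pla_password_hash','ssha');
          $servers->setValue('login','attr','uid');
          $servers->setValue('login','fallback_dn',true);
        '';
      };
    };

    # Presumably needed so the openldap user can reach the secrets directory
    # holding "ldap/password" — verify against the secrets module.
    users.users.openldap.extraGroups = [ "keys" ];
    services.openldap = {
      enable = true;
      dataDir = "/var/lib/openldap";
      # Listens on localhost only; phpLDAPadmin connects via ldap://localhost.
      urlList = [ "ldap://localhost" ];
      # NOTE(review): "none" leaves slapd essentially silent, so bind failures
      # and ACL denials produce no audit trail; consider "stats" if one is wanted.
      logLevel = "none";
      # NOTE(review): the hdb backend is deprecated upstream (removed in
      # OpenLDAP 2.5) — confirm the pinned package still ships back_hdb.
      extraConfig = ''
        pidfile /run/slapd/slapd.pid
        argsfile /run/slapd/slapd.args

        moduleload back_hdb
        backend hdb
      '';

      # Overlays, indexes and ACLs for the single database.  In slapd.conf a
      # line starting with whitespace continues the previous one, which is
      # why every `by` clause is indented under its `access to`.
      # ACL summary (rules are evaluated in order; `break` continues to the next):
      #   - `description` is hidden from everyone (rootdn bypasses ACLs);
      #   - the phpLDAPadmin DN may read entry/uid of entries having a uid;
      #   - service accounts under ou=services may read ou=users;
      #   - everything else: self read, anonymous may only bind (auth);
      #     the trailing `break` with no further rule falls through to slapd's
      #     implicit final rule, i.e. deny — TODO confirm this is intended.
      extraDatabaseConfig = ''
        moduleload memberof
        overlay memberof

        moduleload syncprov
        overlay syncprov
        syncprov-checkpoint 100 10

        index objectClass eq
        index uid pres,eq
        #index uidMember pres,eq
        index mail pres,sub,eq
        index cn pres,sub,eq
        index sn pres,sub,eq
        index dc eq
        index member eq
        index memberOf eq

        # No one must access that information except root
        access to attrs=description
          by * none

        access to attrs=entry,uid filter="(uid=*)"
          by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
          by * break

        access to dn.subtree="ou=users,dc=salle-s,dc=org"
          by dn.subtree="ou=services,dc=salle-s,dc=org" read
          by * break

        access to *
          by self read
          by anonymous auth
          by * break
      '';
      # Root password is read from the secret file, never written here.
      rootpwFile = config.secrets.fullPaths."ldap/password";
      suffix = "dc=salle-s,dc=org";
      rootdn = "cn=root,dc=salle-s,dc=org";
      database = "hdb";
    };

    # phpLDAPadmin under /ldap on the "tools" vhost; PHP is handed to the
    # pool socket below via proxy_fcgi.
    services.websites.env.production.modules = [ "proxy_fcgi" ];
    services.websites.env.production.vhostConfs.tools.extraConfig = [
      ''
        Alias /ldap "${phpLdapAdmin}/htdocs"
        <Directory "${phpLdapAdmin}/htdocs">
          DirectoryIndex index.php
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
          </FilesMatch>

          AllowOverride None
          Require all granted
        </Directory>
      ''
    ];
    services.phpfpm.pools.ldap = {
      user = "wwwrun";
      group = "wwwrun";
      settings =
        let
          # open_basedir entries: the app itself plus its generated config.php.
          basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
        in {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "ondemand";
          "pm.max_children" = "60";
          "pm.process_idle_timeout" = "60";

          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "LdapPHPSESSID";
          # Confine PHP file access to the app, its config, /tmp and the
          # pool-private session directory (php_admin_value: not overridable).
          "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
          "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
        };
      # NOTE(review): PHP 7.2 is end-of-life upstream; confirm the nixpkgs pin.
      phpPackage = pkgs.php72;
    };
    # Create the session directory owned by the pool user.  Mode 0700 (not
    # 0755): PHP session file names embed the session id, so a listable
    # directory would let any local account enumerate live session ids.
    # Only the php-fpm pool (wwwrun) needs to reach it.
    system.activationScripts.ldap = {
      deps = [ "users" ];
      text = ''
        install -m 0700 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
      '';
    };
    # Start the pool after slapd so the first requests can bind.
    systemd.services.phpfpm-ldap = {
      after = lib.mkAfter [ "openldap.service" ];
      wants = [ "openldap.service" ];
    };
  };
}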