[perso/Immae/Config/Nix.git] / modules / private / websites / tools / dav / davical.nix

{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
rec {
  activationScript = {
    deps = [ "httpd" ];
    text = ''
      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical
      '';
  };
  keys = [{
    dest = "webapps/dav-davical";
    user = apache.user;
    group = apache.group;
    permissions = "0400";
    text = ''
      <?php
      $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";

      $c->readonly_webdav_collections = false;

      $c->admin_email ='davical@tools.immae.eu';

      $c->restrict_setup_to_admin = true;

      $c->collections_always_exist = false;

      $c->external_refresh = 60;

      $c->enable_scheduling = true;

      $c->iMIP = (object) array("send_email" => true);

      $c->authenticate_hook['optional'] = false;
      $c->authenticate_hook['call'] = 'LDAP_check';
      $c->authenticate_hook['config'] = array(
          'host' => '${env.ldap.host}',
          'port' => '389',
          'startTLS' => 'yes',
          'bindDN'=> '${env.ldap.dn}',
          'passDN'=> '${env.ldap.password}',
          'protocolVersion' => '3',
          'baseDNUsers'=> array('ou=users,${env.ldap.base}', 'ou=group_users,${env.ldap.base}'),
          'filterUsers' => '${env.ldap.filter}',
          'baseDNGroups' => 'ou=groups,${env.ldap.base}',
          'filterGroups' => 'memberOf=cn=groups,${env.ldap.dn}',
          'mapping_field' => array(
            "username" => "uid",
            "fullname" => "cn",
            "email"    => "mail",
            "modified" => "modifyTimestamp",
          ),
          'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
            /** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/
      //    'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
          'group_mapping_field' => array(
            "username"    => "cn",
            "updated"     => "modifyTimestamp",
            "fullname"    => "givenName",
            "displayname" => "givenName",
            "members"     => "memberUid",
            "email"       => "mail",
          ),
        );

      $c->do_not_sync_from_ldap = array('admin' => true);
      include('drivers_ldap.php');
    '';
  }];
  webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
  webRoot = "${webapp}/htdocs";
  apache = rec {
    user = "wwwrun";
    group = "wwwrun";
    modules = [ "proxy_fcgi" ];
    webappName = "tools_davical";
    root = "/run/current-system/webapps/${webappName}";
    vhostConf = socket: ''
      Alias /davical "${root}"
      Alias /caldav.php  "${root}/caldav.php"
      <Directory "${root}">
        DirectoryIndex index.php index.html
        AcceptPathInfo On
        AllowOverride None
        Require all granted

        <FilesMatch "\.php$">
          CGIPassAuth on
          SetHandler "proxy:unix:${socket}|fcgi://localhost"
        </FilesMatch>

        RewriteEngine On
        <IfModule mod_headers.c>
                Header unset Access-Control-Allow-Origin
                Header unset Access-Control-Allow-Methods
                Header unset Access-Control-Allow-Headers
                Header unset Access-Control-Allow-Credentials
                Header unset Access-Control-Expose-Headers

                Header always set Access-Control-Allow-Origin "*"
                Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
                Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
                Header always set Access-Control-Allow-Credentials false
                Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"

                RewriteCond %{HTTP:Access-Control-Request-Method} !^$
                RewriteCond %{REQUEST_METHOD} OPTIONS
                RewriteRule ^(.*)$ $1 [R=200,L]
        </IfModule>
      </Directory>
      '';
  };
  phpFpm = rec {
    serviceDeps = [ "postgresql.service" "openldap.service" ];
    basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
    pool = {
      "listen.owner" = apache.user;
      "listen.group" = apache.group;
      "pm" = "dynamic";
      "pm.max_children" = "60";
      "pm.start_servers" = "2";
      "pm.min_spare_servers" = "1";
      "pm.max_spare_servers" = "10";

      # Needed to avoid clashes in browser cookies (same domain)
      "php_value[session.name]" = "DavicalPHPSESSID";
      "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/davical";
      "php_admin_value[include_path]" = "${awl}/inc:${webapp}/inc";
      "php_admin_value[session.save_path]" = "/var/lib/php/sessions/davical";
      "php_flag[magic_quotes_gpc]" = "Off";
      "php_flag[register_globals]" = "Off";
      "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE";
      "php_admin_value[default_charset]" = "utf-8";
      "php_flag[magic_quotes_runtime]" = "Off";
    };
  };
}
Commit	Line	Data
452c2314 IB	1	{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
452c2314 IB	2	rec {
4288c2f2 IB	3	activationScript = {
	4	deps = [ "httpd" ];
	5	text = ''
	6	install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical
	7	'';
	8	};
452c2314 IB	9	keys = [{
	10	dest = "webapps/dav-davical";
	11	user = apache.user;
	12	group = apache.group;
	13	permissions = "0400";
	14	text = ''
	15	<?php
	16	$c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
d9998b44	17
452c2314	18	$c->readonly_webdav_collections = false;
d9998b44	19
452c2314	20	$c->admin_email ='davical@tools.immae.eu';
d9998b44	21
452c2314	22	$c->restrict_setup_to_admin = true;
d9998b44	23
452c2314	24	$c->collections_always_exist = false;
d9998b44	25
452c2314	26	$c->external_refresh = 60;
d9998b44	27
452c2314	28	$c->enable_scheduling = true;
d9998b44	29
452c2314	30	$c->iMIP = (object) array("send_email" => true);
d9998b44	31
452c2314 IB	32	$c->authenticate_hook['optional'] = false;
	33	$c->authenticate_hook['call'] = 'LDAP_check';
	34	$c->authenticate_hook['config'] = array(
ab8f306d	35	'host' => '${env.ldap.host}',
452c2314 IB	36	'port' => '389',
452c2314 IB	37	'startTLS' => 'yes',
ab8f306d	38	'bindDN'=> '${env.ldap.dn}',
452c2314 IB	39	'passDN'=> '${env.ldap.password}',
452c2314 IB	40	'protocolVersion' => '3',
ab8f306d IB	41	'baseDNUsers'=> array('ou=users,${env.ldap.base}', 'ou=group_users,${env.ldap.base}'),
	42	'filterUsers' => '${env.ldap.filter}',
	43	'baseDNGroups' => 'ou=groups,${env.ldap.base}',
	44	'filterGroups' => 'memberOf=cn=groups,${env.ldap.dn}',
452c2314 IB	45	'mapping_field' => array(
	46	"username" => "uid",
	47	"fullname" => "cn",
	48	"email" => "mail",
	49	"modified" => "modifyTimestamp",
	50	),
	51	'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
	52	/ used to set default value for all users, will be overcharged by ldap if defined also in mapping_field /
	53	// 'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
	54	'group_mapping_field' => array(
	55	"username" => "cn",
	56	"updated" => "modifyTimestamp",
	57	"fullname" => "givenName",
	58	"displayname" => "givenName",
	59	"members" => "memberUid",
	60	"email" => "mail",
	61	),
	62	);
d9998b44	63
452c2314 IB	64	$c->do_not_sync_from_ldap = array('admin' => true);
	65	include('drivers_ldap.php');
	66	'';
	67	}];
f61d1c7c	68	webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
452c2314 IB	69	webRoot = "${webapp}/htdocs";
	70	apache = rec {
	71	user = "wwwrun";
	72	group = "wwwrun";
	73	modules = [ "proxy_fcgi" ];
	74	webappName = "tools_davical";
	75	root = "/run/current-system/webapps/${webappName}";
5400b9b6	76	vhostConf = socket: ''
452c2314 IB	77	Alias /davical "${root}"
	78	Alias /caldav.php "${root}/caldav.php"
	79	<Directory "${root}">
	80	DirectoryIndex index.php index.html
	81	AcceptPathInfo On
	82	AllowOverride None
	83	Require all granted
d9998b44	84
452c2314 IB	85	<FilesMatch "\.php$">
452c2314 IB	86	CGIPassAuth on
5400b9b6	87	SetHandler "proxy:unix:${socket}\|fcgi://localhost"
452c2314	88	</FilesMatch>
d9998b44	89
452c2314 IB	90	RewriteEngine On
	91	<IfModule mod_headers.c>
	92	Header unset Access-Control-Allow-Origin
	93	Header unset Access-Control-Allow-Methods
	94	Header unset Access-Control-Allow-Headers
	95	Header unset Access-Control-Allow-Credentials
	96	Header unset Access-Control-Expose-Headers
d9998b44	97
452c2314 IB	98	Header always set Access-Control-Allow-Origin "*"
	99	Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
	100	Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
	101	Header always set Access-Control-Allow-Credentials false
	102	Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
d9998b44	103
452c2314 IB	104	RewriteCond %{HTTP:Access-Control-Request-Method} !^$
	105	RewriteCond %{REQUEST_METHOD} OPTIONS
	106	RewriteRule ^(.*)$ $1 [R=200,L]
	107	</IfModule>
	108	</Directory>
	109	'';
	110	};
	111	phpFpm = rec {
	112	serviceDeps = [ "postgresql.service" "openldap.service" ];
	113	basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
5400b9b6 IB	114	pool = {
	115	"listen.owner" = apache.user;
	116	"listen.group" = apache.group;
	117	"pm" = "dynamic";
	118	"pm.max_children" = "60";
	119	"pm.start_servers" = "2";
	120	"pm.min_spare_servers" = "1";
	121	"pm.max_spare_servers" = "10";
d9998b44	122
5400b9b6 IB	123	# Needed to avoid clashes in browser cookies (same domain)
	124	"php_value[session.name]" = "DavicalPHPSESSID";
	125	"php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/davical";
	126	"php_admin_value[include_path]" = "${awl}/inc:${webapp}/inc";
	127	"php_admin_value[session.save_path]" = "/var/lib/php/sessions/davical";
	128	"php_flag[magic_quotes_gpc]" = "Off";
	129	"php_flag[register_globals]" = "Off";
	130	"php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE";
	131	"php_admin_value[default_charset]" = "utf-8";
	132	"php_flag[magic_quotes_runtime]" = "Off";
	133	};
d9998b44	134	};
452c2314	135	}