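# NixOS module: taskserver (taskd) plus an LDAP-protected PHP web front-end,
# ACME certificates for the task host, and a helper for minting per-user
# client certificates against the taskserver CA.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  cfg = config.services.myTasks;
  vardir = config.services.taskserver.dataDir;
  fqdn = "task.immae.eu";
  user = config.services.taskserver.user;
  env = myconfig.env.tools.task;
  group = config.services.taskserver.group;
in {
  options.services.myTasks = {
    enable = lib.mkEnableOption "my tasks service";
  };

  config = lib.mkIf cfg.enable {
    security.acme.certs."eldiron".extraDomains.${fqdn} = null;
    services.myWebsites.tools.modules = [ "proxy_fcgi" ];

    # Apache vhost for the web UI: PHP is handed to a dedicated php-fpm pool
    # and access is restricted to members of the taskwarrior LDAP group.
    # NOTE(review): env.ldap.password is interpolated into this config string,
    # so it is written into the Nix store (readable by every local user);
    # if that matters on this host, load it at runtime from a root-only file.
    services.myWebsites.tools.vhostConfs.task = {
      certName = "eldiron";
      hosts = [ "task.immae.eu" ];
      root = "/run/current-system/webapps/_task";
      extraConfig = [ ''
        <Directory /run/current-system/webapps/_task>
          DirectoryIndex index.php
          Use LDAPConnect
          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
          </FilesMatch>
          SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
          SetEnv TASKD_VARDIR "${vardir}"
          SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
          SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
          SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
          SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
        </Directory>
      '' ];
    };

    # php-fpm pool running as the taskserver user so the PHP code can read
    # the taskd data directory; open_basedir pins it to the app, /tmp and
    # that directory.
    services.myPhpfpm.poolConfigs = {
      tasks = ''
        listen = /var/run/phpfpm/task.sock
        user = ${user}
        group = ${group}
        listen.owner = wwwrun
        listen.group = wwwrun
        pm = dynamic
        pm.max_children = 60
        pm.start_servers = 2
        pm.min_spare_servers = 1
        pm.max_spare_servers = 10

        ; Needed to avoid clashes in browser cookies (same domain)
        env[PATH] = "/etc/profiles/per-user/${user}/bin"
        php_value[session.name] = TaskPHPSESSID
        php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/"
      '';
    };

    system.extraSystemBuilderCmds = ''
      ln -s ${./www} $out/webapps/_task
    '';

    # Separate ACME certificate for the taskd TLS endpoint; taskserver is
    # restarted after renewal so it picks up the new files.
    security.acme.certs."task" = config.services.myCertificates.certConfig // {
      inherit user group;
      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
      domain = fqdn;
      postRun = ''
        systemctl restart taskserver.service
      '';
    };

    # Helper installed for the taskserver user: generates a client key and a
    # client certificate signed by the taskserver CA for the given user name.
    users.users.${user}.packages = [
      (pkgs.runCommand "taskserver-user-certs" {} ''
        mkdir -p $out/bin
        cat > $out/bin/taskserver-user-certs <<"EOF"
        #!/usr/bin/env bash

        user=$1

        # The user name becomes part of a path under ${vardir}/userkeys;
        # accept only a plain account name so it cannot escape that directory.
        if ! [[ "$user" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
          echo "usage: taskserver-user-certs USERNAME" >&2
          exit 1
        fi

        # Private keys are written here; keep them readable by this user only.
        umask 077

        # Runs certtool with its output captured; on failure the output is
        # shown and a non-zero status is returned so callers can stop.
        silent_certtool() {
          if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
            echo "GNUTLS certtool invocation failed with output:" >&2
            echo "$output" >&2
            return 1
          fi
        }

        silent_certtool -p \
          --bits 4096 \
          --outfile "${vardir}/userkeys/$user.key.pem" || exit 1
        # certtool prefixes the key with a human-readable dump; keep only the PEM block.
        ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${vardir}/userkeys/$user.key.pem"

        silent_certtool -c \
          --template "${pkgs.writeText "taskserver-ca.template" ''
            tls_www_client
            encryption_key
            signing_key
            expiration_days = 3650
          ''}" \
          --load-ca-certificate "${vardir}/keys/ca.cert" \
          --load-ca-privkey "${vardir}/keys/ca.key" \
          --load-privkey "${vardir}/userkeys/$user.key.pem" \
          --outfile "${vardir}/userkeys/$user.cert.pem" || exit 1
        EOF
        chmod a+x $out/bin/taskserver-user-certs
        patchShebangs $out/bin/taskserver-user-certs
      '')
    ];

    # The helper above signs with the CA key, so the key is made readable by
    # the taskserver group. Every member of that group can therefore issue
    # client certificates accepted by taskd; keep group membership minimal.
    systemd.services.taskserver-ca.postStart = ''
      chown :${group} "${vardir}/keys/ca.key"
      chmod g+r "${vardir}/keys/ca.key"
    '';

    system.activationScripts.taskserver = {
      deps = [ "users" ];
      text = ''
        install -m 0750 -o ${user} -g ${group} -d ${vardir}
        install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
        install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
      '';
    };

    services.taskserver = {
      enable = true;
      allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
      inherit fqdn;
      listenHost = "::";
      requestLimit = 104857600;
    };
  };
}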