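# NixOS module for a Taskwarrior sync server (taskserver) behind an
# LDAP-protected PHP front-end, plus a helper that issues per-user client
# certificates signed by the taskserver CA.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  cfg = config.services.myTasks;
  # taskserver state directory; holds keys/ (CA) and userkeys/ (clients).
  vardir = config.services.taskserver.dataDir;
  # Single source of truth for the public hostname (ACME, vhost, TASKD_HOST).
  fqdn = "task.immae.eu";
  # Front-end, helper and certificate all run under the taskserver account.
  user = config.services.taskserver.user;
  group = config.services.taskserver.group;
  # LDAP parameters for the front-end (host, bind dn/password, base, filter).
  env = myconfig.env.tools.task;
in {
  options.services.myTasks = {
    enable = lib.mkEnableOption "my tasks service";
  };

  config = lib.mkIf cfg.enable {
    security.acme.certs."eldiron".extraDomains.${fqdn} = null;
    services.myWebsites.tools.modules = [ "proxy_fcgi" ];
    services.myWebsites.tools.vhostConfs.task = {
      certName = "eldiron";
      # Reuse fqdn so the vhost cannot drift from the ACME domain above.
      hosts = [ fqdn ];
      root = "/run/current-system/webapps/_task";
      # NOTE(review): the LDAP bind password below is interpolated into the
      # vhost configuration at evaluation time; if services.myWebsites writes
      # that configuration to the Nix store it is world-readable on the host.
      # Verify how extraConfig is materialised, or read the secret from a
      # file at runtime instead.
      extraConfig = [ ''
        <Directory /run/current-system/webapps/_task>
          DirectoryIndex index.php
          Use LDAPConnect
          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
          </FilesMatch>
          SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
          SetEnv TASKD_VARDIR "${vardir}"
          SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
          SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
          SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
          SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
        </Directory>
      '' ];
    };
    # PHP-FPM pool for the front-end. It runs as the taskserver user so it can
    # reach ${vardir}; open_basedir confines PHP to the webapp, /tmp, the
    # taskserver state and the user's profile binaries.
    services.myPhpfpm.poolConfigs = {
      tasks = ''
        listen = /var/run/phpfpm/task.sock
        user = ${user}
        group = ${group}
        listen.owner = wwwrun
        listen.group = wwwrun
        pm = dynamic
        pm.max_children = 60
        pm.start_servers = 2
        pm.min_spare_servers = 1
        pm.max_spare_servers = 10

        ; Expose the user's per-user profile (where taskserver-user-certs is installed) to PHP
        env[PATH] = "/etc/profiles/per-user/${user}/bin"
        ; Needed to avoid clashes in browser cookies (same domain)
        php_value[session.name] = TaskPHPSESSID
        php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/"
      '';
    };

    # Expose the bundled PHP sources at a stable path used by the vhost root.
    system.extraSystemBuilderCmds = ''
      ln -s ${./www} $out/webapps/_task
    '';

    # Server certificate for the taskserver itself (distinct from the web
    # vhost certificate). taskserver reads the files directly, hence the
    # ownership and the restart after renewal.
    security.acme.certs."task" = config.services.myCertificates.certConfig // {
      inherit user group;
      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
      domain = fqdn;
      postRun = ''
        systemctl restart taskserver.service
      '';
    };

    users.users.${user}.packages = [
      # Helper installed in the taskserver user's profile: generates a client
      # key and a CA-signed client certificate for one taskserver user under
      # ${vardir}/userkeys. Any certtool failure now aborts the script instead
      # of leaving a half-written or empty key behind.
      (pkgs.runCommand "taskserver-user-certs" {} ''
        mkdir -p $out/bin
        cat > $out/bin/taskserver-user-certs <<"EOF"
        #!/usr/bin/env bash
        # Usage: taskserver-user-certs <user>
        # Writes ${vardir}/userkeys/<user>.key.pem and <user>.cert.pem.
        set -eu

        if [ "$#" -ne 1 ] || [ -z "$1" ]; then
          echo "usage: taskserver-user-certs <user>" >&2
          exit 1
        fi
        user=$1
        # The name becomes a path component; refuse separators and hidden
        # names so a bad argument cannot write outside ${vardir}/userkeys.
        case "$user" in
          */*|.*)
            echo "invalid user name: $user" >&2
            exit 1
            ;;
        esac

        keyfile="${vardir}/userkeys/$user.key.pem"
        certfile="${vardir}/userkeys/$user.cert.pem"

        # Run certtool quietly, show its output only on failure, and report
        # the failure to the caller (set -e then stops the script).
        silent_certtool() {
          if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
            echo "GNUTLS certtool invocation failed with output:" >&2
            echo "$output" >&2
            return 1
          fi
        }

        # Create the private key with a restrictive umask so it is never
        # group/world-readable inside the shared userkeys directory.
        # NOTE(review): relax this if another account must read the key.
        (umask 077 && silent_certtool -p \
          --bits 4096 \
          --outfile "$keyfile")
        # certtool prefixes the PEM with a human-readable dump; keep only the
        # PEM block. If certtool emits a different PEM header the result would
        # be empty, so check for that explicitly.
        ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "$keyfile"
        if [ ! -s "$keyfile" ]; then
          echo "no RSA PRIVATE KEY block found in certtool output for $user" >&2
          exit 1
        fi

        # Sign a client certificate (TLS client usage, 10 years) with the CA.
        silent_certtool -c \
          --template "${pkgs.writeText "taskserver-ca.template" ''
            tls_www_client
            encryption_key
            signing_key
            expiration_days = 3650
          ''}" \
          --load-ca-certificate "${vardir}/keys/ca.cert" \
          --load-ca-privkey "${vardir}/keys/ca.key" \
          --load-privkey "$keyfile" \
          --outfile "$certfile"
        EOF
        chmod a+x $out/bin/taskserver-user-certs
        patchShebangs $out/bin/taskserver-user-certs
      '')
    ];

    # After the CA is created, let the group read the CA private key —
    # presumably so that group members can sign client certificates with the
    # helper above; verify against who actually runs taskserver-user-certs.
    systemd.services.taskserver-ca.postStart = ''
      chown :${group} "${vardir}/keys/ca.key"
      chmod g+r "${vardir}/keys/ca.key"
    '';

    # State directories: owner has full access, group may traverse/read,
    # nothing for others. Runs after the user/group exist.
    system.activationScripts.taskserver = {
      deps = [ "users" ];
      text = ''
        install -m 0750 -o ${user} -g ${group} -d ${vardir}
        install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
        install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
      '';
    };

    services.taskserver = {
      enable = true;
      # Regexes matched against the client identification string.
      allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
      inherit fqdn;
      listenHost = "::";
      # 100 MiB (100 * 1024 * 1024) per request.
      requestLimit = 104857600;
    };
  };
}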