1 { pkgs, config, lib, ... }:
4 serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
5 phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
services.postgresql.enable = true;
# NOTE(review): hard pin to a specific major — confirm postgresql_12 still receives
# upstream security fixes before keeping this pin.
services.postgresql.package = pkgs.postgresql_12;
9 services.postgresql.ensureUsers = [
# slapd `rootpw` directive with the root DN's cleartext password interpolated from the
# per-host config (presumably the "ldap/password" secret referenced by rootpwFile).
# NOTE(review): confirm the secrets module writes this to a root-only runtime path and
# that the interpolated value never ends up in /nix/store.
text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
19 "webapps/tools-ldap" = {
// phpLDAPadmin appearance settings.
// show_clear_password: presumably renders userPassword values unmasked in the UI to any
// logged-in user allowed to read them — TODO confirm that is intended for all operators.
$config->custom->appearance['show_clear_password'] = true;
// Presumably suppresses the warning shown when no template matches an entry.
$config->custom->appearance['hide_template_warning'] = true;
$config->custom->appearance['theme'] = "tango";
// Full UI rather than the reduced "minimal" mode.
$config->custom->appearance['minimalMode'] = false;
$config->custom->appearance['tree'] = 'AJAXTree';
// The single LDAP server phpLDAPadmin manages.
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','LDAP');
// Plain ldap:// to the local slapd (matches its loopback-only urlList): credentials cross
// the loopback unencrypted — do not point this at a remote host without TLS.
$servers->setValue('server','host','ldap://localhost');
// Operators log in with their own LDAP credentials; the session is cookie-backed.
$servers->setValue('login','auth_type','cookie');
// Service account presumably used only to resolve the entered uid to a DN before binding
// as the user; the slapd ACL grants this DN read on entry/uid for (uid=*).
$servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
// NOTE(review): this password is interpolated into the generated config.php — confirm the
// secrets module keeps that file out of /nix/store and readable only by the pool user.
$servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
// Passwords set through the UI are stored as salted SHA-1 (SSHA); consider whether the
// server supports a stronger scheme.
$servers->setValue('appearance','pla_password_hash','ssha');
// The login form takes a uid, resolved to a DN via the bind_id account above.
$servers->setValue('login','attr','uid');
// If no entry matches the uid, the login string is tried verbatim as a full DN.
$servers->setValue('login','fallback_dn',true);
# slapd runs as openldap; membership in "keys" is presumably what lets it read the
# secrets file referenced by rootpwFile — TODO confirm the group the secrets module uses.
users.users.openldap.extraGroups = [ "keys" ];
dataDir = "/var/lib/openldap";
# Loopback only: slapd is not reachable from other hosts, and there is no ldaps/StartTLS
# listener, so every local client (phpLDAPadmin, the ou=services accounts) binds in the clear.
urlList = [ "ldap://localhost" ];
53 pidfile /run/slapd/slapd.pid
54 argsfile /run/slapd/slapd.args
60 extraDatabaseConfig = ''
66 syncprov-checkpoint 100 10
70 #index uidMember pres,eq
71 index mail pres,sub,eq
# The description attribute must not be readable by anyone except root
79 access to attrs=description
82 access to attrs=entry,uid filter="(uid=*)"
83 by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
86 access to dn.subtree="ou=users,dc=salle-s,dc=org"
87 by dn.subtree="ou=services,dc=salle-s,dc=org" read
# Root DN password is read from the secrets path at runtime rather than written here.
rootpwFile = config.secrets.fullPaths."ldap/password";
suffix = "dc=salle-s,dc=org";
# The rootdn bypasses every `access to` directive, so its password file must stay root-only.
rootdn = "cn=root,dc=salle-s,dc=org";
# mod_proxy_fcgi is required by the `SetHandler "proxy:unix:..."` line in the vhost config below.
services.websites.env.production.modules = [ "proxy_fcgi" ];
102 services.websites.env.production.vhostConfs.tools.extraConfig = [
104 Alias /ldap "${phpLdapAdmin}/htdocs"
105 <Directory "${phpLdapAdmin}/htdocs">
106 DirectoryIndex index.php
107 <FilesMatch "\.php$">
108 SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
116 services.phpfpm.pools.ldap = {
121 basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
# Socket ownership matches the Apache user that proxies to it.
# NOTE(review): listen.mode is left at the FPM default — confirm it is not wider than 0660.
"listen.owner" = "wwwrun";
"listen.group" = "wwwrun";
"pm.max_children" = "60";
# Only takes effect when pm = ondemand; the pm setting is outside this excerpt — confirm.
"pm.process_idle_timeout" = "60";
# Distinct cookie name: other PHP apps served from the same domain would otherwise share
# the default PHPSESSID cookie and clobber each other's sessions.
"php_value[session.name]" = "LdapPHPSESSID";
# Confine PHP file access to the app, its secret config, /tmp and this pool's session dir.
# NOTE(review): /tmp is shared with every other process on the host — confirm it is needed.
"php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
# Dedicated session store so this pool never shares a directory with other pools.
"php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
# NOTE(review): php72 is a pinned, old PHP major — confirm it still receives security fixes,
# or that phpLdapAdmin genuinely cannot run on a newer pkgs.php.
phpPackage = pkgs.php72;
136 system.activationScripts.ldap = {
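# Session store for this pool only. 0700 (not 0755): a world-listable directory lets any
# local user read the sess_<id> file names, i.e. enumerate live session IDs. The owner is
# unchanged, so the FPM workers that already wrote here keep working.
install -m 0700 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin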
142 systemd.services.phpfpm-ldap = {
# Order the pool after slapd so the first requests do not fail to bind. `wants` (rather
# than `requires`) means the pool still starts if openldap fails and is not stopped with it.
after = lib.mkAfter [ "openldap.service" ];
wants = [ "openldap.service" ];