]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/tasks/default.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Upgrade nixos
[perso/Immae/Config/Nix.git] / modules / private / tasks / default.nix
1 { lib, pkgs, config, ... }:
2 let
3 cfg = config.myServices.tasks;
4 server_vardir = config.services.taskserver.dataDir;
5 fqdn = "task.immae.eu";
6 user = config.services.taskserver.user;
7 env = config.myEnv.tools.task;
8 group = config.services.taskserver.group;
9 taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
10 mkdir -p $out/bin
11 cat > $out/bin/taskserver-user-certs <<"EOF"
12 #!/usr/bin/env bash
13
14 user=$1
15
16 silent_certtool() {
17 if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
18 echo "GNUTLS certtool invocation failed with output:" >&2
19 echo "$output" >&2
20 fi
21 }
22
23 silent_certtool -p \
24 --bits 4096 \
25 --outfile "${server_vardir}/userkeys/$user.key.pem"
26 ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem"
27
28 silent_certtool -c \
29 --template "${pkgs.writeText "taskserver-ca.template" ''
30 tls_www_client
31 encryption_key
32 signing_key
33 expiration_days = 3650
34 ''}" \
35 --load-ca-certificate "${server_vardir}/keys/ca.cert" \
36 --load-ca-privkey "${server_vardir}/keys/ca.key" \
37 --load-privkey "${server_vardir}/userkeys/$user.key.pem" \
38 --outfile "${server_vardir}/userkeys/$user.cert.pem"
39 EOF
40 chmod a+x $out/bin/taskserver-user-certs
41 patchShebangs $out/bin/taskserver-user-certs
42 '';
43 taskwarrior-web = pkgs.webapps.taskwarrior-web;
44 socketsDir = "/run/taskwarrior-web";
45 varDir = "/var/lib/taskwarrior-web";
46 taskwebPages = let
47 uidPages = lib.attrsets.zipAttrs (
48 lib.lists.flatten
49 (lib.attrsets.mapAttrsToList (k: c: map (v: { "${v}" = k; }) c.uid) env.taskwarrior-web)
50 );
51 pages = lib.attrsets.mapAttrs (uid: items:
52 if lib.lists.length items == 1 then
53 ''
54 <html>
55 <head>
56 <meta http-equiv="refresh" content="0; url=/taskweb/${lib.lists.head items}/" />
57 </head>
58 <body></body>
59 </html>
60 ''
61 else
62 ''
63 <html>
64 <head>
65 <title>To-do list disponibles</title>
66 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
67 <meta name="viewport" content="width=device-width, initial-scale=1" />
68 </head>
69 <body>
70 <ul>
71 ${builtins.concatStringsSep "\n" (map (item: "<li><a href='/taskweb/${item}'>${item}</a></li>") items)}
72 </ul>
73 </body>
74 </html>
75 ''
76 ) uidPages;
77 in
78 pkgs.runCommand "taskwerver-pages" {} ''
79 mkdir -p $out/
80 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "cp ${pkgs.writeText k v} $out/${k}.html") pages)}
81 echo "Please login" > $out/index.html
82 '';
83 in {
84 options.myServices.tasks = {
85 enable = lib.mkEnableOption "my tasks service";
86 };
87
88 config = lib.mkIf cfg.enable {
89 services.duplyBackup.profiles.tasks = {
90 rootDir = "/var/lib";
91 excludeFile = ''
92 + /var/lib/taskserver
93 + /var/lib/taskwarrior-web
94 - /var/lib
95 '';
96 };
97
98 secrets.keys = [{
99 dest = "webapps/tools-taskwarrior-web";
100 user = "wwwrun";
101 group = "wwwrun";
102 permissions = "0400";
103 text = ''
104 SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
105 SetEnv TASKD_VARDIR "${server_vardir}"
106 SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
107 SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
108 SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
109 SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
110 SetEnv TASKD_LDAP_FILTER "${env.ldap.filter}"
111 '';
112 }];
113 services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
114 services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
115 services.websites.env.tools.vhostConfs.task = {
116 certName = "eldiron";
117 addToCerts = true;
118 hosts = [ "task.immae.eu" ];
119 root = "/run/current-system/webapps/_task";
120 extraConfig = [ ''
121 <Directory /run/current-system/webapps/_task>
122 DirectoryIndex index.php
123 Use LDAPConnect
124 Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
125 <FilesMatch "\.php$">
126 SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
127 </FilesMatch>
128 Include /var/secrets/webapps/tools-taskwarrior-web
129 </Directory>
130 ''
131 ''
132 <Macro Taskwarrior %{folderName}>
133 ProxyPass "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
134 ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
135 ProxyPassReverse http://${fqdn}/
136
137 SetOutputFilter Sed
138 OutputSed "s|/ajax|/taskweb/%{folderName}/ajax|g"
139 OutputSed "s|\([^x]\)/tasks|\1/taskweb/%{folderName}/tasks|g"
140 OutputSed "s|\([^x]\)/projects|\1/taskweb/%{folderName}/projects|g"
141 OutputSed "s|http://${fqdn}/|/taskweb/%{folderName}/|g"
142 OutputSed "s|/img/relax.jpg|/taskweb/%{folderName}/img/relax.jpg|g"
143 </Macro>
144 ''
145 ''
146 Alias /taskweb ${taskwebPages}
147 <Directory "${taskwebPages}">
148 DirectoryIndex index.html
149 Require all granted
150 </Directory>
151
152 RewriteEngine on
153 RewriteRule ^/taskweb$ /taskweb/ [R=301,L]
154 RedirectMatch permanent ^/taskweb/([^/]+)$ /taskweb/$1/
155
156 RewriteCond %{LA-U:REMOTE_USER} !=""
157 RewriteCond ${taskwebPages}/%{LA-U:REMOTE_USER}.html -f
158 RewriteRule ^/taskweb/?$ ${taskwebPages}/%{LA-U:REMOTE_USER}.html [L]
159
160 <Location /taskweb/>
161 Use LDAPConnect
162 Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
163 </Location>
164 ''
165 ] ++ (lib.attrsets.mapAttrsToList (k: v: ''
166 <Location /taskweb/${k}/>
167 ${builtins.concatStringsSep "\n" (map (uid: "Require ldap-attribute uid=${uid}") v.uid)}
168
169 Use Taskwarrior ${k}
170 </Location>
171 '') env.taskwarrior-web);
172 };
173 services.phpfpm.pools = {
174 tasks = {
175 user = user;
176 group = group;
177 settings = {
178 "listen.owner" = "wwwrun";
179 "listen.group" = "wwwrun";
180 "pm" = "dynamic";
181 "pm.max_children" = "60";
182 "pm.start_servers" = "2";
183 "pm.min_spare_servers" = "1";
184 "pm.max_spare_servers" = "10";
185
186 # Needed to avoid clashes in browser cookies (same domain)
187 "php_value[session.name]" = "TaskPHPSESSID";
188 "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/";
189 };
190 phpEnv = {
191 PATH = "/etc/profiles/per-user/${user}/bin";
192 };
193 };
194 };
195
196 myServices.websites.webappDirs._task = ./www;
197
198 security.acme.certs."task" = config.myServices.certificates.certConfig // {
199 inherit user group;
200 plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
201 domain = fqdn;
202 postRun = ''
203 systemctl restart taskserver.service
204 '';
205 };
206
207 users.users.${user}.packages = [ taskserver-user-certs ];
208
209 system.activationScripts.taskserver = {
210 deps = [ "users" ];
211 text = ''
212 install -m 0750 -o ${user} -g ${group} -d ${server_vardir}
213 install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys
214 install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys
215
216 if [ ! -e "${server_vardir}/keys/ca.key" ]; then
217 silent_certtool() {
218 if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
219 echo "GNUTLS certtool invocation failed with output:" >&2
220 echo "$output" >&2
221 fi
222 }
223
224 silent_certtool -p \
225 --bits 4096 \
226 --outfile "${server_vardir}/keys/ca.key"
227
228 silent_certtool -s \
229 --template "${pkgs.writeText "taskserver-ca.template" ''
230 cn = ${fqdn}
231 expiration_days = -1
232 cert_signing_key
233 ca
234 ''}" \
235 --load-privkey "${server_vardir}/keys/ca.key" \
236 --outfile "${server_vardir}/keys/ca.cert"
237
238 chown :${group} "${server_vardir}/keys/ca.key"
239 chmod g+r "${server_vardir}/keys/ca.key"
240 fi
241 '';
242 };
243
244 services.taskserver = {
245 enable = true;
246 allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
247 inherit fqdn;
248 listenHost = "::";
249 pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
250 pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem";
251 pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl";
252 pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem";
253 requestLimit = 104857600;
254 };
255
256 system.activationScripts.taskwarrior-web = {
257 deps = [ "users" ];
258 text = ''
259 if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
260 ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
261 chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
262 fi
263 '';
264 };
265
266 systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
267 let
268 credentials = "${userConfig.org}/${name}/${userConfig.key}";
269 dateFormat = userConfig.date;
270 taskrc = pkgs.writeText "taskrc" ''
271 data.location=${varDir}/${name}
272 taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
273 taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
274 # IdenTrust DST Root CA X3
275 # obtained here: https://letsencrypt.org/fr/certificates/
276 taskd.ca=${pkgs.writeText "ca.cert" ''
277 -----BEGIN CERTIFICATE-----
278 MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
279 MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
280 DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
281 PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
282 Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
283 AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
284 rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
285 OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
286 xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
287 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
288 aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
289 HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
290 SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
291 ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
292 AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
293 R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
294 JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
295 Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
296 -----END CERTIFICATE-----''}
297 taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
298 taskd.credentials=${credentials}
299 dateformat=${dateFormat}
300 '';
301 in lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
302 description = "Taskwarrior webapp for ${name}";
303 wantedBy = [ "multi-user.target" ];
304 after = [ "network.target" ];
305 path = [ pkgs.taskwarrior ];
306
307 environment.TASKRC = taskrc;
308 environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
309 environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
310 environment.LC_ALL = "fr_FR.UTF-8";
311
312 script = ''
313 exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
314 '';
315
316 serviceConfig = {
317 User = user;
318 PrivateTmp = true;
319 Restart = "always";
320 TimeoutSec = 60;
321 Type = "simple";
322 WorkingDirectory = taskwarrior-web;
323 StateDirectoryMode = 0750;
324 StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
325 (lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
326 RuntimeDirectoryPreserve = "yes";
327 RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
328 lib.strings.removePrefix "/run/" socketsDir;
329 };
330
331 unitConfig.RequiresMountsFor = varDir;
332 }) env.taskwarrior-web) // {
333 taskserver-ca.postStart = ''
334 chown :${group} "${server_vardir}/keys/ca.key"
335 chmod g+r "${server_vardir}/keys/ca.key"
336 '';
337 };
338
339 };
340 }
My infrastructure configuration