{ pkgs, config, lib, ... }: { config = let serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons; phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; }; in { services.postgresql.enable = true; services.postgresql.package = pkgs.postgresql_12; secrets.keys = [ { dest = "ldap/password"; permissions = "0400"; user = "openldap"; group = "openldap"; text = "rootpw ${serverSpecificConfig.ldap_root_pw}"; } { dest = "webapps/tools-ldap"; user = "wwwrun"; group = "wwwrun"; permissions = "0400"; text = '' custom->appearance['show_clear_password'] = true; $config->custom->appearance['hide_template_warning'] = true; $config->custom->appearance['theme'] = "tango"; $config->custom->appearance['minimalMode'] = false; $config->custom->appearance['tree'] = 'AJAXTree'; $servers = new Datastore(); $servers->newServer('ldap_pla'); $servers->setValue('server','name','LDAP'); $servers->setValue('server','host','ldap://localhost'); $servers->setValue('login','auth_type','cookie'); $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}'); $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}'); $servers->setValue('appearance','pla_password_hash','ssha'); $servers->setValue('login','attr','uid'); $servers->setValue('login','fallback_dn',true); ''; } ]; users.users.openldap.extraGroups = [ "keys" ]; services.openldap = { enable = true; dataDir = "/var/lib/openldap"; urlList = [ "ldap://localhost" ]; logLevel = "none"; extraConfig = '' pidfile /run/slapd/slapd.pid argsfile /run/slapd/slapd.args moduleload back_hdb backend hdb ''; extraDatabaseConfig = '' moduleload memberof overlay memberof moduleload syncprov overlay syncprov syncprov-checkpoint 100 10 index objectClass eq index uid pres,eq #index uidMember pres,eq index mail pres,sub,eq index cn pres,sub,eq index sn pres,sub,eq index dc eq index member eq index memberOf eq # No one must access that information except root access to attrs=description by * none access to attrs=entry,uid filter="(uid=*)" by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read by * break access to dn.subtree="ou=users,dc=salle-s,dc=org" by dn.subtree="ou=services,dc=salle-s,dc=org" read by * break access to * by self read by anonymous auth by * break ''; rootpwFile = "${config.secrets.location}/ldap/password"; suffix = "dc=salle-s,dc=org"; rootdn = "cn=root,dc=salle-s,dc=org"; database = "hdb"; }; services.websites.env.production.modules = [ "proxy_fcgi" ]; services.websites.env.production.vhostConfs.tools.extraConfig = [ '' Alias /ldap "${phpLdapAdmin}/htdocs" DirectoryIndex index.php SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost" AllowOverride None Require all granted '' ]; services.phpfpm.pools.ldap = { user = "wwwrun"; group = "wwwrun"; settings = let basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ]; in { "listen.owner" = "wwwrun"; "listen.group" = "wwwrun"; "pm" = "ondemand"; "pm.max_children" = "60"; "pm.process_idle_timeout" = "60"; # Needed to avoid clashes in browser cookies (same domain) "php_value[session.name]" = "LdapPHPSESSID"; "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"; "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin"; }; phpPackage = pkgs.php72; }; system.activationScripts.ldap = { deps = [ "users" ]; text = '' install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin ''; }; systemd.services.phpfpm-ldap = { after = lib.mkAfter [ "openldap.service" ]; wants = [ "openldap.service" ]; }; }; }