{ env }:
rec {
  keys = [{
    dest = "webapps/tools-dmarc-reports.php";
    user = "wwwrun";
    group = "wwwrun";
    permissions = "0400";
    text = ''
      <?php
      $dbhost = "${env.mysql.host}";
      $dbname = "${env.mysql.database}";
      $dbuser = "${env.mysql.user}";
      $dbpass = "${env.mysql.password}";
      $dbport = "${env.mysql.port}";
      $anonymous_key = "${env.anonymous_key}";
      ?>
    '';
  }];
  webRoot = ./dmarc_reports;
  apache = rec {
    user = "wwwrun";
    group = "wwwrun";
    modules = [ "proxy_fcgi" ];
    webappName = "tools_dmarc_reports";
    root = "/run/current-system/webapps/${webappName}";
    vhostConf = socket: ''
      Alias /dmarc-reports "${root}"
      <Directory "${root}">
        DirectoryIndex index.html
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${socket}|fcgi://localhost"
        </FilesMatch>

        AllowOverride None
        Options +FollowSymlinks

        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
        Use LDAPConnect
        Require all granted
        Require ldap-attribute uid=immae
      </Directory>
      '';
  };
  phpFpm = rec {
    basedir = builtins.concatStringsSep ":"
      [ webRoot "/var/secrets/webapps/tools-dmarc-reports.php" ];
    pool = {
      "listen.owner" = apache.user;
      "listen.group" = apache.group;
      "pm" = "ondemand";
      "pm.max_children" = "60";
      "pm.process_idle_timeout" = "60";

      # Needed to avoid clashes in browser cookies (same domain)
      "php_admin_value[open_basedir]" = "${basedir}:/tmp";
    };
    phpEnv = {
      SECRETS_FILE = "/var/secrets/webapps/tools-dmarc-reports.php";
    };
  };
}