{ lib, pkgs, config, myconfig, mylibs, ... }: let cfg = config.services.myTasks; vardir = config.services.taskserver.dataDir; fqdn = "task.immae.eu"; user = config.services.taskserver.user; env = myconfig.env.tools.task; group = config.services.taskserver.group; in { options.services.myTasks = { enable = lib.mkEnableOption "my tasks service"; }; config = lib.mkIf cfg.enable { security.acme.certs."eldiron".extraDomains.${fqdn} = null; services.myWebsites.tools.modules = [ "proxy_fcgi" ]; services.myWebsites.tools.vhostConfs.task = { certName = "eldiron"; hosts = [ "task.immae.eu" ]; root = "/run/current-system/webapps/_task"; extraConfig = [ '' DirectoryIndex index.php Use LDAPConnect Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost" SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}" SetEnv TASKD_VARDIR "${vardir}" SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}" SetEnv TASKD_LDAP_DN "${env.ldap.dn}" SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}" SetEnv TASKD_LDAP_BASE "${env.ldap.base}" SetEnv TASKD_LDAP_FILTER "${env.ldap.search}" '' ]; }; services.myPhpfpm.poolConfigs = { tasks = '' listen = /var/run/phpfpm/task.sock user = ${user} group = ${group} listen.owner = wwwrun listen.group = wwwrun pm = dynamic pm.max_children = 60 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 10 ; Needed to avoid clashes in browser cookies (same domain) env[PATH] = "/etc/profiles/per-user/${user}/bin" php_value[session.name] = TaskPHPSESSID php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/" ''; }; system.extraSystemBuilderCmds = '' ln -s ${./www} $out/webapps/_task ''; security.acme.certs."task" = config.services.myCertificates.certConfig // { inherit user group; plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ]; domain = fqdn; postRun = '' systemctl restart taskserver.service ''; }; users.users.${user}.packages = [ (pkgs.runCommand "taskserver-user-certs" {} '' mkdir -p $out/bin cat > $out/bin/taskserver-user-certs <<"EOF" #!/usr/bin/env bash user=$1 silent_certtool() { if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then echo "GNUTLS certtool invocation failed with output:" >&2 echo "$output" >&2 fi } silent_certtool -p \ --bits 4096 \ --outfile "${vardir}/userkeys/$user.key.pem" ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${vardir}/userkeys/$user.key.pem" silent_certtool -c \ --template "${pkgs.writeText "taskserver-ca.template" '' tls_www_client encryption_key signing_key expiration_days = 3650 ''}" \ --load-ca-certificate "${vardir}/keys/ca.cert" \ --load-ca-privkey "${vardir}/keys/ca.key" \ --load-privkey "${vardir}/userkeys/$user.key.pem" \ --outfile "${vardir}/userkeys/$user.cert.pem" EOF chmod a+x $out/bin/taskserver-user-certs patchShebangs $out/bin/taskserver-user-certs '') ]; systemd.services.taskserver-ca.postStart = '' chown :${group} "${vardir}/keys/ca.key" chmod g+r "${vardir}/keys/ca.key" ''; system.activationScripts.taskserver = { deps = [ "users" ]; text = '' install -m 0750 -o ${user} -g ${group} -d ${vardir} install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys ''; }; services.taskserver = { enable = true; allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ]; inherit fqdn; listenHost = "::"; requestLimit = 104857600; }; }; }