{ lib, php, env, writeText, stdenv, optipng, fetchurl }:
rec {
  config = writeText "config.php" ''
    <?php
    $config->custom->appearance['show_clear_password'] = true;
    $config->custom->appearance['hide_template_warning'] = true;
    $config->custom->appearance['theme'] = "tango";
    $config->custom->appearance['minimalMode'] = true;

    $servers = new Datastore();

    $servers->newServer('ldap_pla');
    $servers->setValue('server','name','Immae’s LDAP');
    $servers->setValue('server','host','ldaps://${env.ldap.host}');
    $servers->setValue('login','auth_type','cookie');
    $servers->setValue('login','bind_id','${env.ldap.dn}');
    $servers->setValue('login','bind_pass','${env.ldap.password}');
    $servers->setValue('appearance','password_hash','ssha');
    $servers->setValue('login','attr','uid');
    $servers->setValue('login','fallback_dn',true);
    '';
  webRoot = stdenv.mkDerivation rec {
    version = "1.2.3";
    name = "phpldapadmin-${version}";
    src = fetchurl {
      url = "https://downloads.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/${version}/${name}.tgz";
      sha256 = "0n7dhp2a7n1krmnik3pb969jynsmhghmxviivnckifkprv1zijmf";
    };
    patches = [
      ./ldap-php5_5.patch
      ./ldap-disable-mcrypt.patch
      ./ldap-php7_2.patch
      ./ldap-sort-in-templates.patch
      ./ldap-align-button.patch
      ];
    buildInputs = [ optipng ];
    buildPhase = ''
      find -name '*.png' -exec optipng -quiet -force -fix {} \;
    '';
    installPhase = ''
      cp -a . $out
      ln -sf ${config} $out/config/config.php
    '';
  };
  apache = {
    user = "wwwrun";
    group = "wwwrun";
    modules = [ "proxy_fcgi" ];
    vhostConf = ''
      Alias /ldap "${webRoot}/htdocs"
      <Directory "${webRoot}/htdocs">
        DirectoryIndex index.php
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
        </FilesMatch>

        AllowOverride None
        Require all granted
      </Directory>
      '';
  };
  phpFpm = rec {
    basedir = builtins.concatStringsSep ":" [ webRoot config ];
    socket = "/var/run/phpfpm/ldap.sock";
    pool = ''
      listen = ${socket}
      user = ${apache.user}
      group = ${apache.group}
      listen.owner = ${apache.user}
      listen.group = ${apache.group}
      pm = ondemand
      pm.max_children = 60
      pm.process_idle_timeout = 60

      ; Needed to avoid clashes in browser cookies (same domain)
      php_value[session.name] = LdapPHPSESSID
      php_admin_value[open_basedir] = "${basedir}:/tmp"
      '';
  };
}