Squash changes containing private information
diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix
deleted file mode 100644 (file)
index f7b27e0..0000000
+++ /dev/null
@@ -1,147 +0,0 @@
-{ pkgs, config, lib, ... }:
-{
-  config = let
-    serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
-    phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
-  in {
-    services.postgresql.enable = true;
-    services.postgresql.package = pkgs.postgresql_12;
-    services.postgresql.ensureUsers = [
-      { name = "naemon"; }
-    ];
-    secrets.keys = {
-      "ldap/password" = {
-        permissions = "0400";
-        user = "openldap";
-        group = "openldap";
-        text = "rootpw      ${serverSpecificConfig.ldap_root_pw}";
-      };
-      "webapps/tools-ldap" = {
-        user = "wwwrun";
-        group = "wwwrun";
-        permissions = "0400";
-        text = ''
-          <?php
-          $config->custom->appearance['show_clear_password'] = true;
-          $config->custom->appearance['hide_template_warning'] = true;
-          $config->custom->appearance['theme'] = "tango";
-          $config->custom->appearance['minimalMode'] = false;
-          $config->custom->appearance['tree'] = 'AJAXTree';
-
-          $servers = new Datastore();
-
-          $servers->newServer('ldap_pla');
-          $servers->setValue('server','name','LDAP');
-          $servers->setValue('server','host','ldap://localhost');
-          $servers->setValue('login','auth_type','cookie');
-          $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
-          $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
-          $servers->setValue('appearance','pla_password_hash','ssha');
-          $servers->setValue('login','attr','uid');
-          $servers->setValue('login','fallback_dn',true);
-        '';
-      };
-    };
-
-    users.users.openldap.extraGroups = [ "keys" ];
-    services.openldap = {
-      enable = true;
-      dataDir = "/var/lib/openldap";
-      urlList = [ "ldap://localhost" ];
-      logLevel = "none";
-      extraConfig = ''
-        pidfile     /run/slapd/slapd.pid
-        argsfile    /run/slapd/slapd.args
-
-        moduleload  back_hdb
-        backend     hdb
-      '';
-
-      extraDatabaseConfig = ''
-        moduleload  memberof
-        overlay     memberof
-
-        moduleload  syncprov
-        overlay     syncprov
-        syncprov-checkpoint 100 10
-
-        index   objectClass       eq
-        index   uid               pres,eq
-        #index   uidMember         pres,eq
-        index   mail              pres,sub,eq
-        index   cn                pres,sub,eq
-        index   sn                pres,sub,eq
-        index   dc                eq
-        index   member            eq
-        index   memberOf          eq
-
-        # No one must access that information except root
-        access to attrs=description
-          by * none
-
-        access to attrs=entry,uid filter="(uid=*)"
-          by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
-          by * break
-
-        access to dn.subtree="ou=users,dc=salle-s,dc=org"
-          by dn.subtree="ou=services,dc=salle-s,dc=org" read
-          by * break
-
-        access to *
-          by self read
-          by anonymous auth
-          by * break
-      '';
-      rootpwFile = config.secrets.fullPaths."ldap/password";
-      suffix = "dc=salle-s,dc=org";
-      rootdn = "cn=root,dc=salle-s,dc=org";
-      database = "hdb";
-    };
-
-    services.websites.env.production.modules = [ "proxy_fcgi" ];
-    services.websites.env.production.vhostConfs.tools.extraConfig = [
-      ''
-        Alias /ldap "${phpLdapAdmin}/htdocs"
-        <Directory "${phpLdapAdmin}/htdocs">
-          DirectoryIndex index.php
-          <FilesMatch "\.php$">
-            SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
-          </FilesMatch>
-
-          AllowOverride None
-          Require all granted
-        </Directory>
-      ''
-    ];
-    services.phpfpm.pools.ldap = {
-      user = "wwwrun";
-      group = "wwwrun";
-      settings =
-        let
-          basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
-        in {
-          "listen.owner" = "wwwrun";
-          "listen.group" = "wwwrun";
-          "pm" = "ondemand";
-          "pm.max_children" = "60";
-          "pm.process_idle_timeout" = "60";
-
-          # Needed to avoid clashes in browser cookies (same domain)
-          "php_value[session.name]" = "LdapPHPSESSID";
-          "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
-          "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
-        };
-      phpPackage = pkgs.php72;
-    };
-    system.activationScripts.ldap = {
-      deps = [ "users" ];
-      text = ''
-        install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
-        '';
-    };
-    systemd.services.phpfpm-ldap = {
-      after = lib.mkAfter [ "openldap.service" ];
-      wants = [ "openldap.service" ];
-    };
-  };
-}