+++ /dev/null
-{ pkgs, config, lib, ... }:
-{
- config = let
- serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
- phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
- in {
- services.postgresql.enable = true;
- services.postgresql.package = pkgs.postgresql_12;
- services.postgresql.ensureUsers = [
- { name = "naemon"; }
- ];
- secrets.keys = {
- "ldap/password" = {
- permissions = "0400";
- user = "openldap";
- group = "openldap";
- text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
- };
- "webapps/tools-ldap" = {
- user = "wwwrun";
- group = "wwwrun";
- permissions = "0400";
- text = ''
- <?php
- $config->custom->appearance['show_clear_password'] = true;
- $config->custom->appearance['hide_template_warning'] = true;
- $config->custom->appearance['theme'] = "tango";
- $config->custom->appearance['minimalMode'] = false;
- $config->custom->appearance['tree'] = 'AJAXTree';
-
- $servers = new Datastore();
-
- $servers->newServer('ldap_pla');
- $servers->setValue('server','name','LDAP');
- $servers->setValue('server','host','ldap://localhost');
- $servers->setValue('login','auth_type','cookie');
- $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
- $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
- $servers->setValue('appearance','pla_password_hash','ssha');
- $servers->setValue('login','attr','uid');
- $servers->setValue('login','fallback_dn',true);
- '';
- };
- };
-
- users.users.openldap.extraGroups = [ "keys" ];
- services.openldap = {
- enable = true;
- dataDir = "/var/lib/openldap";
- urlList = [ "ldap://localhost" ];
- logLevel = "none";
- extraConfig = ''
- pidfile /run/slapd/slapd.pid
- argsfile /run/slapd/slapd.args
-
- moduleload back_hdb
- backend hdb
- '';
-
- extraDatabaseConfig = ''
- moduleload memberof
- overlay memberof
-
- moduleload syncprov
- overlay syncprov
- syncprov-checkpoint 100 10
-
- index objectClass eq
- index uid pres,eq
- #index uidMember pres,eq
- index mail pres,sub,eq
- index cn pres,sub,eq
- index sn pres,sub,eq
- index dc eq
- index member eq
- index memberOf eq
-
- # No one must access that information except root
- access to attrs=description
- by * none
-
- access to attrs=entry,uid filter="(uid=*)"
- by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
- by * break
-
- access to dn.subtree="ou=users,dc=salle-s,dc=org"
- by dn.subtree="ou=services,dc=salle-s,dc=org" read
- by * break
-
- access to *
- by self read
- by anonymous auth
- by * break
- '';
- rootpwFile = config.secrets.fullPaths."ldap/password";
- suffix = "dc=salle-s,dc=org";
- rootdn = "cn=root,dc=salle-s,dc=org";
- database = "hdb";
- };
-
- services.websites.env.production.modules = [ "proxy_fcgi" ];
- services.websites.env.production.vhostConfs.tools.extraConfig = [
- ''
- Alias /ldap "${phpLdapAdmin}/htdocs"
- <Directory "${phpLdapAdmin}/htdocs">
- DirectoryIndex index.php
- <FilesMatch "\.php$">
- SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
- </FilesMatch>
-
- AllowOverride None
- Require all granted
- </Directory>
- ''
- ];
- services.phpfpm.pools.ldap = {
- user = "wwwrun";
- group = "wwwrun";
- settings =
- let
- basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
- in {
- "listen.owner" = "wwwrun";
- "listen.group" = "wwwrun";
- "pm" = "ondemand";
- "pm.max_children" = "60";
- "pm.process_idle_timeout" = "60";
-
- # Needed to avoid clashes in browser cookies (same domain)
- "php_value[session.name]" = "LdapPHPSESSID";
- "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
- "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
- };
- phpPackage = pkgs.php72;
- };
- system.activationScripts.ldap = {
- deps = [ "users" ];
- text = ''
- install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
- '';
- };
- systemd.services.phpfpm-ldap = {
- after = lib.mkAfter [ "openldap.service" ];
- wants = [ "openldap.service" ];
- };
- };
-}