Use attrs for secrets instead of lists
index b2191c0e025a393555711a240d9b093064102bab..ac2aa2184074baf8f76f60e52820da7076241c9b 100644 (file)
@@ -1,10 +1,10 @@
-{ lib, pkgs, config, myconfig,  ... }:
+{ lib, pkgs, config,  ... }:
 let
   cfg = config.myServices.tasks;
   server_vardir = config.services.taskserver.dataDir;
   fqdn = "task.immae.eu";
   user = config.services.taskserver.user;
-  env = myconfig.env.tools.task;
+  env = config.myEnv.tools.task;
   group = config.services.taskserver.group;
   taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
     mkdir -p $out/bin
@@ -86,7 +86,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    services.backup.profiles.tasks = {
+    services.duplyBackup.profiles.tasks = {
       rootDir = "/var/lib";
       excludeFile = ''
         + /var/lib/taskserver
@@ -95,22 +95,71 @@ in {
         '';
     };
 
-    secrets.keys = [{
-      dest = "webapps/tools-taskwarrior-web";
-      user = "wwwrun";
-      group = "wwwrun";
+    secrets.keys = {
+      "webapps/tools-taskwarrior-web" = {
+        user = "wwwrun";
+        group = "wwwrun";
+        permissions = "0400";
+        text = ''
+            SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
+            SetEnv TASKD_VARDIR        "${server_vardir}"
+            SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
+            SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
+            SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+            SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
+            SetEnv TASKD_LDAP_FILTER   "${env.ldap.filter}"
+          '';
+      };
+    } // (lib.mapAttrs' (name: userConfig: lib.nameValuePair "webapps/tools-taskwarrior/${name}-taskrc" {
+      inherit user group;
       permissions = "0400";
-      text = ''
-          SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
-          SetEnv TASKD_VARDIR        "${server_vardir}"
-          SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
-          SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
-          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
-          SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
-          SetEnv TASKD_LDAP_FILTER   "${env.ldap.search}"
-        '';
-    }];
-    services.websites.env.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
+      text = let
+        credentials = "${userConfig.org}/${name}/${userConfig.key}";
+        dateFormat = userConfig.date;
+      in ''
+        data.location=${varDir}/${name}
+        taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
+        taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
+        # IdenTrust DST Root CA X3
+        # obtained here: https://letsencrypt.org/fr/certificates/
+        taskd.ca=${pkgs.writeText "ca.cert" ''
+          -----BEGIN CERTIFICATE-----
+          MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+          TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+          cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+          WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+          ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+          MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+          h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+          0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+          A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+          T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+          B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+          B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+          KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+          OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+          jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+          qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+          rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+          HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+          hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+          ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+          3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+          NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+          ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+          TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+          jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+          oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+          4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+          mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+          emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+          -----END CERTIFICATE-----''}
+        taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
+        taskd.credentials=${credentials}
+        dateformat=${dateFormat}
+      '';
+    }) env.taskwarrior-web);
+    services.websites.env.tools.watchPaths = [ config.secrets.fullPaths."webapps/tools-taskwarrior-web" ];
     services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
     services.websites.env.tools.vhostConfs.task = {
       certName    = "eldiron";
@@ -123,9 +172,9 @@ in {
           Use LDAPConnect
           Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
           <FilesMatch "\.php$">
-            SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
+            SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
           </FilesMatch>
-          Include /var/secrets/webapps/tools-taskwarrior-web
+          Include ${config.secrets.fullPaths."webapps/tools-taskwarrior-web"}
         </Directory>
         ''
         ''
@@ -170,38 +219,44 @@ in {
         </Location>
         '') env.taskwarrior-web);
     };
-    services.phpfpm.poolConfigs = {
-      tasks = ''
-        listen = /var/run/phpfpm/task.sock
-        user = ${user}
-        group = ${group}
-        listen.owner = wwwrun
-        listen.group = wwwrun
-        pm = dynamic
-        pm.max_children = 60
-        pm.start_servers = 2
-        pm.min_spare_servers = 1
-        pm.max_spare_servers = 10
+    services.phpfpm.pools = {
+      tasks = {
+        user = user;
+        group = group;
+        settings = {
+          "listen.owner" = "wwwrun";
+          "listen.group" = "wwwrun";
+          "pm" = "dynamic";
+          "pm.max_children" = "60";
+          "pm.start_servers" = "2";
+          "pm.min_spare_servers" = "1";
+          "pm.max_spare_servers" = "10";
 
-        ; Needed to avoid clashes in browser cookies (same domain)
-        env[PATH] = "/etc/profiles/per-user/${user}/bin"
-        php_value[session.name] = TaskPHPSESSID
-        php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"
-      '';
+          # Needed to avoid clashes in browser cookies (same domain)
+          "php_value[session.name]" = "TaskPHPSESSID";
+          "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/";
+        };
+        phpEnv = {
+          PATH = "/etc/profiles/per-user/${user}/bin";
+        };
+        phpPackage = pkgs.php72;
+      };
     };
 
-    myServices.websites.webappDirs._task = ./www;
+    services.websites.webappDirs._task = ./www;
 
-    security.acme.certs."task" = config.services.myCertificates.certConfig // {
+    security.acme.certs."task" = config.myServices.certificates.certConfig // {
       inherit user group;
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
       domain = fqdn;
       postRun = ''
         systemctl restart taskserver.service
       '';
     };
 
-    users.users.${user}.packages = [ taskserver-user-certs ];
+    users.users.${user} = {
+      extraGroups = [ "keys" ];
+      packages = [ taskserver-user-certs ];
+    };
 
     system.activationScripts.taskserver = {
       deps = [ "users" ];
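Review bot: `extraGroups = [ "keys" ];` puts the taskserver user in the keys group, which widens what it can read beyond the per-user taskrc secrets that are already owned by `user`/`group` with `0400`; if the group membership exists only so the secrets directory is traversable, a comment stating that would document why the broader grant is needed, e.g. `# "keys" membership is needed to reach the secrets dir; the taskrc files themselves are user-owned 0400`. Separately, `phpPackage = pkgs.php72;` pins a specific PHP release line for the pool, so whether that line still receives security fixes is worth re-checking whenever this file is touched.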
@@ -244,9 +299,9 @@ in {
       inherit fqdn;
       listenHost = "::";
       pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
-      pki.manual.server.cert = "${config.security.acme.directory}/task/fullchain.pem";
-      pki.manual.server.crl = "${config.security.acme.directory}/task/invalid.crl";
-      pki.manual.server.key = "${config.security.acme.directory}/task/key.pem";
+      pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem";
+      pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl";
+      pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem";
       requestLimit = 104857600;
     };
 
@@ -260,48 +315,18 @@ in {
       '';
     };
 
+    systemd.slices.taskwarrior = {
+      description = "Taskwarrior slice";
+    };
+
     systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
-      let
-        credentials = "${userConfig.org}/${name}/${userConfig.key}";
-        dateFormat = userConfig.date;
-        taskrc = pkgs.writeText "taskrc" ''
-          data.location=${varDir}/${name}
-          taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
-          taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
-          # IdenTrust DST Root CA X3
-          # obtained here: https://letsencrypt.org/fr/certificates/
-          taskd.ca=${pkgs.writeText "ca.cert" ''
-            -----BEGIN CERTIFICATE-----
-            MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-            MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-            DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-            PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-            Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-            AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-            rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-            OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-            xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-            7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-            aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-            HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-            SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-            ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-            AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-            R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-            JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-            Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-            -----END CERTIFICATE-----''}
-          taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
-          taskd.credentials=${credentials}
-          dateformat=${dateFormat}
-          '';
-      in lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
+      lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
         description = "Taskwarrior webapp for ${name}";
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
         path = [ pkgs.taskwarrior ];
 
-        environment.TASKRC = taskrc;
+        environment.TASKRC = config.secrets.fullPaths."webapps/tools-taskwarrior/${name}-taskrc";
         environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
         environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
         environment.LC_ALL = "fr_FR.UTF-8";
@@ -311,6 +336,7 @@ in {
         '';
 
         serviceConfig = {
+          Slice = "taskwarrior.slice";
           User = user;
           PrivateTmp = true;
           Restart = "always";
@@ -331,6 +357,9 @@ in {
           chown :${group} "${server_vardir}/keys/ca.key"
           chmod g+r "${server_vardir}/keys/ca.key"
         '';
+        taskserver-ca.serviceConfig.Slice = "taskwarrior.slice";
+        taskserver-init.serviceConfig.Slice = "taskwarrior.slice";
+        taskserver.serviceConfig.Slice = "taskwarrior.slice";
       };
 
   };