X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=nixops%2Fmodules%2Fwebsites%2Ftools%2Ftools%2Fldap.nix;h=623adb581594a381c2cfba2a5a4d9b5416d3bd37;hp=6cde881ccecb1f4133ffa656e9868de4c10cc472;hb=b7d2d4e3da7da83bc7f133acaa216375890592b1;hpb=a95ab089420d6edf24f22500dabf7876d329dc91
diff --git a/nixops/modules/websites/tools/tools/ldap.nix b/nixops/modules/websites/tools/tools/ldap.nix
index 6cde881..623adb5 100644
--- a/nixops/modules/websites/tools/tools/ldap.nix
+++ b/nixops/modules/websites/tools/tools/ldap.nix
@@ -1,24 +1,30 @@
 { lib, php, env, writeText, stdenv, optipng, fetchurl }:
 rec {
- config = writeText "config.php" ''
- custom->appearance['show_clear_password'] = true;
- $config->custom->appearance['hide_template_warning'] = true;
- $config->custom->appearance['theme'] = "tango";
- $config->custom->appearance['minimalMode'] = true;
+ keys.tools-ldap = {
+ destDir = "/run/keys/webapps";
+ user = apache.user;
+ group = apache.group;
+ permissions = "0400";
+ text = ''
+ custom->appearance['show_clear_password'] = true;
+ $config->custom->appearance['hide_template_warning'] = true;
+ $config->custom->appearance['theme'] = "tango";
+ $config->custom->appearance['minimalMode'] = true;
- $servers = new Datastore();
+ $servers = new Datastore();
- $servers->newServer('ldap_pla');
- $servers->setValue('server','name','Immae’s LDAP');
- $servers->setValue('server','host','ldaps://${env.ldap.host}');
- $servers->setValue('login','auth_type','cookie');
- $servers->setValue('login','bind_id','${env.ldap.dn}');
- $servers->setValue('login','bind_pass','${env.ldap.password}');
- $servers->setValue('appearance','password_hash','ssha');
- $servers->setValue('login','attr','uid');
- $servers->setValue('login','fallback_dn',true);
- '';
+ $servers->newServer('ldap_pla');
+ $servers->setValue('server','name','Immae’s LDAP');
+ $servers->setValue('server','host','ldaps://${env.ldap.host}');
+ $servers->setValue('login','auth_type','cookie');
+ $servers->setValue('login','bind_id','${env.ldap.dn}');
+ $servers->setValue('login','bind_pass','${env.ldap.password}');
+ $servers->setValue('appearance','password_hash','ssha');
+ $servers->setValue('login','attr','uid');
+ $servers->setValue('login','fallback_dn',true);
+ '';
+ };
 webRoot = stdenv.mkDerivation rec {
 version = "1.2.3";
 name = "phpldapadmin-${version}";
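Review bot: The runtime key path `/run/keys/webapps/tools-ldap` is spelled out independently in `destDir` here, in the `ln -sf` of the installPhase hunk and in `basedir` of the phpFpm hunk, so renaming the key or its `destDir` in one place would leave the other two pointing at a file that is never delivered. Since the enclosing set is `rec`, one attribute can carry it: `keyFile = "${keys.tools-ldap.destDir}/tools-ldap";`, then `${keyFile}` in the `ln -sf` line and `[ webRoot keyFile ]` in the basedir list. The heredoc also appears in this rendering to begin at `custom->appearance[...]` with no `$config->` prefix on its first statement; that is presumably an extraction artifact rather than the committed text, but it is worth confirming against the file.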
@@ -39,7 +45,7 @@ rec {
 '';
 installPhase = ''
 cp -a . $out
- ln -sf ${config} $out/config/config.php
+ ln -sf /run/keys/webapps/tools-ldap $out/config/config.php
 '';
 };
 apache = rec {
@@ -62,7 +68,8 @@ rec {
 '';
 };
 phpFpm = rec {
- basedir = builtins.concatStringsSep ":" [ webRoot config ];
+ serviceDeps = [ "openldap.service" "tools-ldap-key.service" ];
+ basedir = builtins.concatStringsSep ":" [ webRoot "/run/keys/webapps/tools-ldap" ];
 socket = "/var/run/phpfpm/ldap.sock";
 pool = ''
 listen = ${socket}
@@ -76,7 +83,8 @@ rec {
 ; Needed to avoid clashes in browser cookies (same domain)
 php_value[session.name] = LdapPHPSESSID
- php_admin_value[open_basedir] = "${basedir}:/tmp"
+ php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"
+ php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin"
 '';
 };
 }
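Review bot: The new `basedir` entry `/run/keys/webapps/tools-ldap` in the phpFpm hunk is a file, and PHP's open_basedir treats each entry as a path prefix rather than an exact name, so this entry also admits any sibling under `/run/keys/webapps/` whose name starts with `tools-ldap`. With the key deployed at mode 0400 and owned by `apache.user` that only matters if another key with such a name is ever delivered there for a different user, but the reliance on prefix matching deserves a line next to it: `# open_basedir matches by prefix: this admits the key file itself (and any sibling named tools-ldap*)`. The rest of the `phpFpm` set continues outside the hunk.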
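Review bot: `session.save_path` in the last hunk now points at `/var/lib/php/sessions/phpldapadmin`, but nothing in this change creates that directory or fixes its owner and mode; unless it is provisioned elsewhere (a tmpfiles rule or the pool's service unit, say) PHP will fail to write sessions, and if it is created too loosely other local users could read the session files of an authenticated LDAP admin. Whatever creates it should own it to `apache.user` with mode 0700, and a short `; directory created with mode 0700 by <unit that provisions it>` comment beside the `php_admin_value[session.save_path]` line would tie the two together. The enclosing `pool` string starts outside the hunk.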