{ pkgs, config, lib, ... }:
# Directory and database stack for the quatresaisons host: PostgreSQL, an
# OpenLDAP server (hdb backend) and a phpLdapAdmin front-end served by
# Apache + PHP-FPM under /ldap.
{
  config =
    let
      hostCfg = config.myEnv.serverSpecific.quatresaisons;
      # Both secret files are rendered with mode 0400 below, so the LDAP
      # credentials they carry stay out of the world-readable Nix store.
      ldapAdminConfig = config.secrets.fullPaths."webapps/tools-ldap";
      slapdRootPwFile = config.secrets.fullPaths."ldap/password";
      ldapAdminApp = pkgs.webapps.phpldapadmin.override { config = ldapAdminConfig; };
      ldapAdminSessions = "/var/lib/php/sessions/phpldapadmin";
      ldapAdminSocket = config.services.phpfpm.pools.ldap.socket;
    in
    {
      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_12;
        ensureUsers = [ { name = "naemon"; } ];
      };

      secrets.keys = {
        # slapd "rootpw" directive; readable by the openldap user only.
        "ldap/password" = {
          user = "openldap";
          group = "openldap";
          permissions = "0400";
          text = "rootpw      ${hostCfg.ldap_root_pw}";
        };
        # phpLdapAdmin config.php. It embeds the admin bind DN and password,
        # hence 0400 and owned by the PHP-FPM user.
        # NOTE(review): show_clear_password = true presumably makes the UI
        # display password attribute values unmasked, and pla_password_hash
        # 'ssha' stores new passwords as salted SHA-1 — confirm both are
        # intended for this deployment.
        "webapps/tools-ldap" = {
          user = "wwwrun";
          group = "wwwrun";
          permissions = "0400";
          text = ''
            <?php
            $config->custom->appearance['show_clear_password'] = true;
            $config->custom->appearance['hide_template_warning'] = true;
            $config->custom->appearance['theme'] = "tango";
            $config->custom->appearance['minimalMode'] = false;
            $config->custom->appearance['tree'] = 'AJAXTree';

            $servers = new Datastore();

            $servers->newServer('ldap_pla');
            $servers->setValue('server','name','LDAP');
            $servers->setValue('server','host','ldap://localhost');
            $servers->setValue('login','auth_type','cookie');
            $servers->setValue('login','bind_id','${hostCfg.ldap_phpldapadmin_dn}');
            $servers->setValue('login','bind_pass','${hostCfg.ldap_phpldapadmin_password}');
            $servers->setValue('appearance','pla_password_hash','ssha');
            $servers->setValue('login','attr','uid');
            $servers->setValue('login','fallback_dn',true);
          '';
        };
      };

      # The openldap user needs the "keys" group to read its rootpw secret.
      users.users.openldap.extraGroups = [ "keys" ];
      services.openldap = {
        enable = true;
        dataDir = "/var/lib/openldap";
        # Loopback only; the directory is not exposed on the network.
        urlList = [ "ldap://localhost" ];
        # NOTE(review): "none" suppresses slapd's operational logging (only
        # always-on messages remain), so failed binds and ACL decisions leave
        # no trace on this host; "stats" is the usual minimum for an audit
        # trail.
        logLevel = "none";
        suffix = "dc=salle-s,dc=org";
        rootdn = "cn=root,dc=salle-s,dc=org";
        rootpwFile = slapdRootPwFile;
        database = "hdb";
        extraConfig = ''
          pidfile     /run/slapd/slapd.pid
          argsfile    /run/slapd/slapd.args

          moduleload  back_hdb
          backend     hdb
        '';

        # Access rules are evaluated top-down; "by * break" hands anything a
        # rule does not decide on to the next rule, and whatever falls off
        # the end is left to slapd's implicit default.
        extraDatabaseConfig = ''
          moduleload  memberof
          overlay     memberof

          moduleload  syncprov
          overlay     syncprov
          syncprov-checkpoint 100 10

          index   objectClass       eq
          index   uid               pres,eq
          #index   uidMember         pres,eq
          index   mail              pres,sub,eq
          index   cn                pres,sub,eq
          index   sn                pres,sub,eq
          index   dc                eq
          index   member            eq
          index   memberOf          eq

          # No one must access that information except root
          access to attrs=description
            by * none

          access to attrs=entry,uid filter="(uid=*)"
            by dn.exact="${hostCfg.ldap_phpldapadmin_dn}" read
            by * break

          access to dn.subtree="ou=users,dc=salle-s,dc=org"
            by dn.subtree="ou=services,dc=salle-s,dc=org" read
            by * break

          access to *
            by self read
            by anonymous auth
            by * break
        '';
      };

      # Apache side: the vhost grants anonymous HTTP access to the app tree;
      # authentication is left to phpLdapAdmin's cookie login configured above.
      services.websites.env.production = {
        modules = [ "proxy_fcgi" ];
        vhostConfs.tools.extraConfig = [
          ''
            Alias /ldap "${ldapAdminApp}/htdocs"
            <Directory "${ldapAdminApp}/htdocs">
              DirectoryIndex index.php
              <FilesMatch "\.php$">
                SetHandler "proxy:unix:${ldapAdminSocket}|fcgi://localhost"
              </FilesMatch>

              AllowOverride None
              Require all granted
            </Directory>
          ''
        ];
      };

      services.phpfpm.pools.ldap = {
        user = "wwwrun";
        group = "wwwrun";
        phpPackage = pkgs.php72;
        settings = {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "ondemand";
          "pm.max_children" = "60";
          "pm.process_idle_timeout" = "60";

          # Distinct cookie name: other PHP apps are served from the same domain.
          "php_value[session.name]" = "LdapPHPSESSID";
          # Confine PHP file access to the app tree, its config file, /tmp and
          # its own session directory.
          "php_admin_value[open_basedir]" = "${ldapAdminApp}:${ldapAdminConfig}:/tmp:${ldapAdminSessions}";
          "php_admin_value[session.save_path]" = ldapAdminSessions;
        };
      };

      # Session directory owned by the PHP-FPM user; created after users exist.
      system.activationScripts.ldap = {
        deps = [ "users" ];
        text = ''
          install -m 0755 -o wwwrun -g wwwrun -d ${ldapAdminSessions}
        '';
      };

      # Start the PHP-FPM pool only after slapd has been started.
      systemd.services.phpfpm-ldap = {
        after = lib.mkAfter [ "openldap.service" ];
        wants = [ "openldap.service" ];
      };
    };
}