blob: 3dc329985de02b3f8e3c1397b406cdd04e916949 (
plain) (
tree)
|
|
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
cfg = config.services.myTasks;
vardir = config.services.taskserver.dataDir;
fqdn = "task.immae.eu";
user = config.services.taskserver.user;
env = myconfig.env.tools.task;
group = config.services.taskserver.group;
in {
options.services.myTasks = {
enable = lib.mkEnableOption "my tasks service";
};
config = lib.mkIf cfg.enable {
security.acme.certs."eldiron".extraDomains.${fqdn} = null;
services.myWebsites.tools.modules = [ "proxy_fcgi" ];
services.myWebsites.tools.vhostConfs.task = {
certName = "eldiron";
hosts = [ "task.immae.eu" ];
root = "/run/current-system/webapps/_task";
extraConfig = [ ''
<Directory /run/current-system/webapps/_task>
DirectoryIndex index.php
Use LDAPConnect
Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
<FilesMatch "\.php$">
SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
</FilesMatch>
SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
SetEnv TASKD_VARDIR "${vardir}"
SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
</Directory>
'' ];
};
services.myPhpfpm.poolConfigs = {
tasks = ''
listen = /var/run/phpfpm/task.sock
user = ${user}
group = ${group}
listen.owner = wwwrun
listen.group = wwwrun
pm = dynamic
pm.max_children = 60
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 10
; Needed to avoid clashes in browser cookies (same domain)
env[PATH] = "/etc/profiles/per-user/${user}/bin"
php_value[session.name] = TaskPHPSESSID
php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/"
'';
};
system.extraSystemBuilderCmds = ''
ln -s ${./www} $out/webapps/_task
'';
security.acme.certs."task" = config.services.myCertificates.certConfig // {
inherit user group;
plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
domain = fqdn;
postRun = ''
systemctl restart taskserver.service
'';
};
users.users.${user}.packages = [
(pkgs.runCommand "taskserver-user-certs" {} ''
mkdir -p $out/bin
cat > $out/bin/taskserver-user-certs <<"EOF"
#!/usr/bin/env bash
user=$1
silent_certtool() {
if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
echo "GNUTLS certtool invocation failed with output:" >&2
echo "$output" >&2
fi
}
silent_certtool -p \
--bits 4096 \
--outfile "${vardir}/userkeys/$user.key.pem"
${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${vardir}/userkeys/$user.key.pem"
silent_certtool -c \
--template "${pkgs.writeText "taskserver-ca.template" ''
tls_www_client
encryption_key
signing_key
expiration_days = 3650
''}" \
--load-ca-certificate "${vardir}/keys/ca.cert" \
--load-ca-privkey "${vardir}/keys/ca.key" \
--load-privkey "${vardir}/userkeys/$user.key.pem" \
--outfile "${vardir}/userkeys/$user.cert.pem"
EOF
chmod a+x $out/bin/taskserver-user-certs
patchShebangs $out/bin/taskserver-user-certs
'')
];
systemd.services.taskserver-ca.postStart = ''
chown :${group} "${vardir}/keys/ca.key"
chmod g+r "${vardir}/keys/ca.key"
'';
system.activationScripts.taskserver = {
deps = [ "users" ];
text = ''
install -m 0750 -o ${user} -g ${group} -d ${vardir}
install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
'';
};
services.taskserver = {
enable = true;
allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
inherit fqdn;
listenHost = "::";
requestLimit = 104857600;
};
};
}
|
