path: root/systems/eldiron/tasks/default.nix

                                            
   
{ lib, pkgs, config, taskwarrior-web, ... }:
let
  cfg = config.myServices.tasks;
  server_vardir = config.services.taskserver.dataDir;
  fqdn = "task.immae.eu";
  user = config.services.taskserver.user;
  env = config.myEnv.tools.task;
  group = config.services.taskserver.group;
  taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
    mkdir -p $out/bin
    cat > $out/bin/taskserver-user-certs <<"EOF"
    #!/usr/bin/env bash

    user=$1

    silent_certtool() {
      if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
        echo "GNUTLS certtool invocation failed with output:" >&2
        echo "$output" >&2
      fi
    }

    silent_certtool -p \
      --bits 4096 \
      --outfile "${server_vardir}/userkeys/$user.key.pem"
    ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem"

    silent_certtool -c \
      --template "${pkgs.writeText "taskserver-ca.template" ''
        tls_www_client
        encryption_key
        signing_key
        expiration_days = 3650
      ''}" \
      --load-ca-certificate "${server_vardir}/keys/ca.cert" \
      --load-ca-privkey "${server_vardir}/keys/ca.key" \
      --load-privkey "${server_vardir}/userkeys/$user.key.pem" \
      --outfile "${server_vardir}/userkeys/$user.cert.pem"
    EOF
    chmod a+x $out/bin/taskserver-user-certs
    patchShebangs $out/bin/taskserver-user-certs
    '';
  socketsDir = "/run/taskwarrior-web";
  varDir = "/var/lib/taskwarrior-web";
  taskwebPages = let
    uidPages = lib.attrsets.zipAttrs (
      lib.lists.flatten
        (lib.attrsets.mapAttrsToList (k: c: map (v: { "${v}" = k; }) c.uid) env.taskwarrior-web)
      );
    pages = lib.attrsets.mapAttrs (uid: items:
      if lib.lists.length items == 1 then
      ''
        <html>
        <head>
          <meta http-equiv="refresh" content="0; url=/taskweb/${lib.lists.head items}/" />
        </head>
        <body></body>
        </html>
        ''
      else
      ''
        <html>
        <head>
        <title>To-do list disponibles</title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        </head>
        <body>
          <ul>
            ${builtins.concatStringsSep "\n" (map (item: "<li><a href='/taskweb/${item}'>${item}</a></li>") items)}
          </ul>
        </body>
        </html>
        ''
    ) uidPages;
  in
    pkgs.runCommand "taskwerver-pages" {} ''
      mkdir -p $out/
      ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "cp ${pkgs.writeText k v} $out/${k}.html") pages)}
      echo "Please login" > $out/index.html
      '';
in {
  options.myServices.tasks = {
    enable = lib.mkEnableOption "my tasks service";
  };

  config = lib.mkIf cfg.enable {
    myServices.dns.zones."immae.eu".subdomains.task =
      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;

    myServices.chatonsProperties.services.taskwarrior = {
      file.datetime = "2022-08-22T00:00:00";
      service = {
        name = "Taskwarrior";
        description = "Taskwarrior is Free and Open Source Software that manages your TODO list from the command line. Web interface and synchronization server";
        website = "https://task.immae.eu/";
        logo = "https://taskwarrior.org/favicon.ico";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "Taskwarrior";
        website = "https://taskwarrior.org/";
        license.url = "https://github.com/GothenburgBitFactory/taskwarrior/blob/develop/LICENSE";
        license.name = "MIT License";
        version = taskwarrior-web.version;
        source.url = "https://taskwarrior.org/download/";
      };
    };
    secrets.keys = {
      "webapps/tools-taskwarrior-web" = {
        user = "wwwrun";
        group = "wwwrun";
        permissions = "0400";
        text = ''
            SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
            SetEnv TASKD_VARDIR        "${server_vardir}"
            SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
            SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
            SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
            SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
            SetEnv TASKD_LDAP_FILTER   "${env.ldap.filter}"
          '';
      };
    } // (lib.mapAttrs' (name: userConfig: lib.nameValuePair "webapps/tools-taskwarrior/${name}-taskrc" (
      let
        credentials = "${userConfig.org}/${name}/${userConfig.key}";
        dateFormat = userConfig.date;
        cacert = pkgs.writeText "ca.cert" ''
          -----BEGIN CERTIFICATE-----
          MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
          TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
          cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
          WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
          ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
          MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
          h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
          0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
          A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
          T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
          B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
          B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
          KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
          OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
          jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
          qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
          rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
          HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
          hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
          ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
          3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
          NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
          ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
          TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
          jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
          oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
          4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
          mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
          emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
          -----END CERTIFICATE-----'';
      in {
      inherit user group;
      permissions = "0400";
      text = ''
        data.location=${varDir}/${name}
        taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
        taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
        # IdenTrust DST Root CA X3
        # obtained here: https://letsencrypt.org/fr/certificates/
        taskd.ca=${cacert}
        taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
        taskd.credentials=${credentials}
        dateformat=${dateFormat}
      '';
      keyDependencies = [ cacert ];
    })) env.taskwarrior-web);
    security.acme.certs.eldiron.extraDomainNames = [ "task.immae.eu" ];
    services.websites.env.tools.watchPaths = [ config.secrets.fullPaths."webapps/tools-taskwarrior-web" ];
    services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
    services.websites.env.tools.vhostConfs.task = {
      certName    = "eldiron";
      hosts       = [ "task.immae.eu" ];
      root        = ./www;
      extraConfig = [ ''
        <Directory ${./www}>
          DirectoryIndex index.php
          Use LDAPConnect
          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
          </FilesMatch>
          Include ${config.secrets.fullPaths."webapps/tools-taskwarrior-web"}
        </Directory>
        ''
        ''
        <Macro Taskwarrior %{folderName}>
          ProxyPass        "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
          ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
          ProxyPassReverse http://${fqdn}/

          SetOutputFilter Sed
          OutputSed   "s|/ajax|/taskweb/%{folderName}/ajax|g"
          OutputSed   "s|\([^x]\)/tasks|\1/taskweb/%{folderName}/tasks|g"
          OutputSed   "s|\([^x]\)/projects|\1/taskweb/%{folderName}/projects|g"
          OutputSed   "s|http://${fqdn}/|/taskweb/%{folderName}/|g"
          OutputSed   "s|/img/relax.jpg|/taskweb/%{folderName}/img/relax.jpg|g"
        </Macro>
        ''
        ''
        Alias /taskweb ${taskwebPages}
        <Directory "${taskwebPages}">
          DirectoryIndex index.html
          Require all granted
        </Directory>

        RewriteEngine on
        RewriteRule ^/taskweb$ /taskweb/ [R=301,L]
        RedirectMatch permanent ^/taskweb/([^/]+)$ /taskweb/$1/

        RewriteCond %{LA-U:REMOTE_USER} !=""
        RewriteCond ${taskwebPages}/%{LA-U:REMOTE_USER}.html -f
        RewriteRule ^/taskweb/?$ ${taskwebPages}/%{LA-U:REMOTE_USER}.html [L]

        <Location /taskweb/>
          Use LDAPConnect
          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
        </Location>
        ''
      ] ++ (lib.attrsets.mapAttrsToList (k: v: ''
        <Location /taskweb/${k}/>
          ${builtins.concatStringsSep "\n" (map (uid: "Require ldap-attribute   uid=${uid}") v.uid)}

          Use Taskwarrior ${k}
        </Location>
        '') env.taskwarrior-web);
    };
    services.phpfpm.pools = {
      tasks = {
        user = user;
        group = group;
        settings = {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "dynamic";
          "pm.max_children" = "60";
          "pm.start_servers" = "2";
          "pm.min_spare_servers" = "1";
          "pm.max_spare_servers" = "10";

          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "TaskPHPSESSID";
          "php_admin_value[session.save_handler]" = "redis";
          "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Task:'";
          "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/";
        };
        phpEnv = {
          PATH = "/etc/profiles/per-user/${user}/bin";
        };
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.redis ]);
      };
    };

    security.acme.certs."task" = {
      inherit group;
      domain = fqdn;
      postRun = ''
        systemctl restart taskserver.service
      '';
    };

    users.users.${user} = {
      extraGroups = [ "keys" ];
      packages = [ taskserver-user-certs ];
    };

    system.activationScripts.taskserver = {
      deps = [ "users" ];
      text = ''
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys

        if [ ! -e "${server_vardir}/keys/ca.key" ]; then
          silent_certtool() {
            if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
              echo "GNUTLS certtool invocation failed with output:" >&2
              echo "$output" >&2
            fi
          }

          silent_certtool -p \
            --bits 4096 \
            --outfile "${server_vardir}/keys/ca.key"

          silent_certtool -s \
            --template "${pkgs.writeText "taskserver-ca.template" ''
              cn = ${fqdn}
              expiration_days = -1
              cert_signing_key
              ca
            ''}" \
            --load-privkey "${server_vardir}/keys/ca.key" \
            --outfile "${server_vardir}/keys/ca.cert"

          chown :${group} "${server_vardir}/keys/ca.key"
          chmod g+r "${server_vardir}/keys/ca.key"
        fi
      '';
    };

    services.taskserver = {
      enable = true;
      allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
      inherit fqdn;
      listenHost = "::";
      pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
      pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem";
      pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl";
      pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem";
      requestLimit = 104857600;
    };

    system.activationScripts.taskwarrior-web = {
      deps = [ "users" ];
      text = ''
        if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
          ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
          chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
        fi
      '';
    };

    systemd.slices.taskwarrior = {
      description = "Taskwarrior slice";
    };

    systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
      lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
        description = "Taskwarrior webapp for ${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        path = [ pkgs.taskwarrior ];

        environment.TASKRC = config.secrets.fullPaths."webapps/tools-taskwarrior/${name}-taskrc";
        environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
        environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
        environment.LC_ALL = "fr_FR.UTF-8";

        script = ''
          exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
        '';

        serviceConfig = {
          Slice = "taskwarrior.slice";
          User = user;
          PrivateTmp = true;
          Restart = "always";
          TimeoutSec = 60;
          Type = "simple";
          WorkingDirectory = taskwarrior-web;
          StateDirectoryMode = 0750;
          StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
            (lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
          RuntimeDirectoryPreserve = "yes";
          RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
            lib.strings.removePrefix "/run/" socketsDir;
        };

        unitConfig.RequiresMountsFor = varDir;
      }) env.taskwarrior-web) // {
        taskserver-ca.postStart = ''
          chown :${group} "${server_vardir}/keys/ca.key"
          chmod g+r "${server_vardir}/keys/ca.key"
        '';
        taskserver-ca.serviceConfig.Slice = "taskwarrior.slice";
        taskserver-init.serviceConfig.Slice = "taskwarrior.slice";
        taskserver.serviceConfig.Slice = "taskwarrior.slice";
      };

  };
}
{ lib, pkgs, config, taskwarrior-web, ... }:
let
  cfg = config.myServices.tasks;
  server_vardir = config.services.taskserver.dataDir;
  fqdn = "task.immae.eu";
  user = config.services.taskserver.user;
  env = config.myEnv.tools.task;
  group = config.services.taskserver.group;
  taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
    mkdir -p $out/bin
    cat > $out/bin/taskserver-user-certs <<"EOF"
    #!/usr/bin/env bash

    user=$1

    silent_certtool() {
      if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
        echo "GNUTLS certtool invocation failed with output:" >&2
        echo "$output" >&2
      fi
    }

    silent_certtool -p \
      --bits 4096 \
      --outfile "${server_vardir}/userkeys/$user.key.pem"
    ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem"

    silent_certtool -c \
      --template "${pkgs.writeText "taskserver-ca.template" ''
        tls_www_client
        encryption_key
        signing_key
        expiration_days = 3650
      ''}" \
      --load-ca-certificate "${server_vardir}/keys/ca.cert" \
      --load-ca-privkey "${server_vardir}/keys/ca.key" \
      --load-privkey "${server_vardir}/userkeys/$user.key.pem" \
      --outfile "${server_vardir}/userkeys/$user.cert.pem"
    EOF
    chmod a+x $out/bin/taskserver-user-certs
    patchShebangs $out/bin/taskserver-user-certs
    '';
  socketsDir = "/run/taskwarrior-web";
  varDir = "/var/lib/taskwarrior-web";
  taskwebPages = let
    uidPages = lib.attrsets.zipAttrs (
      lib.lists.flatten
        (lib.attrsets.mapAttrsToList (k: c: map (v: { "${v}" = k; }) c.uid) env.taskwarrior-web)
      );
    pages = lib.attrsets.mapAttrs (uid: items:
      if lib.lists.length items == 1 then
      ''
        <html>
        <head>
          <meta http-equiv="refresh" content="0; url=/taskweb/${lib.lists.head items}/" />
        </head>
        <body></body>
        </html>
        ''
      else
      ''
        <html>
        <head>
        <title>To-do list disponibles</title>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1" />
        </head>
        <body>
          <ul>
            ${builtins.concatStringsSep "\n" (map (item: "<li><a href='/taskweb/${item}'>${item}</a></li>") items)}
          </ul>
        </body>
        </html>
        ''
    ) uidPages;
  in
    pkgs.runCommand "taskwerver-pages" {} ''
      mkdir -p $out/
      ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "cp ${pkgs.writeText k v} $out/${k}.html") pages)}
      echo "Please login" > $out/index.html
      '';
in {
  options.myServices.tasks = {
    enable = lib.mkEnableOption "my tasks service";
  };

  config = lib.mkIf cfg.enable {
    myServices.dns.zones."immae.eu".subdomains.task =
      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;

    myServices.chatonsProperties.services.taskwarrior = {
      file.datetime = "2022-08-22T00:00:00";
      service = {
        name = "Taskwarrior";
        description = "Taskwarrior is Free and Open Source Software that manages your TODO list from the command line. Web interface and synchronization server";
        website = "https://task.immae.eu/";
        logo = "https://taskwarrior.org/favicon.ico";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "Taskwarrior";
        website = "https://taskwarrior.org/";
        license.url = "https://github.com/GothenburgBitFactory/taskwarrior/blob/develop/LICENSE";
        license.name = "MIT License";
        version = taskwarrior-web.version;
        source.url = "https://taskwarrior.org/download/";
      };
    };
    secrets.keys = {
      "webapps/tools-taskwarrior-web" = {
        user = "wwwrun";
        group = "wwwrun";
        permissions = "0400";
        text = ''
            SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
            SetEnv TASKD_VARDIR        "${server_vardir}"
            SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
            SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
            SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
            SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
            SetEnv TASKD_LDAP_FILTER   "${env.ldap.filter}"
          '';
      };
    } // (lib.mapAttrs' (name: userConfig: lib.nameValuePair "webapps/tools-taskwarrior/${name}-taskrc" (
      let
        credentials = "${userConfig.org}/${name}/${userConfig.key}";
        dateFormat = userConfig.date;
        cacert = pkgs.writeText "ca.cert" ''
          -----BEGIN CERTIFICATE-----
          MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
          TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
          cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
          WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
          ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
          MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
          h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
          0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
          A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
          T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
          B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
          B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
          KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
          OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
          jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
          qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
          rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
          HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
          hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
          ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
          3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
          NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
          ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
          TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
          jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
          oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
          4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
          mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
          emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
          -----END CERTIFICATE-----'';
      in {
      inherit user group;
      permissions = "0400";
      text = ''
        data.location=${varDir}/${name}
        taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
        taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
        # IdenTrust DST Root CA X3
        # obtained here: https://letsencrypt.org/fr/certificates/
        taskd.ca=${cacert}
        taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
        taskd.credentials=${credentials}
        dateformat=${dateFormat}
      '';
      keyDependencies = [ cacert ];
    })) env.taskwarrior-web);
    security.acme.certs.eldiron.extraDomainNames = [ "task.immae.eu" ];
    services.websites.env.tools.watchPaths = [ config.secrets.fullPaths."webapps/tools-taskwarrior-web" ];
    services.websites.env.tools.modules = [ "proxy_fcgi" "sed" ];
    services.websites.env.tools.vhostConfs.task = {
      certName    = "eldiron";
      hosts       = [ "task.immae.eu" ];
      root        = ./www;
      extraConfig = [ ''
        <Directory ${./www}>
          DirectoryIndex index.php
          Use LDAPConnect
          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost"
          </FilesMatch>
          Include ${config.secrets.fullPaths."webapps/tools-taskwarrior-web"}
        </Directory>
        ''
        ''
        <Macro Taskwarrior %{folderName}>
          ProxyPass        "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
          ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
          ProxyPassReverse http://${fqdn}/

          SetOutputFilter Sed
          OutputSed   "s|/ajax|/taskweb/%{folderName}/ajax|g"
          OutputSed   "s|\([^x]\)/tasks|\1/taskweb/%{folderName}/tasks|g"
          OutputSed   "s|\([^x]\)/projects|\1/taskweb/%{folderName}/projects|g"
          OutputSed   "s|http://${fqdn}/|/taskweb/%{folderName}/|g"
          OutputSed   "s|/img/relax.jpg|/taskweb/%{folderName}/img/relax.jpg|g"
        </Macro>
        ''
        ''
        Alias /taskweb ${taskwebPages}
        <Directory "${taskwebPages}">
          DirectoryIndex index.html
          Require all granted
        </Directory>

        RewriteEngine on
        RewriteRule ^/taskweb$ /taskweb/ [R=301,L]
        RedirectMatch permanent ^/taskweb/([^/]+)$ /taskweb/$1/

        RewriteCond %{LA-U:REMOTE_USER} !=""
        RewriteCond ${taskwebPages}/%{LA-U:REMOTE_USER}.html -f
        RewriteRule ^/taskweb/?$ ${taskwebPages}/%{LA-U:REMOTE_USER}.html [L]

        <Location /taskweb/>
          Use LDAPConnect
          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
        </Location>
        ''
      ] ++ (lib.attrsets.mapAttrsToList (k: v: ''
        <Location /taskweb/${k}/>
          ${builtins.concatStringsSep "\n" (map (uid: "Require ldap-attribute   uid=${uid}") v.uid)}

          Use Taskwarrior ${k}
        </Location>
        '') env.taskwarrior-web);
    };
    services.phpfpm.pools = {
      tasks = {
        user = user;
        group = group;
        settings = {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "dynamic";
          "pm.max_children" = "60";
          "pm.start_servers" = "2";
          "pm.min_spare_servers" = "1";
          "pm.max_spare_servers" = "10";

          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "TaskPHPSESSID";
          "php_admin_value[session.save_handler]" = "redis";
          "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Task:'";
          "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/";
        };
        phpEnv = {
          PATH = "/etc/profiles/per-user/${user}/bin";
        };
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.redis ]);
      };
    };

    security.acme.certs."task" = {
      inherit group;
      domain = fqdn;
      postRun = ''
        systemctl restart taskserver.service
      '';
    };

    users.users.${user} = {
      extraGroups = [ "keys" ];
      packages = [ taskserver-user-certs ];
    };

    system.activationScripts.taskserver = {
      deps = [ "users" ];
      text = ''
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys
        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys

        if [ ! -e "${server_vardir}/keys/ca.key" ]; then
          silent_certtool() {
            if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
              echo "GNUTLS certtool invocation failed with output:" >&2
              echo "$output" >&2
            fi
          }

          silent_certtool -p \
            --bits 4096 \
            --outfile "${server_vardir}/keys/ca.key"

          silent_certtool -s \
            --template "${pkgs.writeText "taskserver-ca.template" ''
              cn = ${fqdn}
              expiration_days = -1
              cert_signing_key
              ca
            ''}" \
            --load-privkey "${server_vardir}/keys/ca.key" \
            --outfile "${server_vardir}/keys/ca.cert"

          chown :${group} "${server_vardir}/keys/ca.key"
          chmod g+r "${server_vardir}/keys/ca.key"
        fi
      '';
    };

    services.taskserver = {
      enable = true;
      allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
      inherit fqdn;
      listenHost = "::";
      pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
      pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem";
      pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl";
      pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem";
      requestLimit = 104857600;
    };

    system.activationScripts.taskwarrior-web = {
      deps = [ "users" ];
      text = ''
        if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
          ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
          chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
        fi
      '';
    };

    systemd.slices.taskwarrior = {
      description = "Taskwarrior slice";
    };

    systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
      lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
        description = "Taskwarrior webapp for ${name}";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        path = [ pkgs.taskwarrior ];

        environment.TASKRC = config.secrets.fullPaths."webapps/tools-taskwarrior/${name}-taskrc";
        environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
        environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
        environment.LC_ALL = "fr_FR.UTF-8";

        script = ''
          exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
        '';

        serviceConfig = {
          Slice = "taskwarrior.slice";
          User = user;
          PrivateTmp = true;
          Restart = "always";
          TimeoutSec = 60;
          Type = "simple";
          WorkingDirectory = taskwarrior-web;
          StateDirectoryMode = 0750;
          StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
            (lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
          RuntimeDirectoryPreserve = "yes";
          RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
            lib.strings.removePrefix "/run/" socketsDir;
        };

        unitConfig.RequiresMountsFor = varDir;
      }) env.taskwarrior-web) // {
        taskserver-ca.postStart = ''
          chown :${group} "${server_vardir}/keys/ca.key"
          chmod g+r "${server_vardir}/keys/ca.key"
        '';
        taskserver-ca.serviceConfig.Slice = "taskwarrior.slice";
        taskserver-init.serviceConfig.Slice = "taskwarrior.slice";
        taskserver.serviceConfig.Slice = "taskwarrior.slice";
      };

  };
}