author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-10-24 12:30:42 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-10-24 12:30:42 +0200 |
commit | 75489e72e379af8aeac64bc4967717d9ae776ff0 (patch) | |
tree | 1d028e5a9ab73d096e48e3f177eb60b4f73486bd /modules/private/system/quatresaisons/databases.nix | |
parent | e43fdf341072e4a0150324196fc7af8f383860ec (diff) | |
download | Nix-75489e72e379af8aeac64bc4967717d9ae776ff0.tar.gz Nix-75489e72e379af8aeac64bc4967717d9ae776ff0.tar.zst Nix-75489e72e379af8aeac64bc4967717d9ae776ff0.zip |
Add quatresaisons server
Diffstat (limited to 'modules/private/system/quatresaisons/databases.nix')
-rw-r--r-- | modules/private/system/quatresaisons/databases.nix | 146 |
1 files changed, 146 insertions, 0 deletions
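--- /dev/null
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -0,0 +1,146 @@
+{ pkgs, config, lib, ... }:
+{
+config = let
+serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
+phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+in {
+services.postgresql.enable = true;
+services.postgresql.package = pkgs.postgresql_12;
+secrets.keys = [
+{
+dest = "ldap/password";
+permissions = "0400";
+user = "openldap";
+group = "openldap";
+text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
+}
+{
+dest = "webapps/tools-ldap";
+user = "wwwrun";
+group = "wwwrun";
+permissions = "0400";
+text = ''
+<?php
+$config->custom->appearance['show_clear_password'] = true;
+$config->custom->appearance['hide_template_warning'] = true;
+$config->custom->appearance['theme'] = "tango";
+$config->custom->appearance['minimalMode'] = false;
+$config->custom->appearance['tree'] = 'AJAXTree';
+
+$servers = new Datastore();
+
+$servers->newServer('ldap_pla');
+$servers->setValue('server','name','LDAP');
+$servers->setValue('server','host','ldap://localhost');
+$servers->setValue('login','auth_type','cookie');
+$servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
+$servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
+$servers->setValue('appearance','pla_password_hash','ssha');
+$servers->setValue('login','attr','uid');
+$servers->setValue('login','fallback_dn',true);
+'';
+}
+];
+
+users.users.openldap.extraGroups = [ "keys" ];
+services.openldap = {
+enable = true;
+dataDir = "/var/lib/openldap";
+urlList = [ "ldap://localhost" ];
+logLevel = "none";
+extraConfig = ''
+pidfile /run/slapd/slapd.pid
+argsfile /run/slapd/slapd.args
+
+moduleload back_hdb
+backend hdb
+'';
+
+extraDatabaseConfig = ''
+moduleload memberof
+overlay memberof
+
+moduleload syncprov
+overlay syncprov
+syncprov-checkpoint 100 10
+
+index objectClass eq
+index uid pres,eq
+#index uidMember pres,eq
+index mail pres,sub,eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index dc eq
+index member eq
+index memberOf eq
+
+# No one must access that information except root
+access to attrs=description
+by * none
+
+access to attrs=entry,uid filter="(uid=*)"
+by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
+by * break
+
+access to dn.subtree="ou=users,dc=salle-s,dc=org"
+by dn.subtree="ou=services,dc=salle-s,dc=org" read
+by * break
+
+access to *
+by self read
+by anonymous auth
+by * break
+'';
+rootpwFile = "${config.secrets.location}/ldap/password";
+suffix = "dc=salle-s,dc=org";
+rootdn = "cn=root,dc=salle-s,dc=org";
+database = "hdb";
+};
+
+services.websites.env.production.modules = [ "proxy_fcgi" ];
+services.websites.env.production.vhostConfs.tools.extraConfig = [
+''
+Alias /ldap "${phpLdapAdmin}/htdocs"
+<Directory "${phpLdapAdmin}/htdocs">
+DirectoryIndex index.php
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
+</FilesMatch>
+
+AllowOverride None
+Require all granted
+</Directory>
+''
+];
+services.phpfpm.pools.ldap = {
+user = "wwwrun";
+group = "wwwrun";
+settings =
+let
+basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
+in {
+"listen.owner" = "wwwrun";
+"listen.group" = "wwwrun";
+"pm" = "ondemand";
+"pm.max_children" = "60";
+"pm.process_idle_timeout" = "60";
+
+# Needed to avoid clashes in browser cookies (same domain)
+"php_value[session.name]" = "LdapPHPSESSID";
+"php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
+"php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
+};
+phpPackage = pkgs.php72;
+};
+system.activationScripts.ldap = {
+deps = [ "users" ];
+text = ''
+install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
+'';
+};
+systemd.services.phpfpm-ldap = {
+after = lib.mkAfter [ "openldap.service" ];
+wants = [ "openldap.service" ];
+};
+};
+}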
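Review bot: `logLevel = "none";` in the services.openldap block switches off slapd's own logging, so bind attempts against the rootdn or the phpLDAPadmin bind DN — the two credentials this file provisions — leave no record to alert on; `logLevel = "stats";` keeps connection and operation logging at low volume. In the phpLDAPadmin config written to webapps/tools-ldap, `$config->custom->appearance['show_clear_password'] = true;` renders password attribute values in clear in the web UI for any session that can read them; if that is intended, a comment saying why would help, otherwise drop the line. The `back_hdb` module and `database = "hdb";` select a backend that upstream OpenLDAP has deprecated in favour of mdb, and `phpPackage = pkgs.php72;` pins a PHP branch that, I believe, was weeks from the end of security support at the commit date — both are maintenance burdens rather than defects. The file is complete within this section.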