Move rest of the modules outside of nixops

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-22 20:55:28 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-05-22 20:55:28 +0200
commit: 8d213e2b1c934f6861f76aad5eb7c11097fa97de (patch)
tree: 23f8a2d5692deaeffffa1ab5f098b2d24b9e2217 /modules/private/tasks
parent: a1a8649a2be768685eb04c246c114fce36b8096f (diff)
download: Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.tar.gz
Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.tar.zst
Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.zip
2 files changed, 484 insertions, 0 deletions
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
new file mode 100644
index 0000000..30f49ee
--- /dev/null
+++ b/modules/private/tasks/default.nix
@@ -0,0 +1,327 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.tasks;
+  server_vardir = config.services.taskserver.dataDir;
+  fqdn = "task.immae.eu";
+  user = config.services.taskserver.user;
+  env = myconfig.env.tools.task;
+  group = config.services.taskserver.group;
+  taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
+    mkdir -p $out/bin
+    cat > $out/bin/taskserver-user-certs <<"EOF"
+    #!/usr/bin/env bash
+    user=$1
+    silent_certtool() {
+      if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+        echo "GNUTLS certtool invocation failed with output:" >&2
+        echo "$output" >&2
+      fi
+    }
+    silent_certtool -p \
+      --bits 4096 \
+      --outfile "${server_vardir}/userkeys/$user.key.pem"
+    ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem"
+    silent_certtool -c \
+      --template "${pkgs.writeText "taskserver-ca.template" ''
+        tls_www_client
+        encryption_key
+        signing_key
+        expiration_days = 3650
+      ''}" \
+      --load-ca-certificate "${server_vardir}/keys/ca.cert" \
+      --load-ca-privkey "${server_vardir}/keys/ca.key" \
+      --load-privkey "${server_vardir}/userkeys/$user.key.pem" \
+      --outfile "${server_vardir}/userkeys/$user.cert.pem"
+    EOF
+    chmod a+x $out/bin/taskserver-user-certs
+    patchShebangs $out/bin/taskserver-user-certs
+    '';
+  taskwarrior-web = pkgs.webapps.taskwarrior-web;
+  socketsDir = "/run/taskwarrior-web";
+  varDir = "/var/lib/taskwarrior-web";
+  taskwebPages = let
+    uidPages = lib.attrsets.zipAttrs (
+      lib.lists.flatten
+        (lib.attrsets.mapAttrsToList (k: c: map (v: { "${v}" = k; }) c.uid) env.taskwarrior-web)
+      );
+    pages = lib.attrsets.mapAttrs (uid: items:
+      if lib.lists.length items == 1 then
+      ''
+        <html>
+        <head>
+          <meta http-equiv="refresh" content="0; url=/taskweb/${lib.lists.head items}/" />
+        </head>
+        <body></body>
+        </html>
+        ''
+      else
+      ''
+        <html>
+        <head>
+        <title>To-do list disponibles</title>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        </head>
+        <body>
+          <ul>
+            ${builtins.concatStringsSep "\n" (map (item: "<li><a href='/taskweb/${item}'>${item}</a></li>") items)}
+          </ul>
+        </body>
+        </html>
+        ''
+    ) uidPages;
+  in
+    pkgs.runCommand "taskwerver-pages" {} ''
+      mkdir -p $out/
+      ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "cp ${pkgs.writeText k v} $out/${k}.html") pages)}
+      echo "Please login" > $out/index.html
+      '';
+in {
+  options.myServices.tasks = {
+    enable = lib.mkEnableOption "my tasks service";
+  };
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [{
+      dest = "webapps/tools-taskwarrior-web";
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+          SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
+          SetEnv TASKD_VARDIR        "${server_vardir}"
+          SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
+          SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
+          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+          SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
+          SetEnv TASKD_LDAP_FILTER   "${env.ldap.search}"
+        '';
+    }];
+    services.websites.tools.modules = [ "proxy_fcgi" "sed" ];
+    services.websites.tools.vhostConfs.task = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "task.immae.eu" ];
+      root        = "/run/current-system/webapps/_task";
+      extraConfig = [ ''
+        <Directory /run/current-system/webapps/_task>
+          DirectoryIndex index.php
+          Use LDAPConnect
+          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
+          </FilesMatch>
+          Include /var/secrets/webapps/tools-taskwarrior-web
+        </Directory>
+        ''
+        ''
+        <Macro Taskwarrior %{folderName}>
+          ProxyPass        "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
+          ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
+          ProxyPassReverse http://${fqdn}/
+          SetOutputFilter Sed
+          OutputSed   "s|/ajax|/taskweb/%{folderName}/ajax|g"
+          OutputSed   "s|\([^x]\)/tasks|\1/taskweb/%{folderName}/tasks|g"
+          OutputSed   "s|\([^x]\)/projects|\1/taskweb/%{folderName}/projects|g"
+          OutputSed   "s|http://${fqdn}/|/taskweb/%{folderName}/|g"
+          OutputSed   "s|/img/relax.jpg|/taskweb/%{folderName}/img/relax.jpg|g"
+        </Macro>
+        ''
+        ''
+        Alias /taskweb ${taskwebPages}
+        <Directory "${taskwebPages}">
+          DirectoryIndex index.html
+          Require all granted
+        </Directory>
+        RewriteEngine on
+        RewriteRule ^/taskweb$ /taskweb/ [R=301,L]
+        RedirectMatch permanent ^/taskweb/([^/]+)$ /taskweb/$1/
+        RewriteCond %{LA-U:REMOTE_USER} !=""
+        RewriteCond ${taskwebPages}/%{LA-U:REMOTE_USER}.html -f
+        RewriteRule ^/taskweb/?$ ${taskwebPages}/%{LA-U:REMOTE_USER}.html [L]
+        <Location /taskweb/>
+          Use LDAPConnect
+          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
+        </Location>
+        ''
+      ] ++ (lib.attrsets.mapAttrsToList (k: v: ''
+        <Location /taskweb/${k}/>
+          ${builtins.concatStringsSep "\n" (map (uid: "Require ldap-attribute   uid=${uid}") v.uid)}
+          Use Taskwarrior ${k}
+        </Location>
+        '') env.taskwarrior-web);
+    };
+    services.phpfpm.poolConfigs = {
+      tasks = ''
+        listen = /var/run/phpfpm/task.sock
+        user = ${user}
+        group = ${group}
+        listen.owner = wwwrun
+        listen.group = wwwrun
+        pm = dynamic
+        pm.max_children = 60
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 10
+        ; Needed to avoid clashes in browser cookies (same domain)
+        env[PATH] = "/etc/profiles/per-user/${user}/bin"
+        php_value[session.name] = TaskPHPSESSID
+        php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"
+      '';
+    };
+    myServices.websites.webappDirs._task = ./www;
+    security.acme.certs."task" = config.services.myCertificates.certConfig // {
+      inherit user group;
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      domain = fqdn;
+      postRun = ''
+        systemctl restart taskserver.service
+      '';
+    };
+    users.users.${user}.packages = [ taskserver-user-certs ];
+    system.activationScripts.taskserver = {
+      deps = [ "users" ];
+      text = ''
+        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}
+        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys
+        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys
+        if [ ! -e "${server_vardir}/keys/ca.key" ]; then
+          silent_certtool() {
+            if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+              echo "GNUTLS certtool invocation failed with output:" >&2
+              echo "$output" >&2
+            fi
+          }
+          silent_certtool -p \
+            --bits 4096 \
+            --outfile "${server_vardir}/keys/ca.key"
+          silent_certtool -s \
+            --template "${pkgs.writeText "taskserver-ca.template" ''
+              cn = ${fqdn}
+              expiration_days = -1
+              cert_signing_key
+              ca
+            ''}" \
+            --load-privkey "${server_vardir}/keys/ca.key" \
+            --outfile "${server_vardir}/keys/ca.cert"
+          chown :${group} "${server_vardir}/keys/ca.key"
+          chmod g+r "${server_vardir}/keys/ca.key"
+        fi
+      '';
+    };
+    services.taskserver = {
+      enable = true;
+      allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
+      inherit fqdn;
+      listenHost = "::";
+      pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
+      pki.manual.server.cert = "${config.security.acme.directory}/task/fullchain.pem";
+      pki.manual.server.crl = "${config.security.acme.directory}/task/invalid.crl";
+      pki.manual.server.key = "${config.security.acme.directory}/task/key.pem";
+      requestLimit = 104857600;
+    };
+    system.activationScripts.taskwarrior-web = {
+      deps = [ "users" ];
+      text = ''
+        if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
+          ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
+          chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
+        fi
+      '';
+    };
+    systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
+      let
+        credentials = "${userConfig.org}/${name}/${userConfig.key}";
+        dateFormat = userConfig.date;
+        taskrc = pkgs.writeText "taskrc" ''
+          data.location=${varDir}/${name}
+          taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
+          taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
+          # IdenTrust DST Root CA X3
+          # obtained here: https://letsencrypt.org/fr/certificates/
+          taskd.ca=${pkgs.writeText "ca.cert" ''
+            -----BEGIN CERTIFICATE-----
+            MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+            MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+            DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+            PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+            Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+            AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+            rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+            OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+            xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+            7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+            aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+            HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+            SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+            ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+            AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+            R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+            JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+            Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+            -----END CERTIFICATE-----''}
+          taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
+          taskd.credentials=${credentials}
+          dateformat=${dateFormat}
+          '';
+      in lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
+        description = "Taskwarrior webapp for ${name}";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        path = [ pkgs.taskwarrior ];
+        environment.TASKRC = taskrc;
+        environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
+        environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
+        environment.LC_ALL = "fr_FR.UTF-8";
+        script = ''
+          exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
+        '';
+        serviceConfig = {
+          User = user;
+          PrivateTmp = true;
+          Restart = "always";
+          TimeoutSec = 60;
+          Type = "simple";
+          WorkingDirectory = taskwarrior-web;
+          StateDirectoryMode = 0750;
+          StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
+            (lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
+          RuntimeDirectoryPreserve = "yes";
+          RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
+            lib.strings.removePrefix "/run/" socketsDir;
+        };
+        unitConfig.RequiresMountsFor = varDir;
+      }) env.taskwarrior-web) // {
+        taskserver-ca.postStart = ''
+          chown :${group} "${server_vardir}/keys/ca.key"
+          chmod g+r "${server_vardir}/keys/ca.key"
+        '';
+      };
+  };
+}
diff --git a/modules/private/tasks/www/index.php b/modules/private/tasks/www/index.php
new file mode 100644
index 0000000..deaf8af
--- /dev/null
+++ b/modules/private/tasks/www/index.php
@@ -0,0 +1,157 @@
+<?php
+if (!isset($_SERVER["REMOTE_USER"])) {
+  die("please login");
+}
+$ldap_user = $_SERVER["REMOTE_USER"];
+$ldap_host = getenv("TASKD_LDAP_HOST");
+$ldap_dn = getenv('TASKD_LDAP_DN');
+$ldap_password = getenv('TASKD_LDAP_PASSWORD');
+$ldap_base = getenv('TASKD_LDAP_BASE');
+$ldap_filter = getenv('TASKD_LDAP_FILTER');
+$host   = getenv('TASKD_HOST');
+$vardir = getenv('TASKD_VARDIR');
+$connect = ldap_connect($ldap_host);
+ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
+if (!$connect || !ldap_bind($connect, $ldap_dn, $ldap_password)) {
+  die("impossible to connect to LDAP");
+}
+$search_query = str_replace('%login%', ldap_escape($ldap_user), $ldap_filter);
+$search = ldap_search($connect, $ldap_base, $search_query);
+$info = ldap_get_entries($connect, $search);
+if (ldap_count_entries($connect, $search) != 1) {
+  die("Impossible to find user in LDAP");
+}
+$entries = [];
+foreach($info[0]["immaetaskid"] as $key => $value) {
+  if ($key !== "count") {
+    $entries[] = explode(":", $value);
+  }
+}
+if (isset($_GET["file"])) {
+  $basecert = $vardir . "/userkeys/" . $ldap_user;
+  if (!file_exists($basecert . ".cert.pem")) {
+    exec("taskserver-user-certs $ldap_user");
+  }
+  $certificate = file_get_contents($basecert . ".cert.pem");
+  $cert_key    = file_get_contents($basecert . ".key.pem");
+  // IdenTrust DST Root CA X3
+  // obtained here: https://letsencrypt.org/fr/certificates/
+  $server_cert = "-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----";
+  $file = $_GET["file"];
+  switch($file) {
+  case "ca.cert.pem":
+    $content = $server_cert;
+    $name    = "ca.cert.pem";
+    $type    = "application/x-x509-ca-cert";
+    break;
+  case "cert.pem":
+    $content = $certificate;
+    $name    = $ldap_user . ".cert.pem";
+    $type    = "application/x-x509-ca-cert";
+    break;
+  case "key.pem":
+    $content = $cert_key;
+    $name    = $ldap_user . ".key.pem";
+    $type    = "application/x-x509-ca-cert";
+    break;
+  case "mirakel";
+    foreach ($entries as $entry) {
+      list($org, $user, $key) = $entry;
+      if ($key == $_GET["key"]) { break; }
+    }
+    $name    = $user . ".mirakel";
+    $type    = "text/plain";
+    $content = "username: $user
+org: $org
+user key: $key
+server: $host
+client.cert:
+$certificate
+Client.key:
+$cert_key
+ca.cert:
+$server_cert
+";
+    break;
+  default:
+    die("invalid file name");
+    break;
+  }
+  header("Content-Type: $type");
+  header('Content-Disposition: attachment; filename="' . $name . '"');
+  header('Content-Transfer-Encoding: binary');
+  header('Accept-Ranges: bytes');
+  header('Cache-Control: private');
+  header('Pragma: private');
+  echo $content;
+  exit;
+}
+?>
+<html>
+<header>
+  <title>Taskwarrior configuration</title>
+</header>
+<body>
+<ul>
+  <li><a href="?file=ca.cert.pem">ca.cert.pem</a></li>
+  <li><a href="?file=cert.pem"><?php echo $ldap_user; ?>.cert.pem</a></li>
+  <li><a href="?file=key.pem"><?php echo $ldap_user; ?>.key.pem</a></li>
+</ul>
+For command line interface, download the files, put them near your Taskwarrior
+configuration files, and add that to your Taskwarrior configuration:
+<pre>
+taskd.certificate=/path/to/<?php echo $ldap_user; ?>.cert.pem
+taskd.key=/path/to/<?php echo $ldap_user; ?>.key.pem
+taskd.server=<?php echo $host ."\n"; ?>
+<?php if (count($entries) > 1) {
+  echo "# Chose one of them\n";
+  foreach($entries as $entry) {
+    list($org, $user, $key) = $entry;
+    echo "# taskd.credentials=$org/$user/$key\n";
+  }
+} else { ?>
+taskd.credentials=<?php echo $entries[0][0]; ?>/<?php echo $entries[0][1]; ?>/<?php echo $entries[0][2]; ?>
+<?php } ?>
+taskd.ca=/path/to/ca.cert.pem
+</pre>
+For Mirakel, download and import the file:
+<ul>
+<?php
+foreach ($entries as $entry) {
+  list($org, $user, $key) = $entry;
+  echo '<li><a href="?file=mirakel&key='.$key.'">' . $user . '.mirakel</a></li>';
+}
+?>
+</ul>
+For Android Taskwarrior app, see instructions <a href="https://bitbucket.org/kvorobyev/taskwarriorandroid/wiki/Configuration">here</a>.
+</body>
+</html>
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-22 20:55:28 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-05-22 20:55:28 +0200
commit	8d213e2b1c934f6861f76aad5eb7c11097fa97de (patch)
tree	23f8a2d5692deaeffffa1ab5f098b2d24b9e2217 /modules/private/tasks
parent	a1a8649a2be768685eb04c246c114fce36b8096f (diff)
download	Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.tar.gz Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.tar.zst Nix-8d213e2b1c934f6861f76aad5eb7c11097fa97de.zip

diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix new file mode 100644 index 0000000..30f49ee --- /dev/null +++ b/modules/private/tasks/default.nix
@@ -0,0 +1,327 @@
	1	{ lib, pkgs, config, myconfig, ... }:
	2	let
	3	cfg = config.myServices.tasks;
	4	server_vardir = config.services.taskserver.dataDir;
	5	fqdn = "task.immae.eu";
	6	user = config.services.taskserver.user;
	7	env = myconfig.env.tools.task;
	8	group = config.services.taskserver.group;
	9	taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
	10	mkdir -p $out/bin
	11	cat > $out/bin/taskserver-user-certs <<"EOF"
	12	#!/usr/bin/env bash
	13
	14	user=$1
	15
	16	silent_certtool() {
	17	if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
	18	echo "GNUTLS certtool invocation failed with output:" >&2
	19	echo "$output" >&2
	20	fi
	21	}
	22
	23	silent_certtool -p \
	24	--bits 4096 \
	25	--outfile "${server_vardir}/userkeys/$user.key.pem"
	26	${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem"
	27
	28	silent_certtool -c \
	29	--template "${pkgs.writeText "taskserver-ca.template" ''
	30	tls_www_client
	31	encryption_key
	32	signing_key
	33	expiration_days = 3650
	34	''}" \
	35	--load-ca-certificate "${server_vardir}/keys/ca.cert" \
	36	--load-ca-privkey "${server_vardir}/keys/ca.key" \
	37	--load-privkey "${server_vardir}/userkeys/$user.key.pem" \
	38	--outfile "${server_vardir}/userkeys/$user.cert.pem"
	39	EOF
	40	chmod a+x $out/bin/taskserver-user-certs
	41	patchShebangs $out/bin/taskserver-user-certs
	42	'';
	43	taskwarrior-web = pkgs.webapps.taskwarrior-web;
	44	socketsDir = "/run/taskwarrior-web";
	45	varDir = "/var/lib/taskwarrior-web";
	46	taskwebPages = let
	47	uidPages = lib.attrsets.zipAttrs (
	48	lib.lists.flatten
	49	(lib.attrsets.mapAttrsToList (k: c: map (v: { "${v}" = k; }) c.uid) env.taskwarrior-web)
	50	);
	51	pages = lib.attrsets.mapAttrs (uid: items:
	52	if lib.lists.length items == 1 then
	53	''
	54	<html>
	55	<head>
	56	<meta http-equiv="refresh" content="0; url=/taskweb/${lib.lists.head items}/" />
	57	</head>
	58	<body></body>
	59	</html>
	60	''
	61	else
	62	''
	63	<html>
	64	<head>
	65	<title>To-do list disponibles</title>
	66	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	67	<meta name="viewport" content="width=device-width, initial-scale=1" />
	68	</head>
	69	<body>
	70	<ul>
	71	${builtins.concatStringsSep "\n" (map (item: "<li><a href='/taskweb/${item}'>${item}</a></li>") items)}
	72	</ul>
	73	</body>
	74	</html>
	75	''
	76	) uidPages;
	77	in
	78	pkgs.runCommand "taskwerver-pages" {} ''
	79	mkdir -p $out/
	80	${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "cp ${pkgs.writeText k v} $out/${k}.html") pages)}
	81	echo "Please login" > $out/index.html
	82	'';
	83	in {
	84	options.myServices.tasks = {
	85	enable = lib.mkEnableOption "my tasks service";
	86	};
	87
	88	config = lib.mkIf cfg.enable {
	89	secrets.keys = [{
	90	dest = "webapps/tools-taskwarrior-web";
	91	user = "wwwrun";
	92	group = "wwwrun";
	93	permissions = "0400";
	94	text = ''
	95	SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
	96	SetEnv TASKD_VARDIR "${server_vardir}"
	97	SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
	98	SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
	99	SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
	100	SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
	101	SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
	102	'';
	103	}];
	104	services.websites.tools.modules = [ "proxy_fcgi" "sed" ];
	105	services.websites.tools.vhostConfs.task = {
	106	certName = "eldiron";
	107	addToCerts = true;
	108	hosts = [ "task.immae.eu" ];
	109	root = "/run/current-system/webapps/_task";
	110	extraConfig = [ ''
	111	<Directory /run/current-system/webapps/_task>
	112	DirectoryIndex index.php
	113	Use LDAPConnect
	114	Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
	115	<FilesMatch "\.php$">
	116	SetHandler "proxy:unix:/var/run/phpfpm/task.sock\|fcgi://localhost"
	117	</FilesMatch>
	118	Include /var/secrets/webapps/tools-taskwarrior-web
	119	</Directory>
	120	''
	121	''
	122	<Macro Taskwarrior %{folderName}>
	123	ProxyPass "unix://${socketsDir}/%{folderName}.sock\|http://localhost-%{folderName}/"
	124	ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock\|http://localhost-%{folderName}/"
	125	ProxyPassReverse http://${fqdn}/
	126
	127	SetOutputFilter Sed
	128	OutputSed "s\|/ajax\|/taskweb/%{folderName}/ajax\|g"
	129	OutputSed "s\|\([^x]\)/tasks\|\1/taskweb/%{folderName}/tasks\|g"
	130	OutputSed "s\|\([^x]\)/projects\|\1/taskweb/%{folderName}/projects\|g"
	131	OutputSed "s\|http://${fqdn}/\|/taskweb/%{folderName}/\|g"
	132	OutputSed "s\|/img/relax.jpg\|/taskweb/%{folderName}/img/relax.jpg\|g"
	133	</Macro>
	134	''
	135	''
	136	Alias /taskweb ${taskwebPages}
	137	<Directory "${taskwebPages}">
	138	DirectoryIndex index.html
	139	Require all granted
	140	</Directory>
	141
	142	RewriteEngine on
	143	RewriteRule ^/taskweb$ /taskweb/ [R=301,L]
	144	RedirectMatch permanent ^/taskweb/([^/]+)$ /taskweb/$1/
	145
	146	RewriteCond %{LA-U:REMOTE_USER} !=""
	147	RewriteCond ${taskwebPages}/%{LA-U:REMOTE_USER}.html -f
	148	RewriteRule ^/taskweb/?$ ${taskwebPages}/%{LA-U:REMOTE_USER}.html [L]
	149
	150	<Location /taskweb/>
	151	Use LDAPConnect
	152	Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
	153	</Location>
	154	''
	155	] ++ (lib.attrsets.mapAttrsToList (k: v: ''
	156	<Location /taskweb/${k}/>
	157	${builtins.concatStringsSep "\n" (map (uid: "Require ldap-attribute uid=${uid}") v.uid)}
	158
	159	Use Taskwarrior ${k}
	160	</Location>
	161	'') env.taskwarrior-web);
	162	};
	163	services.phpfpm.poolConfigs = {
	164	tasks = ''
	165	listen = /var/run/phpfpm/task.sock
	166	user = ${user}
	167	group = ${group}
	168	listen.owner = wwwrun
	169	listen.group = wwwrun
	170	pm = dynamic
	171	pm.max_children = 60
	172	pm.start_servers = 2
	173	pm.min_spare_servers = 1
	174	pm.max_spare_servers = 10
	175
	176	; Needed to avoid clashes in browser cookies (same domain)
	177	env[PATH] = "/etc/profiles/per-user/${user}/bin"
	178	php_value[session.name] = TaskPHPSESSID
	179	php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"
	180	'';
	181	};
	182
	183	myServices.websites.webappDirs._task = ./www;
	184
	185	security.acme.certs."task" = config.services.myCertificates.certConfig // {
	186	inherit user group;
	187	plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
	188	domain = fqdn;
	189	postRun = ''
	190	systemctl restart taskserver.service
	191	'';
	192	};
	193
	194	users.users.${user}.packages = [ taskserver-user-certs ];
	195
	196	system.activationScripts.taskserver = {
	197	deps = [ "users" ];
	198	text = ''
	199	install -m 0750 -o ${user} -g ${group} -d ${server_vardir}
	200	install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys
	201	install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys
	202
	203	if [ ! -e "${server_vardir}/keys/ca.key" ]; then
	204	silent_certtool() {
	205	if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
	206	echo "GNUTLS certtool invocation failed with output:" >&2
	207	echo "$output" >&2
	208	fi
	209	}
	210
	211	silent_certtool -p \
	212	--bits 4096 \
	213	--outfile "${server_vardir}/keys/ca.key"
	214
	215	silent_certtool -s \
	216	--template "${pkgs.writeText "taskserver-ca.template" ''
	217	cn = ${fqdn}
	218	expiration_days = -1
	219	cert_signing_key
	220	ca
	221	''}" \
	222	--load-privkey "${server_vardir}/keys/ca.key" \
	223	--outfile "${server_vardir}/keys/ca.cert"
	224
	225	chown :${group} "${server_vardir}/keys/ca.key"
	226	chmod g+r "${server_vardir}/keys/ca.key"
	227	fi
	228	'';
	229	};
	230
	231	services.taskserver = {
	232	enable = true;
	233	allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
	234	inherit fqdn;
	235	listenHost = "::";
	236	pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
	237	pki.manual.server.cert = "${config.security.acme.directory}/task/fullchain.pem";
	238	pki.manual.server.crl = "${config.security.acme.directory}/task/invalid.crl";
	239	pki.manual.server.key = "${config.security.acme.directory}/task/key.pem";
	240	requestLimit = 104857600;
	241	};
	242
	243	system.activationScripts.taskwarrior-web = {
	244	deps = [ "users" ];
	245	text = ''
	246	if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
	247	${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
	248	chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
	249	fi
	250	'';
	251	};
	252
	253	systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
	254	let
	255	credentials = "${userConfig.org}/${name}/${userConfig.key}";
	256	dateFormat = userConfig.date;
	257	taskrc = pkgs.writeText "taskrc" ''
	258	data.location=${varDir}/${name}
	259	taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
	260	taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
	261	# IdenTrust DST Root CA X3
	262	# obtained here: https://letsencrypt.org/fr/certificates/
	263	taskd.ca=${pkgs.writeText "ca.cert" ''
	264	-----BEGIN CERTIFICATE-----
	265	MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
	266	MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
	267	DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
	268	PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
	269	Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
	270	AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
	271	rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
	272	OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
	273	xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
	274	7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
	275	aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
	276	HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
	277	SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
	278	ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
	279	AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
	280	R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
	281	JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
	282	Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
	283	-----END CERTIFICATE-----''}
	284	taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
	285	taskd.credentials=${credentials}
	286	dateformat=${dateFormat}
	287	'';
	288	in lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
	289	description = "Taskwarrior webapp for ${name}";
	290	wantedBy = [ "multi-user.target" ];
	291	after = [ "network.target" ];
	292	path = [ pkgs.taskwarrior ];
	293
	294	environment.TASKRC = taskrc;
	295	environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
	296	environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
	297	environment.LC_ALL = "fr_FR.UTF-8";
	298
	299	script = ''
	300	exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
	301	'';
	302
	303	serviceConfig = {
	304	User = user;
	305	PrivateTmp = true;
	306	Restart = "always";
	307	TimeoutSec = 60;
	308	Type = "simple";
	309	WorkingDirectory = taskwarrior-web;
	310	StateDirectoryMode = 0750;
	311	StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
	312	(lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
	313	RuntimeDirectoryPreserve = "yes";
	314	RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
	315	lib.strings.removePrefix "/run/" socketsDir;
	316	};
	317
	318	unitConfig.RequiresMountsFor = varDir;
	319	}) env.taskwarrior-web) // {
	320	taskserver-ca.postStart = ''
	321	chown :${group} "${server_vardir}/keys/ca.key"
	322	chmod g+r "${server_vardir}/keys/ca.key"
	323	'';
	324	};
	325
	326	};
	327	}


diff --git a/modules/private/tasks/www/index.php b/modules/private/tasks/www/index.php new file mode 100644 index 0000000..deaf8af --- /dev/null +++ b/modules/private/tasks/www/index.php
@@ -0,0 +1,157 @@
	1	<?php
	2	if (!isset($_SERVER["REMOTE_USER"])) {
	3	die("please login");
	4	}
	5	$ldap_user = $_SERVER["REMOTE_USER"];
	6	$ldap_host = getenv("TASKD_LDAP_HOST");
	7	$ldap_dn = getenv('TASKD_LDAP_DN');
	8	$ldap_password = getenv('TASKD_LDAP_PASSWORD');
	9	$ldap_base = getenv('TASKD_LDAP_BASE');
	10	$ldap_filter = getenv('TASKD_LDAP_FILTER');
	11	$host = getenv('TASKD_HOST');
	12	$vardir = getenv('TASKD_VARDIR');
	13
	14	$connect = ldap_connect($ldap_host);
	15	ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
	16	if (!$connect \|\| !ldap_bind($connect, $ldap_dn, $ldap_password)) {
	17	die("impossible to connect to LDAP");
	18	}
	19
	20	$search_query = str_replace('%login%', ldap_escape($ldap_user), $ldap_filter);
	21
	22	$search = ldap_search($connect, $ldap_base, $search_query);
	23	$info = ldap_get_entries($connect, $search);
	24
	25	if (ldap_count_entries($connect, $search) != 1) {
	26	die("Impossible to find user in LDAP");
	27	}
	28
	29	$entries = [];
	30	foreach($info[0]["immaetaskid"] as $key => $value) {
	31	if ($key !== "count") {
	32	$entries[] = explode(":", $value);
	33	}
	34	}
	35
	36	if (isset($_GET["file"])) {
	37	$basecert = $vardir . "/userkeys/" . $ldap_user;
	38	if (!file_exists($basecert . ".cert.pem")) {
	39	exec("taskserver-user-certs $ldap_user");
	40	}
	41	$certificate = file_get_contents($basecert . ".cert.pem");
	42	$cert_key = file_get_contents($basecert . ".key.pem");
	43
	44	// IdenTrust DST Root CA X3
	45	// obtained here: https://letsencrypt.org/fr/certificates/
	46	$server_cert = "-----BEGIN CERTIFICATE-----
	47	MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
	48	MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
	49	DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
	50	PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
	51	Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
	52	AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
	53	rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
	54	OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
	55	xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
	56	7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
	57	aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
	58	HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
	59	SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
	60	ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
	61	AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
	62	R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
	63	JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
	64	Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
	65	-----END CERTIFICATE-----";
	66
	67	$file = $_GET["file"];
	68	switch($file) {
	69	case "ca.cert.pem":
	70	$content = $server_cert;
	71	$name = "ca.cert.pem";
	72	$type = "application/x-x509-ca-cert";
	73	break;
	74	case "cert.pem":
	75	$content = $certificate;
	76	$name = $ldap_user . ".cert.pem";
	77	$type = "application/x-x509-ca-cert";
	78	break;
	79	case "key.pem":
	80	$content = $cert_key;
	81	$name = $ldap_user . ".key.pem";
	82	$type = "application/x-x509-ca-cert";
	83	break;
	84	case "mirakel";
	85	foreach ($entries as $entry) {
	86	list($org, $user, $key) = $entry;
	87	if ($key == $_GET["key"]) { break; }
	88	}
	89	$name = $user . ".mirakel";
	90	$type = "text/plain";
	91	$content = "username: $user
	92	org: $org
	93	user key: $key
	94	server: $host
	95	client.cert:
	96	$certificate
	97	Client.key:
	98	$cert_key
	99	ca.cert:
	100	$server_cert
	101	";
	102	break;
	103	default:
	104	die("invalid file name");
	105	break;
	106	}
	107
	108	header("Content-Type: $type");
	109	header('Content-Disposition: attachment; filename="' . $name . '"');
	110	header('Content-Transfer-Encoding: binary');
	111	header('Accept-Ranges: bytes');
	112	header('Cache-Control: private');
	113	header('Pragma: private');
	114	echo $content;
	115	exit;
	116	}
	117	?>
	118	<html>
	119	<header>
	120	<title>Taskwarrior configuration</title>
	121	</header>
	122	<body>
	123	<ul>
	124	<li><a href="?file=ca.cert.pem">ca.cert.pem</a></li>
	125	<li><a href="?file=cert.pem"><?php echo $ldap_user; ?>.cert.pem</a></li>
	126	<li><a href="?file=key.pem"><?php echo $ldap_user; ?>.key.pem</a></li>
	127	</ul>
	128	For command line interface, download the files, put them near your Taskwarrior
	129	configuration files, and add that to your Taskwarrior configuration:
	130	<pre>
	131	taskd.certificate=/path/to/<?php echo $ldap_user; ?>.cert.pem
	132	taskd.key=/path/to/<?php echo $ldap_user; ?>.key.pem
	133	taskd.server=<?php echo $host ."\n"; ?>
	134	<?php if (count($entries) > 1) {
	135	echo "# Chose one of them\n";
	136	foreach($entries as $entry) {
	137	list($org, $user, $key) = $entry;
	138	echo "# taskd.credentials=$org/$user/$key\n";
	139	}
	140	} else { ?>
	141	taskd.credentials=<?php echo $entries[0][0]; ?>/<?php echo $entries[0][1]; ?>/<?php echo $entries[0][2]; ?>
	142	<?php } ?>
	143	taskd.ca=/path/to/ca.cert.pem
	144	</pre>
	145	For Mirakel, download and import the file:
	146	<ul>
	147	<?php
	148	foreach ($entries as $entry) {
	149	list($org, $user, $key) = $entry;
	150	echo '<li><a href="?file=mirakel&key='.$key.'">' . $user . '.mirakel</a></li>';
	151	}
	152	?>
	153	</ul>
	154	For Android Taskwarrior app, see instructions <a href="https://bitbucket.org/kvorobyev/taskwarriorandroid/wiki/Configuration">here</a>.
	155	</body>
	156	</html>
	157