Diffstat (limited to 'modules/private/system/quatresaisons/databases.nix')
-rw-r--r-- | modules/private/system/quatresaisons/databases.nix | 147 |
1 files changed, 0 insertions, 147 deletions
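--- a/modules/private/system/quatresaisons/databases.nix
+++ /dev/null
@@ -1,147 +0,0 @@
-{ pkgs, config, lib, ... }:
-{
-config = let
-serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
-phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
-in {
-services.postgresql.enable = true;
-services.postgresql.package = pkgs.postgresql_12;
-services.postgresql.ensureUsers = [
-{ name = "naemon"; }
-];
-secrets.keys = {
-"ldap/password" = {
-permissions = "0400";
-user = "openldap";
-group = "openldap";
-text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
-};
-"webapps/tools-ldap" = {
-user = "wwwrun";
-group = "wwwrun";
-permissions = "0400";
-text = ''
-<?php
-$config->custom->appearance['show_clear_password'] = true;
-$config->custom->appearance['hide_template_warning'] = true;
-$config->custom->appearance['theme'] = "tango";
-$config->custom->appearance['minimalMode'] = false;
-$config->custom->appearance['tree'] = 'AJAXTree';
-
-$servers = new Datastore();
-
-$servers->newServer('ldap_pla');
-$servers->setValue('server','name','LDAP');
-$servers->setValue('server','host','ldap://localhost');
-$servers->setValue('login','auth_type','cookie');
-$servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
-$servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
-$servers->setValue('appearance','pla_password_hash','ssha');
-$servers->setValue('login','attr','uid');
-$servers->setValue('login','fallback_dn',true);
-'';
-};
-};
-
-users.users.openldap.extraGroups = [ "keys" ];
-services.openldap = {
-enable = true;
-dataDir = "/var/lib/openldap";
-urlList = [ "ldap://localhost" ];
-logLevel = "none";
-extraConfig = ''
-pidfile /run/slapd/slapd.pid
-argsfile /run/slapd/slapd.args
-
-moduleload back_hdb
-backend hdb
-'';
-
-extraDatabaseConfig = ''
-moduleload memberof
-overlay memberof
-
-moduleload syncprov
-overlay syncprov
-syncprov-checkpoint 100 10
-
-index objectClass eq
-index uid pres,eq
-#index uidMember pres,eq
-index mail pres,sub,eq
-index cn pres,sub,eq
-index sn pres,sub,eq
-index dc eq
-index member eq
-index memberOf eq
-
-# No one must access that information except root
-access to attrs=description
-by * none
-
-access to attrs=entry,uid filter="(uid=*)"
-by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
-by * break
-
-access to dn.subtree="ou=users,dc=salle-s,dc=org"
-by dn.subtree="ou=services,dc=salle-s,dc=org" read
-by * break
-
-access to *
-by self read
-by anonymous auth
-by * break
-'';
-rootpwFile = config.secrets.fullPaths."ldap/password";
-suffix = "dc=salle-s,dc=org";
-rootdn = "cn=root,dc=salle-s,dc=org";
-database = "hdb";
-};
-
-services.websites.env.production.modules = [ "proxy_fcgi" ];
-services.websites.env.production.vhostConfs.tools.extraConfig = [
-''
-Alias /ldap "${phpLdapAdmin}/htdocs"
-<Directory "${phpLdapAdmin}/htdocs">
-DirectoryIndex index.php
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
-</FilesMatch>
-
-AllowOverride None
-Require all granted
-</Directory>
-''
-];
-services.phpfpm.pools.ldap = {
-user = "wwwrun";
-group = "wwwrun";
-settings =
-let
-basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ];
-in {
-"listen.owner" = "wwwrun";
-"listen.group" = "wwwrun";
-"pm" = "ondemand";
-"pm.max_children" = "60";
-"pm.process_idle_timeout" = "60";
-
-# Needed to avoid clashes in browser cookies (same domain)
-"php_value[session.name]" = "LdapPHPSESSID";
-"php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
-"php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
-};
-phpPackage = pkgs.php72;
-};
-system.activationScripts.ldap = {
-deps = [ "users" ];
-text = ''
-install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
-'';
-};
-systemd.services.phpfpm-ldap = {
-after = lib.mkAfter [ "openldap.service" ];
-wants = [ "openldap.service" ];
-};
-};
-}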