Diffstat (limited to 'modules/private/websites/tools/tools/ldap.nix')
-rw-r--r-- | modules/private/websites/tools/tools/ldap.nix | 74 |
1 files changed, 74 insertions, 0 deletions
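--- /dev/null
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -0,0 +1,74 @@
+{ lib, php, env, writeText, phpldapadmin }:
+rec {
+activationScript = {
+deps = [ "httpd" ];
+text = ''
+install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin
+'';
+};
+keys = [{
+dest = "webapps/tools-ldap";
+user = apache.user;
+group = apache.group;
+permissions = "0400";
+text = ''
+<?php
+$config->custom->appearance['show_clear_password'] = true;
+$config->custom->appearance['hide_template_warning'] = true;
+$config->custom->appearance['theme'] = "tango";
+$config->custom->appearance['minimalMode'] = true;
+
+$servers = new Datastore();
+
+$servers->newServer('ldap_pla');
+$servers->setValue('server','name','Immae’s LDAP');
+$servers->setValue('server','host','ldaps://${env.ldap.host}');
+$servers->setValue('login','auth_type','cookie');
+$servers->setValue('login','bind_id','${env.ldap.dn}');
+$servers->setValue('login','bind_pass','${env.ldap.password}');
+$servers->setValue('appearance','password_hash','ssha');
+$servers->setValue('login','attr','uid');
+$servers->setValue('login','fallback_dn',true);
+'';
+}];
+webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+apache = rec {
+user = "wwwrun";
+group = "wwwrun";
+modules = [ "proxy_fcgi" ];
+webappName = "tools_ldap";
+root = "/run/current-system/webapps/${webappName}";
+vhostConf = ''
+Alias /ldap "${root}"
+<Directory "${root}">
+DirectoryIndex index.php
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+
+AllowOverride None
+Require all granted
+</Directory>
+'';
+};
+phpFpm = rec {
+serviceDeps = [ "openldap.service" ];
+basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
+socket = "/var/run/phpfpm/ldap.sock";
+pool = ''
+listen = ${socket}
+user = ${apache.user}
+group = ${apache.group}
+listen.owner = ${apache.user}
+listen.group = ${apache.group}
+pm = ondemand
+pm.max_children = 60
+pm.process_idle_timeout = 60
+
+; Needed to avoid clashes in browser cookies (same domain)
+php_value[session.name] = LdapPHPSESSID
+php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"
+php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin"
+'';
+};
+}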
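Review bot: The session directory created at hunk line 6 is installed with mode 0755, so every local account on the host can list `/var/lib/php/sessions/phpldapadmin`; PHP's file session handler names each file after its session id, so a directory listing exposes live ids even though the files themselves default to 0600. Only the FPM pool user (the `apache.user` owner set on that same line) needs to reach it, since `session.save_path` at hunk line 71 runs under that user, so the directory should be created with `install -m 0700 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin`. It would also help to note next to the `keys` entry why its mode is 0400 and why `open_basedir` at hunk line 70 includes the secrets path, e.g. `# 0400, pool user only: this file embeds env.ldap.password as the bind_pass`.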