Diffstat (limited to 'nixops/modules/task/default.nix')
-rw-r--r-- | nixops/modules/task/default.nix | 131 |
1 files changed, 131 insertions, 0 deletions
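--- /dev/null
+++ b/nixops/modules/task/default.nix
@@ -0,0 +1,131 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+cfg = config.services.myTasks;
+vardir = config.services.taskserver.dataDir;
+fqdn = "task.immae.eu";
+user = config.services.taskserver.user;
+env = myconfig.env.tools.task;
+group = config.services.taskserver.group;
+in {
+options.services.myTasks = {
+enable = lib.mkEnableOption "my tasks service";
+};
+
+config = lib.mkIf cfg.enable {
+security.acme.certs."eldiron".extraDomains.${fqdn} = null;
+services.myWebsites.tools.modules = [ "proxy_fcgi" ];
+services.myWebsites.tools.vhostConfs.task = {
+certName = "eldiron";
+hosts = [ "task.immae.eu" ];
+root = "/run/current-system/webapps/_task";
+extraConfig = [ ''
+<Directory /run/current-system/webapps/_task>
+DirectoryIndex index.php
+Use LDAPConnect
+Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
+</FilesMatch>
+SetEnv TASKD_HOST "${fqdn}:${toString config.services.taskserver.listenPort}"
+SetEnv TASKD_VARDIR "${vardir}"
+SetEnv TASKD_LDAP_HOST "ldaps://${env.ldap.host}"
+SetEnv TASKD_LDAP_DN "${env.ldap.dn}"
+SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
+SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
+</Directory>
+'' ];
+};
+services.myPhpfpm.poolConfigs = {
+tasks = ''
+listen = /var/run/phpfpm/task.sock
+user = ${user}
+group = ${group}
+listen.owner = wwwrun
+listen.group = wwwrun
+pm = dynamic
+pm.max_children = 60
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 10
+
+; Needed to avoid clashes in browser cookies (same domain)
+env[PATH] = "/etc/profiles/per-user/${user}/bin"
+php_value[session.name] = TaskPHPSESSID
+php_admin_value[open_basedir] = "${./www}:/tmp:${vardir}:/etc/profiles/per-user/${user}/bin/"
+'';
+};
+
+system.extraSystemBuilderCmds = ''
+ln -s ${./www} $out/webapps/_task
+'';
+
+security.acme.certs."task" = config.services.myCertificates.certConfig // {
+inherit user group;
+plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+domain = fqdn;
+postRun = ''
+systemctl restart taskserver.service
+'';
+};
+
+users.users.${user}.packages = [
+(pkgs.runCommand "taskserver-user-certs" {} ''
+mkdir -p $out/bin
+cat > $out/bin/taskserver-user-certs <<"EOF"
+#!/usr/bin/env bash
+
+user=$1
+
+silent_certtool() {
+if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+echo "GNUTLS certtool invocation failed with output:" >&2
+echo "$output" >&2
+fi
+}
+
+silent_certtool -p \
+--bits 4096 \
+--outfile "${vardir}/userkeys/$user.key.pem"
+${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${vardir}/userkeys/$user.key.pem"
+
+silent_certtool -c \
+--template "${pkgs.writeText "taskserver-ca.template" ''
+tls_www_client
+encryption_key
+signing_key
+expiration_days = 3650
+''}" \
+--load-ca-certificate "${vardir}/keys/ca.cert" \
+--load-ca-privkey "${vardir}/keys/ca.key" \
+--load-privkey "${vardir}/userkeys/$user.key.pem" \
+--outfile "${vardir}/userkeys/$user.cert.pem"
+EOF
+chmod a+x $out/bin/taskserver-user-certs
+patchShebangs $out/bin/taskserver-user-certs
+'')
+];
+
+systemd.services.taskserver-ca.postStart = ''
+chown :${group} "${vardir}/keys/ca.key"
+chmod g+r "${vardir}/keys/ca.key"
+'';
+
+system.activationScripts.taskserver = {
+deps = [ "users" ];
+text = ''
+install -m 0750 -o ${user} -g ${group} -d ${vardir}
+install -m 0750 -o ${user} -g ${group} -d ${vardir}/userkeys
+install -m 0750 -o ${user} -g ${group} -d ${vardir}/keys
+'';
+};
+
+services.taskserver = {
+enable = true;
+allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
+inherit fqdn;
+listenHost = "::";
+requestLimit = 104857600;
+};
+};
+}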
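Review bot: The LDAP bind password at file line 33 (`SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"`) is interpolated into the Apache vhost string, so it is written into a world-readable path under /nix/store; the same holds for any other `env.ldap.*` value that is sensitive. Keep the secret out of the evaluated expression by pointing the application at a root-owned file outside the store (for example a NixOps deployment key under `/run/keys/`) and reading it at runtime, if the PHP side can be made to accept a file path instead of the value. Separately, lines 110–111 make `ca.key` readable by `${group}`, while lines 42–43 and 55 run the LDAP-exposed PHP pool as that same user/group with all of `${vardir}` inside `open_basedir`, so a code-execution bug in the web app would expose the CA private key and with it the ability to mint client certificates for any user; putting the signing step behind a privileged helper, or at minimum excluding `${vardir}/keys` from `open_basedir`, would contain that. Finally, `silent_certtool` (lines 80–85) reports a failure but still returns 0, so the `sed -i` and the signing step proceed on a missing or partial key file; add `return 1` after the `echo "$output" >&2` line, and validate `$1` before it is used in the `${vardir}/userkeys/$user.*` paths, e.g. `[[ $user =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`, since a name containing `/` or `..` would place the key and certificate outside `userkeys`.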