aboutsummaryrefslogtreecommitdiff
path: root/modules/private/system/quatresaisons/databases.nix
blob: 3491ae4fccdcb4b28e530c7f59ba73901280ebfc (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
{ pkgs, config, lib, ... }:
{
  config = let
    serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
    phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
  in {
    services.postgresql.enable = true;
    services.postgresql.package = pkgs.postgresql_12;
    secrets.keys = [
      {
        dest = "ldap/password";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = "rootpw      ${serverSpecificConfig.ldap_root_pw}";
      }
      {
        dest = "webapps/tools-ldap";
        user = "wwwrun";
        group = "wwwrun";
        permissions = "0400";
        text = ''
          <?php
          $config->custom->appearance['show_clear_password'] = true;
          $config->custom->appearance['hide_template_warning'] = true;
          $config->custom->appearance['theme'] = "tango";
          $config->custom->appearance['minimalMode'] = false;
          $config->custom->appearance['tree'] = 'AJAXTree';

          $servers = new Datastore();

          $servers->newServer('ldap_pla');
          $servers->setValue('server','name','LDAP');
          $servers->setValue('server','host','ldap://localhost');
          $servers->setValue('login','auth_type','cookie');
          $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
          $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
          $servers->setValue('appearance','pla_password_hash','ssha');
          $servers->setValue('login','attr','uid');
          $servers->setValue('login','fallback_dn',true);
        '';
      }
    ];

    users.users.openldap.extraGroups = [ "keys" ];
    services.openldap = {
      enable = true;
      dataDir = "/var/lib/openldap";
      urlList = [ "ldap://localhost" ];
      logLevel = "none";
      extraConfig = ''
        pidfile     /run/slapd/slapd.pid
        argsfile    /run/slapd/slapd.args

        moduleload  back_hdb
        backend     hdb
      '';

      extraDatabaseConfig = ''
        moduleload  memberof
        overlay     memberof

        moduleload  syncprov
        overlay     syncprov
        syncprov-checkpoint 100 10

        index   objectClass       eq
        index   uid               pres,eq
        #index   uidMember         pres,eq
        index   mail              pres,sub,eq
        index   cn                pres,sub,eq
        index   sn                pres,sub,eq
        index   dc                eq
        index   member            eq
        index   memberOf          eq

        # No one must access that information except root
        access to attrs=description
          by * none

        access to attrs=entry,uid filter="(uid=*)"
          by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
          by * break

        access to dn.subtree="ou=users,dc=salle-s,dc=org"
          by dn.subtree="ou=services,dc=salle-s,dc=org" read
          by * break

        access to *
          by self read
          by anonymous auth
          by * break
      '';
      rootpwFile = "${config.secrets.location}/ldap/password";
      suffix = "dc=salle-s,dc=org";
      rootdn = "cn=root,dc=salle-s,dc=org";
      database = "hdb";
    };

    services.websites.env.production.modules = [ "proxy_fcgi" ];
    services.websites.env.production.vhostConfs.tools.extraConfig = [
      ''
        Alias /ldap "${phpLdapAdmin}/htdocs"
        <Directory "${phpLdapAdmin}/htdocs">
          DirectoryIndex index.php
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
          </FilesMatch>

          AllowOverride None
          Require all granted
        </Directory>
      ''
    ];
    services.phpfpm.pools.ldap = {
      user = "wwwrun";
      group = "wwwrun";
      settings =
        let
          basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
        in {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "ondemand";
          "pm.max_children" = "60";
          "pm.process_idle_timeout" = "60";

          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "LdapPHPSESSID";
          "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
          "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
        };
      phpPackage = pkgs.php72;
    };
    system.activationScripts.ldap = {
      deps = [ "users" ];
      text = ''
        install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
        '';
    };
    systemd.services.phpfpm-ldap = {
      after = lib.mkAfter [ "openldap.service" ];
      wants = [ "openldap.service" ];
    };
  };
}