many changes

2025-06-17 16:46:01 +02:00
parent 91394ef68a
commit 6aeb0c9f89
10 changed files with 180 additions and 26 deletions
--- a/hosts/fw/modules/web/phpldapadmin.nix
+++ b/hosts/fw/modules/web/phpldapadmin.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  phpldapadmin = pkgs.callPackage ../../pkgs/phpldapadmin.nix {};
+  fpm = config.services.phpfpm.pools.phpldapadmin;
+  stateDir = "/var/lib/phpldapadmin";
+  domain = "phpldapadmin.cloonar.com";
+in
+{
+
+  users.users.phpldapadmin = {
+    description = "PHPLdapAdmin Service";
+    home = stateDir;
+    useDefaultShell = true;
+    group = "phpldapadmin";
+    isSystemUser = true;
+  };
+
+  users.groups.phpldapadmin = { };
+
+  sops.secrets.phpldapadmin.owner = "phpldapadmin";
+
+  environment.etc."phpldapadmin/env".source = config.sops.secrets.phpldapadmin.path;
+
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "${domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        acmeRoot = null;
+        root = stateDir;
+        locations."/" = {
+          root = "${phpldapadmin}/public";
+          index = "index.php";
+          extraConfig = ''
+            location ~* \.php(/|$) {
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
+              fastcgi_pass unix:${fpm.socket};
+
+              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+              fastcgi_param PATH_INFO       $fastcgi_path_info;
+
+              include ${pkgs.nginx}/conf/fastcgi_params;
+              include ${pkgs.nginx}/conf/fastcgi.conf;
+            }
+          '';
+        };
+      };
+    };
+  };
+
+  environment.etc.nginx_allowed_groups = {
+    text = "employees";
+    mode = "0444";
+  };
+
+  security.pam.services.nginx.text = ''
+    # auth    required     pam_listfile.so \
+    #                      item=group sense=allow onerr=fail file=/etc/nginx_allowed_groups
+    auth    required     ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
+    account required     ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
+  '';
+  
+  services.phpfpm.pools.phpldapadmin = {
+    user = "phpldapadmin";
+    phpOptions = ''
+      error_log = 'stderr'
+      log_errors = on
+    '';
+    settings = mapAttrs (name: mkDefault) {
+      "listen.owner" = "nginx";
+      "listen.group" = "nginx";
+      "listen.mode" = "0660";
+      "pm" = "dynamic";
+      "pm.max_children" = 75;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 1;
+      "pm.max_spare_servers" = 20;
+      "pm.max_requests" = 500;
+      "catch_workers_output" = true;
+    };
+    phpEnv."PATH" = pkgs.lib.makeBinPath [
+      pkgs.which
+      phpldapadmin
+    ];
+  };
+
+  systemd.tmpfiles.rules = [
+    "d '${stateDir}' 0750 phpldapadmin phpldapadmin - -"
+  ];
+
+}