feat: many changes
@@ -2,94 +2,51 @@
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
phpldapadmin = pkgs.callPackage ../../pkgs/phpldapadmin.nix {};
|
||||
fpm = config.services.phpfpm.pools.phpldapadmin;
|
||||
stateDir = "/var/lib/phpldapadmin";
|
||||
domain = "phpldapadmin.cloonar.com";
|
||||
in
|
||||
{
|
||||
|
||||
users.users.phpldapadmin = {
|
||||
description = "PHPLdapAdmin Service";
|
||||
home = stateDir;
|
||||
useDefaultShell = true;
|
||||
group = "phpldapadmin";
|
||||
isSystemUser = true;
|
||||
virtualisation.oci-containers.backend = "podman";
|
||||
virtualisation.oci-containers.containers = {
|
||||
phpldapadmin = {
|
||||
image = "phpldapadmin/phpldapadmin:latest";
|
||||
autoStart = true;
|
||||
ports = [
|
||||
"8087:8080/tcp"
|
||||
];
|
||||
environmentFiles = [
|
||||
config.sops.secrets.phpldapadmin.path
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
users.groups.phpldapadmin = { };
|
||||
|
||||
sops.secrets.phpldapadmin.owner = "phpldapadmin";
|
||||
|
||||
environment.etc."phpldapadmin/env".source = config.sops.secrets.phpldapadmin.path;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
acmeRoot = null;
|
||||
root = stateDir;
|
||||
locations."/" = {
|
||||
root = "${phpldapadmin}/public";
|
||||
index = "index.php";
|
||||
extraConfig = ''
|
||||
location ~* \.php(/|$) {
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:${fpm.socket};
|
||||
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
|
||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||
}
|
||||
'';
|
||||
};
|
||||
systemd.timers."restart-phpldapadmin" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = {
|
||||
OnCalendar = "*-*-* 3:00:00";
|
||||
Unit = "restart-phpldapadmin.service";
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pla.cloonar.com" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
acmeRoot = null;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:8087";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc.nginx_allowed_groups = {
|
||||
text = "employees";
|
||||
mode = "0444";
|
||||
};
|
||||
|
||||
security.pam.services.nginx.text = ''
|
||||
# auth required pam_listfile.so \
|
||||
# item=group sense=allow onerr=fail file=/etc/nginx_allowed_groups
|
||||
auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
||||
account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
||||
'';
|
||||
|
||||
services.phpfpm.pools.phpldapadmin = {
|
||||
user = "phpldapadmin";
|
||||
phpOptions = ''
|
||||
error_log = 'stderr'
|
||||
log_errors = on
|
||||
systemd.services."restart-phpldapadmin" = {
|
||||
script = ''
|
||||
set -eu
|
||||
if ${pkgs.systemd}/bin/systemctl is-active --quiet podman-phpldapadmin.service; then
|
||||
${pkgs.systemd}/bin/systemctl restart podman-phpldapadmin.service
|
||||
fi
|
||||
'';
|
||||
settings = mapAttrs (name: mkDefault) {
|
||||
"listen.owner" = "nginx";
|
||||
"listen.group" = "nginx";
|
||||
"listen.mode" = "0660";
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = 75;
|
||||
"pm.start_servers" = 2;
|
||||
"pm.min_spare_servers" = 1;
|
||||
"pm.max_spare_servers" = 20;
|
||||
"pm.max_requests" = 500;
|
||||
"catch_workers_output" = true;
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
phpEnv."PATH" = pkgs.lib.makeBinPath [
|
||||
pkgs.which
|
||||
phpldapadmin
|
||||
];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${stateDir}' 0750 phpldapadmin phpldapadmin - -"
|
||||
];
|
||||
|
||||
sops.secrets.phpldapadmin = {};
|
||||
}
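Review bot: The container port mapping `"8087:8080/tcp"` publishes the phpLDAPadmin HTTP listener on every interface, so it is reachable directly on :8087 and bypasses the `forceSSL` vhost `pla.cloonar.com` that proxies to `http://localhost:8087`; bind it to loopback instead, `"127.0.0.1:8087:8080/tcp"`, and add a firewall rule only if remote access is actually intended. The image is also referenced by the mutable tag `phpldapadmin/phpldapadmin:latest` while the `restart-phpldapadmin` timer restarts it nightly as root, so any re-pull would silently change the running code; pinning by digest (`image = "phpldapadmin/phpldapadmin@sha256:…"`) removes that supply-chain exposure. The PAM stack defined in `security.pam.services.nginx` is not attached to the `pla.cloonar.com` location, so the proxied UI relies solely on the application's own login — if PAM-fronted access was intended, that location needs it enabled. This rendered hunk carries no old/new markers, so I cannot tell which side each of these lines belongs to; the points apply to whichever side keeps the container definition.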
|
||||
|
||||