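{ config, lib, pkgs, ... }:

with lib;

let
  # phpLDAPadmin built from the repo-local package expression.
  phpldapadmin = pkgs.callPackage ../../pkgs/phpldapadmin.nix { };
  # The PHP-FPM pool declared further down; referenced for its unix socket path.
  fpm = config.services.phpfpm.pools.phpldapadmin;
  stateDir = "/var/lib/phpldapadmin";
  domain = "phpldapadmin.cloonar.com";
in
{
  # Dedicated unprivileged service account; the FPM pool below runs as it.
  users.users.phpldapadmin = {
    description = "PHPLdapAdmin Service";
    home = stateDir;
    useDefaultShell = true;
    group = "phpldapadmin";
    isSystemUser = true;
  };
  users.groups.phpldapadmin = { };

  # The application env file is a sops secret owned by the service user and is
  # exposed at /etc/phpldapadmin/env as a link to the decrypted secret path.
  sops.secrets.phpldapadmin.owner = "phpldapadmin";
  environment.etc."phpldapadmin/env".source = config.sops.secrets.phpldapadmin.path;

  services.nginx = {
    enable = true;
    virtualHosts."${domain}" = {
      forceSSL = true;
      enableACME = true;
      # No HTTP-01 webroot; the certificate has to come from another challenge
      # type configured under security.acme — confirm.
      acmeRoot = null;
      # Vhost-level root. The "/" location below sets its own root, so with only
      # that one location present nothing is served from the state directory.
      root = stateDir;
      locations."/" = {
        root = "${phpldapadmin}/public";
        index = "index.php";
        extraConfig = ''
          location ~* \.php(/|$) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # Hardening: answer 404 in nginx when the resolved .php script does
            # not exist under the document root, instead of forwarding the
            # request (and its PATH_INFO) to PHP-FPM for it to decide.
            try_files $fastcgi_script_name =404;
            fastcgi_pass unix:${fpm.socket};
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            # NOTE(review): fastcgi.conf already contains fastcgi_params plus a
            # SCRIPT_FILENAME entry, so the pair of includes is redundant; kept
            # as in the original.
            include ${pkgs.nginx}/conf/fastcgi_params;
            include ${pkgs.nginx}/conf/fastcgi.conf;
          }
        '';
      };
    };
  };

  # Group allow-list intended for pam_listfile. The pam_listfile lines in the
  # PAM stack below are commented out, so this file is currently not consulted.
  environment.etc.nginx_allowed_groups = {
    text = "employees";
    mode = "0444";
  };
  # PAM service "nginx": only pam_ldap is active, i.e. any account that
  # authenticates against LDAP passes; re-enabling the two commented lines would
  # additionally restrict access to the groups listed in /etc/nginx_allowed_groups.
  # Nothing in this module references this PAM service from the vhost (no
  # auth_pam directive above) — confirm it is wired up elsewhere.
  security.pam.services.nginx.text = ''
    # auth required pam_listfile.so \
    # item=group sense=allow onerr=fail file=/etc/nginx_allowed_groups
    auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
    account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
  '';

  services.phpfpm.pools.phpldapadmin = {
    user = "phpldapadmin";
    # Errors go to stderr so they end up in the journal (with catch_workers_output).
    phpOptions = ''
      error_log = 'stderr'
      log_errors = on
    '';
    # mkDefault on every entry so a host can override single pool settings.
    settings = mapAttrs (name: mkDefault) {
      # Socket owned by nginx and restricted to owner/group (0660).
      "listen.owner" = "nginx";
      "listen.group" = "nginx";
      "listen.mode" = "0660";
      "pm" = "dynamic";
      "pm.max_children" = 75;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 1;
      "pm.max_spare_servers" = 20;
      "pm.max_requests" = 500;
      "catch_workers_output" = true;
    };
    # PATH seen by the PHP workers: `which` plus the application's own bin/.
    phpEnv."PATH" = pkgs.lib.makeBinPath [ pkgs.which phpldapadmin ];
  };

  # State directory owned by the service user; 0750 keeps it unreadable for
  # nginx, which is consistent with it not being a served document root.
  # Kept as a single tmpfiles line: a line break inside the rule string would
  # produce a malformed entry.
  systemd.tmpfiles.rules = [ "d '${stateDir}' 0750 phpldapadmin phpldapadmin - -" ];
}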