pvv-nixos-config/hosts/bekkalokk/services/idp-simplesamlphp/default.nix

94 lines
2.7 KiB
Nix
Raw Normal View History

2024-03-29 01:59:46 +01:00
{ config, pkgs, lib, ... }:
let
pwAuthScript = pkgs.writeShellApplication {
name = "pwauth";
text = ''
read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
if test "$user1" != "$user2"
then
read -r _
exit 2
fi
${pkgs.heimdal}/bin/kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
'';
};
package = (pkgs.simplesamlphp.override {
authsourcesFile = pkgs.writeText "idp-authsources.php" ''
<?php
$config = array(
'pwauth' => array(
'authpwauth:PwAuth',
'pwauth_bin_path' => '${pwAuthScript}/bin/pwauth',
'mail_domain' => '@pvv.ntnu.no',
),
);
'';
saml20-idp-remoteFile = pkgs.writeText "saml20-idp-remote.php" '''';
configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
cp ${./config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
--replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )'
'';
}).overrideAttrs (prev: {
postInstall = prev.postInstall + ''
install -Dm444 "${./authpwauth.php}" $out/share/php/simplesamlphp/modules/authpwauth/lib/Auth/Source/PwAuth.php
'';
});
in
{
users.groups."idp" = { };
users.users."idp" = {
description = "PVV Identity Provider Service User";
group = "idp";
createHome = false;
isSystemUser = true;
};
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${package}/share/php/simplesamlphp";
locations = {
"/".index = "index.php";
"~ /(.+\\.php)" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
};
};
};
}