pvv-nixos-config/hosts/bekkalokk/services/idp-simplesamlphp/default.nix

{ config, pkgs, lib, ... }:
let
  package = pkgs.simplesamlphp.override {
    authsourcesFile = ./authsources.php;
    saml20-idp-remoteFile = ./saml20-idp-remote.php;
    configFile = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
      cp ${./config.php} "$out"

      substituteInPlace "$out" \
        --replace '$SAML_COOKIE_SECURE' 'true' \
        --replace '$SAML_COOKIE_SALT' '"asdfasdfasjdf"' \
        --replace '$SAML_ADMIN_PASSWORD' '"asdfasdfasdf"' \
        --replace '$SAML_TRUSTED_DOMAINS' 'array( "bekkalokk.pvv.ntnu.no" )'
    '';
  };
in
{
  services.phpfpm.pools.idp = {
    user = "root";
    group = "root";
    settings = let
      listenUser = config.services.nginx.user;
      listenGroup = config.services.nginx.group;
    in {
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "listen.owner" = listenUser;
      "listen.group" = listenGroup;

      "catch_workers_output" = true;
      "php_admin_flag[log_errors]" = true;
      # "php_admin_value[error_log]" = "stderr";
    };
  };

  services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
    root = "${package}/share/php/simplesamlphp";
    locations =  {
      "/".index = "index.php";

      "~ /(.+\\.php)" = {
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
          include ${pkgs.nginx}/conf/fastcgi_params;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '';
      };
    };
  };
}