1{ config, lib, pkgs, ... }:
2
3with lib;
4
5let
6
# Shorthand for this module's option values (services.crowd.*).
cfg = config.services.crowd;
8
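# The runtime package: cfg.package re-instantiated with this module's
# settings.  Everything passed to `override` is baked into a store path and
# is therefore readable by every local user; that is why `openidPassword`
# has an `openidPasswordFile` counterpart (handled in `config`).
#
# The base arguments and the optional proxy argument must be merged BEFORE
# the call: function application binds tighter than `//`, so the original
# `cfg.package.override { ... } // { proxyUrl = ...; }` attached proxyUrl to
# the resulting derivation attrset and the package never saw it.
# NOTE(review): this assumes the atlassian-crowd derivation accepts a
# `proxyUrl` argument (the attribute the original code intended to pass);
# confirm against the package before relying on proxy support.
pkg = cfg.package.override ({
  home = cfg.home;
  port = cfg.listenPort;
  openidPassword = cfg.openidPassword;
} // (optionalAttrs cfg.proxy.enable {
  proxyUrl = "${cfg.proxy.scheme}://${cfg.proxy.name}:${toString cfg.proxy.port}";
}));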
16
# Template for the OpenID server's runtime crowd.properties.  `writeText`
# places it in the (world-readable) Nix store, so it carries only the
# placeholder @NIXOS_CROWD_OPENID_PW@; the real password is substituted into a
# copy under cfg.home at service start by replace-secret (see preStart in
# `config`), and only when `openidPasswordFile` is set.
#
# `''$` is the Nix escape for a literal `$` inside an indented string, so
# the last `application.login.url.template` line is written out verbatim as
# `${RETURN_TO_URL}` for Crowd to expand at runtime.
# NOTE(review): the URLs are hard-wired to http://localhost even when
# `proxy.enable` is set -- verify whether Crowd needs the externally visible
# proxy URL here when both options are used together.
crowdPropertiesFile = pkgs.writeText "crowd.properties" ''
  application.name crowd-openid-server
  application.password @NIXOS_CROWD_OPENID_PW@
  application.base.url http://localhost:${toString cfg.listenPort}/openidserver
  application.login.url http://localhost:${toString cfg.listenPort}/openidserver
  application.login.url.template http://localhost:${toString cfg.listenPort}/openidserver?returnToUrl=''${RETURN_TO_URL}

  crowd.server.url http://localhost:${toString cfg.listenPort}/crowd/services/

  session.isauthenticated session.isauthenticated
  session.tokenkey session.tokenkey
  session.validationinterval 0
  session.lastvalidation session.lastvalidation
'';
31
32in
33
34{
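# Option declarations for services.crowd.
options = {
  services.crowd = {
    enable = mkEnableOption "Atlassian Crowd service";

    # Service identity.  The daemon, its preStart script and the state
    # directory all use this user/group, so Crowd never runs as root.
    user = mkOption {
      type = types.str;
      default = "crowd";
      description = "User which runs Crowd.";
    };

    group = mkOption {
      type = types.str;
      default = "crowd";
      description = "Group which runs Crowd.";
    };

    # Mutable state (database, logs, work dir, generated server.xml and
    # crowd.properties) lives here; created by tmpfiles, owned by user:group.
    home = mkOption {
      type = types.str;
      default = "/var/lib/crowd";
      description = "Home directory of the Crowd instance.";
    };

    # Loopback by default, so the instance is not reachable from other hosts
    # unless explicitly changed; the `proxy` options cover the usual
    # reverse-proxy deployment.
    listenAddress = mkOption {
      type = types.str;
      default = "127.0.0.1";
      description = "Address to listen on.";
    };

    listenPort = mkOption {
      type = types.port;
      default = 8092;
      description = "Port to listen on.";
    };

    # This value is handed to `cfg.package.override` and therefore becomes
    # part of a Nix store path, readable by every local user.  The default is
    # a deliberate dummy; real deployments should use `openidPasswordFile`.
    openidPassword = mkOption {
      type = types.str;
      default = "WILL_NEVER_BE_SET";
      description = ''
        Application password for OpenID server.

        The value is passed to the Crowd package derivation and thus ends up
        in the world-readable Nix store.  Leave it at the default and set
        `openidPasswordFile` instead; when that option is set, the service is
        started with `-Dcrowd.properties` pointing at a generated
        `crowd.properties` that contains the password from the file.
      '';
    };

    # Read at service start by the service user (preStart runs as `user`),
    # so the file must be readable by that user.  Its content is copied into
    # <home>/crowd.properties (mode 0660) and never enters the Nix store.
    openidPasswordFile = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Path to the file containing the application password for OpenID server.

        The file is read by the service user at start-up, so it must be
        readable by `user` (or `group`).  Its contents are written into
        `<home>/crowd.properties` (mode 0660) and are never placed in the
        Nix store.
      '';
    };

    # Joined with spaces into CATALINA_OPTS; individual entries must not
    # contain whitespace.
    catalinaOptions = mkOption {
      type = types.listOf types.str;
      default = [];
      example = [ "-Xms1024m" "-Xmx2048m" ];
      description = "Java options to pass to catalina/tomcat.";
    };

    # Reverse-proxy settings, spliced into Tomcat's connector (server.xml)
    # at service start when `enable` is true.  `name` has no default, so
    # enabling the proxy without setting it fails at evaluation time.
    proxy = {
      enable = mkEnableOption "reverse proxy support";

      name = mkOption {
        type = types.str;
        example = "crowd.example.com";
        description = "Virtual hostname at the proxy";
      };

      port = mkOption {
        type = types.port;
        default = 443;
        example = 80;
        description = "Port used at the proxy";
      };

      scheme = mkOption {
        type = types.str;
        default = "https";
        example = "http";
        description = "Protocol used at the proxy.";
      };

      # Becomes the connector's `secure` attribute: tells Tomcat to treat
      # proxied requests as having arrived over a secure channel.
      secure = mkOption {
        type = types.bool;
        default = true;
        description = "Whether the connections to the proxy should be considered secure.";
      };
    };

    package = mkPackageOption pkgs "atlassian-crowd" { };

    # Also placed on the unit's PATH and exported as JAVA_HOME.
    jrePackage = mkPackageOption pkgs "oraclejre8" {
      extraDescription = ''
        ::: {.note }
        Atlassian only supports the Oracle JRE (JRASERVER-46152).
        :::
      '';
    };
  };
};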
129
# Everything below is only generated when services.crowd.enable is true.
config = mkIf cfg.enable {
  # Dedicated unprivileged identity for the daemon and its preStart script.
  users.users.${cfg.user} = {
    isSystemUser = true;
    group = cfg.group;
  };

  users.groups.${cfg.group} = {};

  # The home directory is created owned by the service user.  The entries
  # under /run/atlassian-crowd are symlinks (`L+`: created even if something
  # is already there) into cfg.home, so all mutable state lives in the home
  # directory rather than in /run.
  systemd.tmpfiles.rules = [
    "d '${cfg.home}' - ${cfg.user} ${cfg.group} - -"
    "d /run/atlassian-crowd - - - - -"

    "L+ /run/atlassian-crowd/database - - - - ${cfg.home}/database"
    "L+ /run/atlassian-crowd/logs - - - - ${cfg.home}/logs"
    "L+ /run/atlassian-crowd/work - - - - ${cfg.home}/work"
    "L+ /run/atlassian-crowd/server.xml - - - - ${cfg.home}/server.xml"
  ];

  systemd.services.atlassian-crowd = {
    description = "Atlassian Crowd";

    wantedBy = [ "multi-user.target" ];
    # Unconditional hard dependency on the local PostgreSQL unit: the service
    # cannot start on a host that does not provide postgresql.service.
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];

    path = [ cfg.jrePackage ];

    environment = {
      JAVA_HOME = "${cfg.jrePackage}";
      CATALINA_OPTS = concatStringsSep " " cfg.catalinaOptions;
      # Resolved inside the unit's private /tmp (PrivateTmp below), so Tomcat
      # scratch files are not visible to other processes.
      CATALINA_TMPDIR = "/tmp";
      # Only when a password file is configured: point Crowd at the
      # crowd.properties generated under cfg.home in preStart.
      JAVA_OPTS = mkIf (cfg.openidPasswordFile != null) "-Dcrowd.properties=${cfg.home}/crowd.properties";
    };

    # Runs as cfg.user/cfg.group (ExecStartPre inherits User=/Group= from
    # serviceConfig), so every path it touches must be writable by that user.
    #   * the work directory is recreated from scratch on every start;
    #   * server.xml is regenerated from the package's .dist template, with the
    #     listen port/address and -- when the proxy is enabled -- the reverse
    #     proxy connector attributes spliced in via sed.  The option values
    #     are placed into the sed expression unquoted, so a `,` or `'` in
    #     listenAddress or proxy.name breaks the expression rather than being
    #     escaped;
    #   * when openidPasswordFile is set, the store-resident template
    #     crowdPropertiesFile is copied with mode 0660 and replace-secret
    #     swaps the placeholder for the file's contents in place, so the
    #     password appears neither in the Nix store nor on a command line.
    #     openidPasswordFile must therefore be readable by cfg.user.
    preStart = ''
      rm -rf ${cfg.home}/work
      mkdir -p ${cfg.home}/{logs,database,work}

      sed -e 's,port="8095",port="${toString cfg.listenPort}" address="${cfg.listenAddress}",' \
    '' + (lib.optionalString cfg.proxy.enable ''
      -e 's,compression="on",compression="off" protocol="HTTP/1.1" proxyName="${cfg.proxy.name}" proxyPort="${toString cfg.proxy.port}" scheme="${cfg.proxy.scheme}" secure="${boolToString cfg.proxy.secure}",' \
    '') + ''
      ${pkg}/apache-tomcat/conf/server.xml.dist > ${cfg.home}/server.xml

      ${optionalString (cfg.openidPasswordFile != null) ''
        install -m660 ${crowdPropertiesFile} ${cfg.home}/crowd.properties
        ${pkgs.replace-secret}/bin/replace-secret \
          '@NIXOS_CROWD_OPENID_PW@' \
          ${cfg.openidPasswordFile} \
          ${cfg.home}/crowd.properties
      ''}
    '';

    serviceConfig = {
      # Drop to the dedicated service identity for the main process.
      User = cfg.user;
      Group = cfg.group;
      # Private /tmp namespace; CATALINA_TMPDIR above lives inside it.
      PrivateTmp = true;
      Restart = "on-failure";
      RestartSec = "10";
      ExecStart = "${pkg}/start_crowd.sh -fg";
      # NOTE(review): no further systemd sandboxing (e.g. ProtectSystem,
      # ProtectHome, NoNewPrivileges) is applied here; worth evaluating, but
      # Tomcat writes under cfg.home and /run/atlassian-crowd, so any
      # addition needs testing against a running instance.
    };
  };
};
193}