nix/profiles/wayf.nix
Ryan Lahfa 4a043d6fb5 profiles/wayf: init work (wip)
This is a very early version of the deployment; it does not work yet, apparently because of PHP version issues.

Signed-off-by: Ryan Lahfa <federez-infra@lahfa.xyz>
2024-02-14 04:17:49 +01:00


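{ config, pkgs, ... }:
let
  sources = import ../npins;
  # nix-phps supplies PHP releases that nixpkgs no longer carries.
  phps = import sources.nix-phps;
  # Pick the package set for the platform being built for. `builtins.currentSystem`
  # is impure and is rejected under pure evaluation (flakes, `--pure-eval`).
  system = pkgs.stdenv.hostPlatform.system;
  # Runtime state (IdP/SP metadata, backup IdP config) and the WAYF log file.
  stateDir = "/var/lib/switchwayf";
  logDir = "/var/log/switchwayf";
in
{
  nixpkgs.overlays = [
    (self: super: {
      switchwayf = super.callPackage ../pkgs/switchwayf.nix { };
    })
  ];

  # Port 80 is needed for the ACME HTTP-01 challenge and the HTTPS redirect.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Not strictly needed (no proxy_pass in this vhost) but harmless.
    recommendedProxySettings = true;

    virtualHosts."sso.federez.net" = {
      enableACME = true;
      forceSSL = true;
      # Static assets and the PHP entry points are served from the read-only
      # Nix store; the location below inherits this root.
      root = "${pkgs.switchwayf}/www/";

      # Hand `*.php` requests, optionally followed by path info (`/WAYF.php/foo`),
      # to the PHP-FPM pool. This follows the nginx.org "PHP FastCGI example":
      # `[^/]\.php(/|$)` only matches a real `.php` path component, and the `-f`
      # check refuses scripts that do not exist under the document root, so a
      # request such as `/image.jpg/x.php` is never handed to PHP-FPM.
      locations."~ [^/]\\.php(/|$)" = {
        extraConfig = ''
          fastcgi_split_path_info ^(.+?\.php)(/.*)$;
          if (!-f $document_root$fastcgi_script_name) {
            return 404;
          }
          fastcgi_index WAYF.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.switchwayf.socket};
          # fastcgi.conf is fastcgi_params plus SCRIPT_FILENAME; including both
          # files was redundant.
          include ${config.services.nginx.package}/conf/fastcgi.conf;
          # Forward the path-info part split off above; fastcgi_params does not
          # set PATH_INFO, so the split was otherwise ineffective.
          fastcgi_param PATH_INFO $fastcgi_path_info;
          # httpoxy mitigation: a client-supplied `Proxy:` header must never
          # reach PHP as HTTP_PROXY.
          fastcgi_param HTTP_PROXY "";
        '';
      };
    };
  };

  users.users.switchwayf = {
    isSystemUser = true;
    # Shares nginx's group so both sides can reach the FPM socket (owned by
    # nginx, see listen.owner) and the state directories.
    group = "nginx";
  };
  # services.nginx already declares this group; restated so the profile stands
  # alone.
  users.groups.nginx = {};

  # The PHP-FPM pool runs as `switchwayf` and must be able to write its log and
  # read its configuration files; nothing else creates these directories.
  # The metadata/config files themselves are not provisioned here — they must
  # be deployed into /var/lib/switchwayf separately.
  systemd.tmpfiles.rules = [
    "d ${stateDir} 0750 switchwayf nginx -"
    "d ${logDir} 0750 switchwayf nginx -"
  ];

  services.phpfpm.pools.switchwayf = {
    user = "switchwayf";
    group = "nginx";
    settings = {
      pm = "dynamic";
      # nginx connects to the pool socket, so it must own it.
      "listen.owner" = "nginx";
      "pm.max_children" = 10;
      "pm.start_servers" = 1;
      "pm.min_spare_servers" = 1;
      "pm.max_spare_servers" = 1;
    };
    # XXX(raitobezarius): I don't allow anyone to go in real production with this.
    # NOTE(review): PHP 7.4 is end-of-life (November 2022) and receives no
    # security fixes; this pin has to go before the vhost is exposed publicly.
    phpPackage = phps.packages.${system}.php74;
    # Environment handed to the PHP workers. Presumably consumed by the
    # SWITCHwayf config.php (cf. the SWITCHWAYF_CONFIG note below) — TODO
    # confirm against the packaged configuration.
    phpEnv = {
      backupIDPConfigFile = "${stateDir}/IDProvider.conf.php";
      metadataIDPFile = "${stateDir}/IDProvider.metadata.conf.php";
      metadataSPFile = "${stateDir}/SProvider.metadata.conf.php";
      WAYFLogFile = "${logDir}/wayf.log";
      # Not yet wired up: a store-path config override for SWITCHwayf.
      #SWITCHWAYF_CONFIG = pkgs.writeText "switch_config.php"
      #  (builtins.readFile ./switch-config.php);
    };
  };
}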