path: root/src/Propellor/Property/OpenId.hs
blob: 00daa57d356ff00068f3553c9c241f14ba6d06b6 (plain)
module Propellor.Property.OpenId where

import Propellor.Base
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Apache as Apache

import Data.List

-- | OpenID provider, using the simpleid PHP CGI, served by apache.
--
-- Listens on the usual port by default. When a nonstandard port is
-- given, apache is limited to listening only on that port. Warning:
-- specifying a port won't compose well with other apache properties
-- on the same host.
--
-- The base url written into simpleid's config is plain @http://@. This
-- property sets up no TLS itself, so logins to the provider travel
-- unencrypted unless something in front of apache terminates TLS.
--
-- Each user's identity file comes from privdata (under the 'Context' of
-- the base url) and is installed with an exposed file mode; keeping it
-- private relies on the mode of the identities directory, which this
-- property does not set.
--
-- It's probably a good idea to put this property inside a docker or
-- systemd-nspawn container.
providerFor :: [User] -> HostName -> Maybe Port -> Property (HasInfo + DebianLike)
providerFor users hn mp = propertyList desc $ props
	& Apt.serviceInstalledRunning "apache2"
	& apacheconfigured
	& Apt.installed ["simpleid"]
		`onChange` Apache.restarted
	& File.fileProperty (desc ++ " configured")
		(map setbaseurl) "/etc/simpleid/config.inc"
	& propertyList desc (toProps $ map identfile users)
  where
	-- host name, with ":port" appended only for a nonstandard port
	baseurl = hn ++ maybe "" (\p -> ':' : val p) mp
	url = "http://" ++ baseurl ++ "/simpleid"
	desc = "openid provider " ++ url

	-- Replaces the SIMPLEID_BASE_URL line of config.inc; every other
	-- line passes through untouched. The url is spliced into a
	-- single-quoted PHP string without escaping, so a host name
	-- containing a quote would yield a broken config line.
	setbaseurl l
		| isInfixOf "SIMPLEID_BASE_URL" l = baseurlline
		| otherwise = l
	baseurlline = "define('SIMPLEID_BASE_URL', '" ++ url ++ "');"

	-- With a nonstandard port apache is first restricted to that port;
	-- otherwise only the vhost on port 80 is added.
	apacheconfigured = case mp of
		Just p -> propertyList desc $ props
			& Apache.listenPorts [p]
			& Apache.virtualHost hn p docroot
		Nothing -> setupRevertableProperty $
			Apache.virtualHost hn (Port 80) docroot
	docroot = "/var/www/html"

	-- the identities directory controls access, so open up
	-- file mode
	identfile (User u) = File.hasPrivContentExposed
		("/var/lib/simpleid/identities/" ++ u ++ ".identity")
		(Context baseurl)