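{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  etherpad = pkgs.webapps.etherpad-lite.withModules
    (builtins.attrValues pkgs.webapps.etherpad-lite-modules);
  env = myconfig.env.tools.etherpad-lite;
  varDir = etherpad.varDir;
  cfg = config.services.myWebsites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency.
  # NOTE(review): this imports <nixpkgs> from NIX_PATH instead of the
  # pinned `pkgs`, so the soffice binary used for pad import/export is
  # whatever channel the build host happens to have and is not covered
  # by the rest of the pin. `import pkgs.path { overlays = []; }` would
  # keep the "no overlays" trick on the same nixpkgs revision — verify
  # before switching.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
in {
  options.services.myWebsites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # API key, session key and the rendered settings.json (which embeds the
    # PostgreSQL and LDAP bind passwords) all go through mySecrets; they are
    # only ever read from /var/secrets at start-up. Presumably mySecrets
    # writes `text` outside the Nix store — verify, since a store path
    # would make these world-readable.
    mySecrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        # Etherpad strips JS-style comments from settings.json before
        # parsing it, so the /* */ notes below are safe to keep.
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",

            /* Loopback only: the sole client is the Apache vhost below. */
            "ip": "127.0.0.1",
            "port" : ${env.listenPort},
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "en-gb"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            /*
             * Etherpad only receives connections from the Apache reverse
             * proxy (it binds 127.0.0.1), so the X-Forwarded-* headers it
             * sees are set by that proxy and should be honoured. With
             * trustProxy=false every client is logged as 127.0.0.1 and,
             * on recent releases, the session cookie's secure flag is
             * derived from the plain-HTTP hop rather than from
             * X-Forwarded-Proto. Apache strips any client-supplied
             * X-Forwarded-For before adding its own, so this does not
             * let clients spoof their address.
             */
            "trustProxy" : true,
            /* Real client IPs now reach the log; flip to true if that is
             * not wanted. */
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
                "displayNameAttribute": "cn",
                "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
                "anonymousReadonly": false
              }
            },
            /* No "websocket" here, so the ws:// RewriteRule in the vhost is
             * never exercised; add it to this list if websockets are wanted. */
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    systemd.services.etherpad-lite = {
      description = "Etherpad-lite";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      environment.NODE_ENV = "production";
      environment.HOME = etherpad;

      path = [ pkgs.nodejs ];

      # Keys and settings are read from /var/secrets, never from the store.
      script = ''
        exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \
          --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
          --apikey /var/secrets/webapps/tools-etherpad-apikey \
          --settings /var/secrets/webapps/tools-etherpad
      '';

      serviceConfig = {
        # DynamicUser allocates the uid per start, which is why the chown
        # in ExecStartPre has to run (as root, hence the "+") every time.
        DynamicUser = true;
        User = "etherpad-lite";
        Group = "etherpad-lite";
        SupplementaryGroups = "keys";
        WorkingDirectory = etherpad;
        PrivateTmp = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        Restart = "always";
        Type = "simple";
        TimeoutSec = 60;
        # Use ReadWritePaths= instead if varDir is outside of /var/lib
        StateDirectory="etherpad-lite";
        ExecStartPre = [
          "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
          "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
        ];
      };
    };

    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
    services.myWebsites.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        # mod_proxy appends to (rather than replaces) an incoming
        # X-Forwarded-For, and Etherpad trusts that header; drop whatever the
        # client sent so only the address Apache adds reaches the backend.
        RequestHeader unset X-Forwarded-For
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        # Path-based redirects from myconfig; "?noredirect" bypasses them.
        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / http://localhost:${env.listenPort}/
          ProxyPassReverse / http://localhost:${env.listenPort}/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}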