# NixOS module: runs Etherpad-lite as a (partially) sandboxed systemd service
# and fronts it with an Apache reverse proxy (HTTP + websocket) on ether.immae.eu.
# `myconfig`, `mylibs` and `pkgs.webapps` are project-specific inputs that are
# not visible here; the comments below describe only what this file shows.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # Package wrapper built from ./etherpad_lite.nix.  The attributes used
  # below are webappDir (store path of the app, with a .varDir attribute),
  # listenPort (backend port) and keys (secrets to provision).
  etherpad = pkgs.callPackage ./etherpad_lite.nix {
    inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
    env = myconfig.env.tools.etherpad-lite;
  };

  # Mutable state directory of the webapp.  Its actual path is decided in
  # ./etherpad_lite.nix; see the StateDirectory / ReadWritePaths note below.
  varDir = etherpad.webappDir.varDir;
  cfg = config.services.myWebsites.tools.etherpad-lite;
in {
  options.services.myWebsites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # Secrets declared by the package; they are expected to be provisioned
    # under /var/secrets/webapps/ by the mySecrets machinery (defined elsewhere).
    mySecrets.keys = etherpad.keys;
    systemd.services.etherpad-lite = {
      description = "Etherpad-lite";
      wantedBy = [ "multi-user.target" ];
      # Ordered after PostgreSQL; `wants` rather than `requires`, so a
      # PostgreSQL failure does not stop this unit by itself.
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      environment.NODE_ENV = "production";
      # HOME is the store path of the app, i.e. read-only at runtime.
      environment.HOME = etherpad.webappDir;

      path = [ pkgs.nodejs ];

      # Session key, API key and settings.json are read from files under
      # /var/secrets rather than being embedded in the (world-readable) store.
      script = ''
        exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
          --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
          --apikey /var/secrets/webapps/tools-etherpad-apikey \
          --settings /var/secrets/webapps/tools-etherpad
      '';

      serviceConfig = {
        # DynamicUser with a fixed name: the UID is allocated when the unit
        # starts, while the name stays stable for the ownership commands below.
        DynamicUser = true;
        User = "etherpad-lite";
        Group = "etherpad-lite";
        # Presumably the group that may read /var/secrets — confirm against
        # the mySecrets module.
        SupplementaryGroups = "keys";
        WorkingDirectory = etherpad.webappDir;
        PrivateTmp = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        # NOTE(review): ProtectSystem=, ProtectKernelTunables=,
        # RestrictAddressFamilies= and SystemCallFilter= are not set.  If
        # varDir lives under the StateDirectory below, ProtectSystem=strict
        # should be safe to add — verify against what the app writes at runtime.
        Restart = "always";
        Type = "simple";
        TimeoutSec = 60;
        # Use ReadWritePaths= instead if varDir is outside of /var/lib
        StateDirectory="etherpad-lite";
        # Both commands run as root ("+" prefix) on every start.
        # NOTE(review): they act on a tree the unprivileged service writes to
        # (varDir).  A root-run recursive chown / `install -d` over a
        # user-writable path is a classic symlink-race surface, and the secret
        # files are re-owned but their mode is left untouched.  Consider relying
        # on StateDirectory= ownership handling for varDir and restricting the
        # secrets' mode (e.g. 0400) where they are provisioned — to be confirmed
        # against the actual value of varDir and the mySecrets module.
        ExecStartPre = [
          "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
          "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
        ];
      };
    };

    # Apache modules required by the vhost configuration below:
    # response headers, HTTP proxying and websocket tunnelling.
    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
    services.myWebsites.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      hosts = [ "ether.immae.eu" ];
      root = null;
      # Apache vhost body, in order:
      #  * HSTS (one year, subdomains included) and X-Forwarded-Proto so the
      #    backend knows it sits behind TLS;
      #  * a 301 redirect table read from a txt RewriteMap generated from
      #    myconfig.env.tools.etherpad-lite.redirects, skipped when the query
      #    string contains "noredirect".  `$1` inside the RewriteConds refers
      #    to the RewriteRule's `^(.*)$` group, so the
      #    `RewriteCond %{REQUEST_URI} "^(.*)$"` line appears to be always
      #    true (a cond's own group would be `%1`) — likely redundant;
      #  * websocket upgrades on /socket.io proxied to ws://localhost:port;
      #  * everything else reverse-proxied to http://localhost:port.
      # NOTE(review): the whole path space, including Etherpad's /admin and
      # API endpoints, is forwarded; access control is left to the backend's
      # settings.json, which is not visible here.
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) ws://localhost:${etherpad.listenPort}/$1 [P,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / http://localhost:${etherpad.listenPort}/
          ProxyPassReverse / http://localhost:${etherpad.listenPort}/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}