Remove etherpad redirects
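# modules/private/websites/tools/ether/default.nix
#
# NixOS module for the Etherpad instance published at ether.immae.eu.
# It renders the Etherpad settings file and its API/session keys as secrets,
# enables the etherpad-lite service with a fixed plugin set, and declares the
# Apache virtual host that proxies to Etherpad's unix socket.
{ lib, pkgs, config, ... }:
let
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): `import <nixpkgs>` resolves through NIX_PATH, not through the
  # `pkgs` this module receives, so this libreoffice may come from a different
  # (unpinned) nixpkgs revision. It is the converter configured as "soffice"
  # below, so its patch level matters; confirm it is kept up to date.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
  # JSON-encode a value (quotes included) before splicing it into the
  # settings template, so a `"` or `\` in a password or LDAP filter cannot
  # break the file or introduce extra keys.
  # Assumes the env values are raw, not already JSON-escaped; confirm.
  json = builtins.toJSON;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # Secret files consumed by the service. All three are declared 0400.
    # NOTE(review): the settings file embeds the database, admin and LDAP bind
    # passwords; confirm the secrets module keeps `text` out of the
    # world-readable Nix store.
    secrets.keys = {
      "webapps/tools-etherpad-apikey" = {
        permissions = "0400";
        text = env.api_key;
      };
      "webapps/tools-etherpad-sessionkey" = {
        permissions = "0400";
        text = env.session_key;
      };
      # Etherpad settings. Review notes on values set in the template below
      # (kept outside the string so the rendered file stays plain JSON):
      #  - "requireAuthentication"/"requireAuthorization" are false: pads are
      #    not gated by Etherpad's own login. Confirm this is intended with
      #    ep_ldapauth and ep_mypads installed.
      #  - "trustProxy" is false although the service sits behind the Apache
      #    vhost declared below, which sets X-Forwarded-Proto. With it off,
      #    Etherpad should ignore forwarded headers, which affects the logged
      #    client address ("disableIPlogging" is false) and secure-cookie
      #    handling. Confirm.
      #  - "allowUnknownFileEnds" is true: imports are not limited to the
      #    known file extensions before reaching the converter.
      #  - "socketTransportProtocols" omits "websocket", while the vhost
      #    carries a websocket rewrite rule; one of the two looks stale.
      "webapps/tools-etherpad" = {
        permissions = "0400";
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : ${json env.postgresql.user},
              "host" : ${json env.postgresql.socket},
              "password": ${json env.postgresql.password},
              "database": ${json env.postgresql.database},
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "admin": {
                "password": ${json env.adminPassword},
                "is_admin": true
              },
              "ldapauth": {
                "hash": "invalid",
                "url": ${json "ldaps://${env.ldap.host}"},
                "accountBase": ${json env.ldap.base},
                "accountPattern": ${json env.ldap.filter},
                "displayNameAttribute": "cn",
                "searchDN": ${json env.ldap.dn},
                "searchPWD": ${json env.ldap.password},
                "groupSearchBase": ${json env.ldap.base},
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": ${json env.ldap.group_filter},
                "anonymousReadonly": false
              }
            },
            "ep_mypads": {
              "warning": "This hash is stored in database, changing anything here will not have any consequence",
              "ldap": {
                "url": ${json "ldaps://${env.ldap.host}"},
                "bindDN": ${json env.ldap.dn},
                "bindCredentials": ${json env.ldap.password},
                "searchBase": ${json env.ldap.base},
                "searchFilter": ${json env.ldap.filter},
                "properties": {
                  "login": "uid",
                  "email": "mail",
                  "firstname": "givenName",
                  "lastname": "sn"
                },
                "defaultLang": "fr"
              }
            },
            "ep_comments_page": {
              "displayCommentAsIcon": true,
              "highlightSelectedText": true
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      };
    };

    # The service reads its keys and settings from the secret files declared
    # above rather than from inline option values.
    services.etherpad-lite = {
      enable = true;
      package = pkgs.webapps.etherpad-lite.withModules (p: [
        p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
        p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
        p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
        p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
        p.ep_previewimages p.ep_ruler p.ep_scrollto
        p.ep_set_title_on_pad p.ep_subscript_and_superscript
        p.ep_timesliderdiff
      ]);
      modules = [];
      sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
      apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
      configFile = config.secrets.fullPaths."webapps/tools-etherpad";
    };

    # Presumably "keys" is the group that may read the secret files; confirm
    # against the secrets module.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Restart the service whenever one of its secret files changes.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Apache vhost: sets HSTS, marks the request as HTTPS for the backend, and
    # reverse-proxies everything to Etherpad's unix socket. ProxyRequests Off
    # keeps Apache from acting as a forward proxy, so the `<Proxy *>` grant
    # only concerns the reverse-proxied backend.
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}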