# Module function for the Etherpad-lite service. Besides the usual lib/pkgs/config
# arguments it takes two project-specific ones: myconfig (per-deployment settings)
# and mylibs (project helper functions).
1 { lib, pkgs, config, myconfig, mylibs, ... }:
# Package definition lives in the sibling file etherpad_lite.nix. The attributes read
# from it in this module are keys, webappDir and listenPort.
2 etherpad = pkgs.callPackage ./etherpad_lite.nix {
3 inherit (mylibs) fetchedGithub;
# Deployment-specific Etherpad settings are passed into the package definition.
# NOTE(review): presumably this is where the secrets exposed as etherpad.keys come
# from; confirm in etherpad_lite.nix that none of them end up in the world-readable
# Nix store.
4 env = myconfig.env.tools.etherpad-lite;
# Shorthand for this module's own option subtree.
5 cfg = config.services.myWebsites.tools.etherpad-lite;
# Option declarations: a single on/off switch for the whole Etherpad deployment.
10 options.services.myWebsites.tools.etherpad-lite = {
# lib.mkEnableOption already prefixes the text with "Whether to enable", so the
# rendered description currently reads "Whether to enable enable etherpad's website."
11 enable = lib.mkEnableOption "enable etherpad's website";
# Everything below is only applied when the enable option above is set.
14 config = lib.mkIf cfg.enable {
# Hands the secrets declared by the package definition to the deployment tool's key
# mechanism. NOTE(review): the paths used further down suggest they are delivered as
# files under /run/keys/webapps/; confirm against etherpad.keys.
15 deployment.keys = etherpad.keys;
16 systemd.services.etherpad-lite = {
17 description = "Etherpad-lite";
18 wantedBy = [ "multi-user.target" ];
# Start only after the database and the three key-delivery units, so the settings,
# API-key and session-key files exist before the server reads them.
19 after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
# "wants" is a weak dependency: systemd still starts this unit if one of the key
# units fails. NOTE(review): verify how the server behaves when the settings file is
# absent; if it must never run without its keys, a "requires" dependency is stricter.
20 wants = [ "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
22 environment.NODE_ENV = "production";
# HOME points at the application directory instead of a user home.
23 environment.HOME = etherpad.webappDir;
25 path = [ pkgs.nodejs ];
28 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
29 --settings /run/keys/webapps/tools-etherpad
# The server runs as a dedicated unprivileged account rather than root.
34 User = "etherpad-lite";
35 Group = "etherpad-lite";
# Extra membership in the "keys" group. NOTE(review): presumably required to traverse
# /run/keys so the --settings file above (delivered as a key, so it should be treated
# as secret) can be read. It also gives the service whatever access other key files
# grant to that group; confirm their modes.
36 SupplementaryGroups = "keys";
37 WorkingDirectory = etherpad.webappDir;
# systemd sandboxing: no privilege gain through setuid binaries or file capabilities,
# a private /dev without physical devices, read-only control-group hierarchy, and no
# kernel module loading.
39 NoNewPrivileges = true;
40 PrivateDevices = true;
42 ProtectControlGroups = true;
43 ProtectKernelModules = true;
# The leading "+" makes systemd run this command with full privileges, ignoring User=
# and the sandboxing options above: chown runs as root to hand the three key files to
# the service account on every start.
# NOTE(review): if the key entries in etherpad.keys can set the owner and group
# themselves (NixOps key attributes user/group/permissions), this root-level step is
# unnecessary. If it stays, chown --no-dereference avoids following a symlink placed
# at one of these paths.
47 ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad /run/keys/webapps/tools-etherpad-sessionkey /run/keys/webapps/tools-etherpad-apikey";
# Apache modules used by the virtual host below: mod_headers for the Header and
# RequestHeader directives, mod_proxy/mod_proxy_http for ProxyPass, and
# mod_proxy_wstunnel for the ws:// rewrite target.
51 services.myWebsites.tools.modules = [
52 "headers" "proxy" "proxy_http" "proxy_wstunnel"
# Adds ether.immae.eu as an extra domain on the existing "eldiron" ACME certificate.
54 security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
# Reverse-proxy virtual host for ether.immae.eu. The directives below sit inside
# string literals and are left untouched; in summary:
#  - HSTS is sent on every response with a one-year lifetime, including subdomains.
#  - X-Forwarded-Proto is forced to "https" with "set", which replaces any value the
#    client sent.
#  - A redirect map is generated from myconfig.env.tools.etherpad-lite.redirects and
#    yields the 301 targets, so that setting must stay trusted configuration. The
#    "!noredirect" condition is an unanchored match anywhere in the query string.
#  - WebSocket requests under /socket.io go to ws://localhost:<listenPort>, and all
#    other requests to http://localhost:<listenPort>, both unencrypted on loopback.
# NOTE(review): this arrangement relies on the backend listening only on loopback, so
# that requests cannot bypass Apache and supply their own forwarded headers; confirm
# the bind address in the Etherpad settings.
55 services.myWebsites.tools.vhostConfs.etherpad-lite = {
57 hosts = [ "ether.immae.eu" ];
60 Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
61 RequestHeader set X-Forwarded-Proto "https"
65 RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
66 RewriteCond %{QUERY_STRING} "!noredirect"
67 RewriteCond %{REQUEST_URI} "^(.*)$"
68 RewriteCond ''${redirects:$1|Unknown} "!Unknown"
69 RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
71 RewriteCond %{REQUEST_URI} ^/socket.io [NC]
72 RewriteCond %{QUERY_STRING} transport=websocket [NC]
73 RewriteRule /(.*) ws://localhost:${etherpad.listenPort}/$1 [P,L]
75 <IfModule mod_proxy.c>
79 ProxyPass / http://localhost:${etherpad.listenPort}/
80 ProxyPassReverse / http://localhost:${etherpad.listenPort}/
82 Options FollowSymLinks MultiViews