# NixOS module for an Etherpad-lite instance. It declares an enable option and,
# when that option is set, the secret files, the systemd unit and the Apache
# vhost that appear further down in this file.
1 { lib, pkgs, config, myconfig, mylibs, ... }:
# Etherpad built with every module found in pkgs.webapps.etherpad-lite-modules
# (builtins.attrValues takes all values of that attribute set).
3 etherpad = pkgs.webapps.etherpad-lite.withModules
4 (builtins.attrValues pkgs.webapps.etherpad-lite-modules);
# Deployment-specific values (listen port, PostgreSQL and LDAP credentials,
# session key, redirects) are read from myconfig rather than written here.
5 env = myconfig.env.tools.etherpad-lite;
6 varDir = etherpad.varDir;
7 cfg = config.services.myWebsites.tools.etherpad-lite;
8 # Make sure we’re not rebuilding whole libreoffice just because of a
# NOTE(review): <nixpkgs> is looked up in the evaluation environment and
# imported with overlays = [], so this libreoffice is not the one from the
# module's own pkgs and is not pinned together with it. Its soffice binary is
# the one handed to Etherpad in the settings, so that channel has to be kept
# patched independently.
10 libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
# Single boolean switch; the config section of this module is gated on it
# through lib.mkIf cfg.enable.
12 options.services.myWebsites.tools.etherpad-lite = {
13 enable = lib.mkEnableOption "enable etherpad's website";
16 config = lib.mkIf cfg.enable {
# Three secret files are described next: the API key, the session key and the
# complete settings.json. Their dest names appear to correspond to the
# /var/secrets/webapps/... paths that the systemd unit passes to server.js.
# NOTE(review): mode and owner of these files are not visible in this listing;
# confirm they are readable only by the service account.
19 dest = "webapps/tools-etherpad-apikey";
24 dest = "webapps/tools-etherpad-sessionkey";
26 text = env.session_key;
# settings.json is handled as a secret because it interpolates the PostgreSQL
# password and the LDAP bind password in clear text.
# NOTE(review): requireAuthentication and requireAuthorization are both false
# although an LDAP account/group lookup is configured; confirm that pads are
# meant to be reachable without logging in.
# NOTE(review): allowUnknownFileEnds is true, so imports are not limited to the
# file types Etherpad supports natively; uploaded files are converted with the
# soffice and tidy binaries configured next to it.
# NOTE(review): disableIPlogging is false, so client addresses end up in the
# service log; check this against the retention policy for the journal.
29 dest = "webapps/tools-etherpad";
34 "favicon": "favicon.ico",
37 "port" : ${env.listenPort},
38 "showSettingsInAdminPage" : false,
39 "dbType" : "postgres",
41 "user" : "${env.postgresql.user}",
42 "host" : "${env.postgresql.socket}",
43 "password": "${env.postgresql.password}",
44 "database": "${env.postgresql.database}",
48 "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
53 "showLineNumbers": true,
54 "useMonospaceFont": false,
58 "alwaysShowChat": false,
59 "chatAndUsers": false,
63 "suppressErrorsInPadText" : false,
64 "requireSession" : false,
66 "sessionNoPassword" : false,
70 "soffice" : "${libreoffice}/bin/soffice",
71 "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
72 "allowUnknownFileEnds" : true,
73 "requireAuthentication" : false,
74 "requireAuthorization" : false,
76 "disableIPlogging" : false,
77 "automaticReconnectionTimeout" : 0,
78 "scrollWhenFocusLineIsOutOfViewport": {
80 "editionAboveViewport": 0,
81 "editionBelowViewport": 0
84 "scrollWhenCaretIsInTheLastLineOfViewport": false,
85 "percentageToScrollWhenUserPressesArrowUp": 0
89 "url": "ldaps://${env.ldap.host}",
90 "accountBase": "${env.ldap.base}",
91 "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
92 "displayNameAttribute": "cn",
93 "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
94 "searchPWD": "${env.ldap.password}",
95 "groupSearchBase": "${env.ldap.base}",
96 "groupAttribute": "member",
97 "groupAttributeIsDN": true,
99 "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
100 "anonymousReadonly": false
103 "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
105 "indentationOnNewLine": false,
108 ["bold", "italic", "underline", "strikethrough"],
109 ["orderedlist", "unorderedlist", "indent", "outdent"],
114 ["importexport", "timeslider", "savedrevision"],
115 ["settings", "embed"],
119 ["timeslider_export", "timeslider_returnToPad"]
123 "logconfig" : { "appenders": [ { "type": "console" } ] }
128 systemd.services.etherpad-lite = {
# systemd unit that runs the Etherpad node server; it is ordered after the
# network and PostgreSQL and pulls PostgreSQL in through wants.
129 description = "Etherpad-lite";
130 wantedBy = [ "multi-user.target" ];
131 after = [ "network.target" "postgresql.service" ];
132 wants = [ "postgresql.service" ];
134 environment.NODE_ENV = "production";
135 environment.HOME = etherpad;
# The start command receives the session key, API key and settings as file
# paths under /var/secrets, so the secret values themselves are not placed on
# the command line.
137 path = [ pkgs.nodejs ];
140 exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \
141 --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
142 --apikey /var/secrets/webapps/tools-etherpad-apikey \
143 --settings /var/secrets/webapps/tools-etherpad
148 User = "etherpad-lite";
# The service runs under its own account and group.
149 Group = "etherpad-lite";
# presumably the "keys" group is what grants read access below /var/secrets;
# verify against the module that writes the secret files.
150 SupplementaryGroups = "keys";
151 WorkingDirectory = etherpad;
# Sandboxing options visible in this listing: no privilege escalation through
# setuid binaries, a private /dev, read-only control groups and no kernel
# module loading. Other options may sit on lines not shown here.
153 NoNewPrivileges = true;
154 PrivateDevices = true;
156 ProtectControlGroups = true;
157 ProtectKernelModules = true;
161 # Use ReadWritePaths= instead if varDir is outside of /var/lib
162 StateDirectory="etherpad-lite";
# The leading "+" makes systemd run the next two commands with full
# privileges, outside the User= and sandboxing settings above.
# NOTE(review): the recursive chown makes the service account the owner of its
# own settings and key files, so the running service could also rewrite them;
# root-owned files that are only readable through a group would be tighter.
# Confirm that ownership, and not just read access, is required.
164 "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
165 "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
170 services.myWebsites.tools.modules = [
# Apache modules needed by the vhost below: header manipulation plus HTTP and
# WebSocket reverse proxying.
171 "headers" "proxy" "proxy_http" "proxy_wstunnel"
# ether.immae.eu is added as an extra domain on the existing "eldiron"
# certificate, which the vhost then uses through certName.
173 security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
174 services.myWebsites.tools.vhostConfs.etherpad-lite = {
175 certName = "eldiron";
176 hosts = [ "ether.immae.eu" ];
# The vhost configuration sends HSTS for one year including subdomains, marks
# forwarded requests as https, applies the redirect map taken from
# myconfig.env.tools.etherpad-lite.redirects, and proxies everything else to
# Etherpad on localhost over plain HTTP/WS, so TLS ends at Apache.
# NOTE(review): X-Forwarded-Proto is set to "https" unconditionally; confirm
# this vhost is only ever served over TLS.
# NOTE(review): the settings list no "websocket" entry under
# socketTransportProtocols while a websocket rewrite exists here; confirm the
# two are meant to differ.
179 Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
180 RequestHeader set X-Forwarded-Proto "https"
184 RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
185 RewriteCond %{QUERY_STRING} "!noredirect"
186 RewriteCond %{REQUEST_URI} "^(.*)$"
187 RewriteCond ''${redirects:$1|Unknown} "!Unknown"
188 RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
190 RewriteCond %{REQUEST_URI} ^/socket.io [NC]
191 RewriteCond %{QUERY_STRING} transport=websocket [NC]
192 RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,L]
194 <IfModule mod_proxy.c>
198 ProxyPass / http://localhost:${env.listenPort}/
199 ProxyPassReverse / http://localhost:${env.listenPort}/
201 Options FollowSymLinks MultiViews