]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - systems/eldiron/websites/ether/default.nix
Squash changes containing private information
[perso/Immae/Config/Nix.git] / systems / eldiron / websites / ether / default.nix
diff --git a/systems/eldiron/websites/ether/default.nix b/systems/eldiron/websites/ether/default.nix
new file mode 100644 (file)
index 0000000..3993553
--- /dev/null
@@ -0,0 +1,251 @@
+{ lib, pkgs, config, nixpkgsRaw, etherpad-lite, ... }:
+let
+  env = config.myEnv.tools.etherpad-lite;
+  cfg = config.myServices.websites.tools.etherpad-lite;
+  # Make sure we’re not rebuilding whole libreoffice just because of a
+  # dependency
+  libreoffice = nixpkgsRaw.libreoffice-fresh;
+  ecfg = config.services.etherpad-lite;
+in {
+  options.myServices.websites.tools.etherpad-lite = {
+    enable = lib.mkEnableOption "enable etherpad's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    myServices.dns.zones."immae.eu".subdomains.ether =
+      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
+
+    myServices.chatonsProperties.services.etherpad = {
+      file.datetime = "2021-01-04T00:01:00";
+      service = {
+        name = "Etherpad";
+        description = "Éditeur de texte collaboratif en temps réel. on peut y écrire simultanément.";
+        website = "https://ether.immae.eu";
+        logo = "https://ether.immae.eu/favicon.ico";
+        status.level = "OK";
+        status.description = "OK";
+        registration."" = ["NONE" "MEMBER" "CLIENT"];
+        registration.load = "OPEN";
+        install.type = "PACKAGE";
+      };
+      software = {
+        name = "Etherpad";
+        website = "https://etherpad.org/";
+        license.url = "https://github.com/ether/etherpad-lite/blob/develop/LICENSE";
+        license.name = "Apache License Version 2.0";
+        version = ecfg.package.version;
+        source.url = "https://github.com/ether/etherpad-lite";
+        modules = ecfg.package.moduleNames;
+      };
+    };
+    secrets.keys = {
+      "webapps/tools-etherpad-apikey" = {
+        permissions = "0400";
+        text = env.api_key;
+      };
+      "webapps/tools-etherpad-sessionkey" = {
+        permissions = "0400";
+        text = env.session_key;
+      };
+      "webapps/tools-etherpad" = {
+        permissions = "0400";
+        keyDependencies = [ libreoffice ];
+        text = ''
+          {
+            "title": "Etherpad",
+            "favicon": "favicon.ico",
+            "skinName": "colibris",
+            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",
+
+            "ip": "",
+            "port" : "${ecfg.sockets.node}",
+            "showSettingsInAdminPage" : false,
+            "dbType" : "postgres",
+            "dbSettings" : {
+              "user"    : "${env.postgresql.user}",
+              "host"    : "${env.postgresql.socket}",
+              "password": "${env.postgresql.password}",
+              "database": "${env.postgresql.database}",
+              "charset" : "utf8mb4"
+            },
+
+            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
+            "padOptions": {
+              "noColors": false,
+              "showControls": true,
+              "showChat": true,
+              "showLineNumbers": true,
+              "useMonospaceFont": false,
+              "userName": false,
+              "userColor": false,
+              "rtl": false,
+              "alwaysShowChat": false,
+              "chatAndUsers": false,
+              "lang": "fr"
+            },
+
+            "suppressErrorsInPadText" : false,
+            "requireSession" : false,
+            "editOnly" : false,
+            "sessionNoPassword" : false,
+            "minify" : false,
+            "maxAge" : 21600,
+            "abiword" : null,
+            "soffice" : "${libreoffice}/bin/soffice",
+            "tidyHtml" : "",
+            "allowUnknownFileEnds" : true,
+            "requireAuthentication" : false,
+            "requireAuthorization" : false,
+            "trustProxy" : true,
+            "disableIPlogging" : false,
+            "automaticReconnectionTimeout" : 0,
+            "scrollWhenFocusLineIsOutOfViewport": {
+              "percentage": {
+                "editionAboveViewport": 0,
+                "editionBelowViewport": 0
+              },
+              "duration": 0,
+              "scrollWhenCaretIsInTheLastLineOfViewport": false,
+              "percentageToScrollWhenUserPressesArrowUp": 0
+            },
+            "users": {
+              "admin": {
+                "password": "${env.adminPassword}",
+                "is_admin": true
+              },
+              "ldapauth": {
+                "hash": "invalid",
+                "url": "ldaps://${env.ldap.host}",
+                "accountBase": "${env.ldap.base}",
+                "accountPattern": "${env.ldap.filter}",
+                "displayNameAttribute": "cn",
+                "searchDN": "${env.ldap.dn}",
+                "searchPWD": "${env.ldap.password}",
+                "groupSearchBase": "${env.ldap.base}",
+                "groupAttribute": "member",
+                "groupAttributeIsDN": true,
+                "searchScope": "sub",
+                "groupSearch": "${env.ldap.group_filter}",
+                "anonymousReadonly": false
+              }
+            },
+            "ep_mypads": {
+              "warning": "This hash is stored in database, changing anything here will not have any consequence",
+              "ldap": {
+                "url": "ldaps://${env.ldap.host}",
+                "bindDN": "${env.ldap.dn}",
+                "bindCredentials": "${env.ldap.password}",
+                "searchBase": "${env.ldap.base}",
+                "searchFilter": "${env.ldap.filter}",
+                "properties": {
+                  "login": "uid",
+                  "email": "mail",
+                  "firstname": "givenName",
+                  "lastname": "sn"
+                },
+                "defaultLang": "fr"
+              }
+            },
+            "ep_comments_page": {
+              "displayCommentAsIcon": true,
+              "highlightSelectedText": true
+            },
+            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
+            "loadTest": false,
+            "indentationOnNewLine": false,
+            "toolbar": {
+              "left": [
+                ["bold", "italic", "underline", "strikethrough"],
+                ["orderedlist", "unorderedlist", "indent", "outdent"],
+                ["undo", "redo"],
+                ["clearauthorship"]
+              ],
+              "right": [
+                ["importexport", "timeslider", "savedrevision"],
+                ["settings", "embed"],
+                ["showusers"]
+              ],
+              "timeslider": [
+                ["timeslider_export", "timeslider_returnToPad"]
+              ]
+            },
+            "loglevel": "INFO",
+            "logconfig" : { "appenders": [ { "type": "console" } ] }
+          }
+        '';
+      };
+    };
+    services.etherpad-lite = {
+      enable = true;
+      package = etherpad-lite.withModules (p: [
+        p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
+        p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
+        p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
+        p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
+        p.ep_previewimages p.ep_ruler p.ep_scrollto
+        p.ep_set_title_on_pad p.ep_subscript_and_superscript
+        p.ep_timesliderdiff
+      ]);
+      modules = [];
+      sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
+      apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
+      configFile = config.secrets.fullPaths."webapps/tools-etherpad";
+    };
+
+    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
+    systemd.services.etherpad-lite-cleanup.serviceConfig.SupplementaryGroups = "keys";
+    # Needed so that they get in the closure
+    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];
+
+    services.filesWatcher.etherpad-lite = {
+      restart = true;
+      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
+    };
+
+    services.websites.env.tools.modules = [
+      "headers" "proxy" "proxy_http" "proxy_wstunnel"
+    ];
+    security.acme.certs.eldiron.extraDomainNames = [ "ether.immae.eu" ];
+    services.websites.env.tools.vhostConfs.etherpad-lite = {
+      certName    = "eldiron";
+      hosts       = [ "ether.immae.eu" ];
+      root        = null;
+      extraConfig = [ ''
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+        RequestHeader set X-Forwarded-Proto "https"
+
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
+        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
+        RewriteRule /(.*)           unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]
+
+        <IfModule mod_proxy.c>
+          ProxyVia On
+          ProxyRequests Off
+          ProxyPreserveHost On
+          ProxyPass         / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+          ProxyPassReverse  / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+          <Proxy *>
+            Options FollowSymLinks MultiViews
+            AllowOverride None
+            Require all granted
+          </Proxy>
+        </IfModule>
+      '' ];
+    };
+    myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
+    myServices.monitoring.fromMasterObjects.service = [
+      {
+        service_description = "etherpad website is running on ether.immae.eu";
+        host_name = config.hostEnv.fqdn;
+        use = "external-web-service";
+        check_command = ["check_https" "ether.immae.eu" "/" "<title>Etherpad"];
+
+        servicegroups = "webstatus-webapps";
+        _webstatus_name = "Etherpad";
+        _webstatus_url = "https://ether.immae.eu/";
+      }
+    ];
+  };
+}