--- /dev/null
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+ etherpad = pkgs.callPackage ./etherpad_lite.nix {
+ inherit (mylibs) fetchedGithub;
+ env = myconfig.env.tools.etherpad-lite;
+ };
+
+ cfg = config.services.myWebsites.tools.etherpad-lite;
+in {
+ options.services.myWebsites.tools.etherpad-lite = {
+ enable = lib.mkEnableOption "enable etherpad's website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.etherpad-lite = {
+ description = "Etherpad-lite";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "postgresql.service" ];
+ wants = [ "postgresql.service" ];
+
+ environment.NODE_ENV = "production";
+ environment.HOME = etherpad.webappDir;
+
+ path = [ pkgs.nodejs ];
+
+ script = ''
+ exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
+ --settings ${etherpad.config}
+ '';
+
+ serviceConfig = {
+ DynamicUser = true;
+ User = "etherpad-lite";
+ Group = "etherpad-lite";
+ WorkingDirectory = etherpad.webappDir;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ Restart = "always";
+ Type = "simple";
+ TimeoutSec = 60;
+ };
+ };
+
+ services.myWebsites.tools.modules = [
+ "headers" "proxy" "proxy_http" "proxy_wstunnel"
+ ];
+ security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
+ services.myWebsites.tools.vhostConfs.etherpad-lite = {
+ certName = "eldiron";
+ hosts = [ "ether.immae.eu" ];
+ root = null;
+ extraConfig = [ ''
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+ RequestHeader set X-Forwarded-Proto "https"
+
+ RewriteEngine On
+
+ RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
+ RewriteCond %{QUERY_STRING} "!noredirect"
+ RewriteCond %{REQUEST_URI} "^(.*)$"
+ RewriteCond ''${redirects:$1|Unknown} "!Unknown"
+ RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
+
+ RewriteCond %{REQUEST_URI} ^/socket.io [NC]
+ RewriteCond %{QUERY_STRING} transport=websocket [NC]
+ RewriteRule /(.*) ws://localhost:${etherpad.listenPort}/$1 [P,L]
+
+ <IfModule mod_proxy.c>
+ ProxyVia On
+ ProxyRequests Off
+ ProxyPreserveHost On
+ ProxyPass / http://localhost:${etherpad.listenPort}/
+ ProxyPassReverse / http://localhost:${etherpad.listenPort}/
+ ProxyPass /socket.io ws://localhost:${etherpad.listenPort}/socket.io
+ ProxyPassReverse /socket.io ws://localhost:${etherpad.listenPort}/socket.io
+ <Proxy *>
+ Options FollowSymLinks MultiViews
+ AllowOverride None
+ Require all granted
+ </Proxy>
+ </IfModule>
+ '' ];
+ };
+ };
+}
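Review bot: The `--settings ${etherpad.config}` argument in the `script` block appears to interpolate a Nix store path, and because the package is built with `env = myconfig.env.tools.etherpad-lite` and the unit wants `postgresql.service`, the rendered settings presumably hold the database password and Etherpad's session/API keys. If so, they are readable by every local user and travel with the closure. `etherpad_lite.nix` is not part of this hunk, so confirm how that file is produced; if it does embed secrets, point `--settings` at a root-provisioned path outside the store and add a comment such as `# settings hold DB credentials: must not be generated into /nix/store`. Separately, `ProxyPass /socket.io ws://…` is listed after `ProxyPass / http://…`, and mod_proxy applies the first matching rule in configuration order, so the websocket pair is never reached and only the `[P]` rewrite handles upgrades. Move the `/socket.io` pair above the `/` pair or drop it.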