Add etherpad lite tool

[perso/Immae/Config/Nix.git] / virtual / modules / websites / tools / ether / default.nix

diff --git a/virtual/modules/websites/tools/ether/default.nix b/virtual/modules/websites/tools/ether/default.nix
new file mode 100644 (file)
index 0000000..5ee3433
--- /dev/null
+++ b/virtual/modules/websites/tools/ether/default.nix
@@ -0,0 +1,89 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+  etherpad = pkgs.callPackage ./etherpad_lite.nix {
+    inherit (mylibs) fetchedGithub;
+    env = myconfig.env.tools.etherpad-lite;
+  };
+
+  cfg = config.services.myWebsites.tools.etherpad-lite;
+in {
+  options.services.myWebsites.tools.etherpad-lite = {
+    enable = lib.mkEnableOption "enable etherpad's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.etherpad-lite = {
+      description = "Etherpad-lite";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "postgresql.service" ];
+      wants = [ "postgresql.service" ];
+
+      environment.NODE_ENV = "production";
+      environment.HOME = etherpad.webappDir;
+
+      path = [ pkgs.nodejs ];
+
+      script = ''
+        exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
+          --settings ${etherpad.config}
+      '';
+
+      serviceConfig = {
+        DynamicUser = true;
+        User = "etherpad-lite";
+        Group = "etherpad-lite";
+        WorkingDirectory = etherpad.webappDir;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        Restart = "always";
+        Type = "simple";
+        TimeoutSec = 60;
+      };
+    };
+
+    services.myWebsites.tools.modules = [
+      "headers" "proxy" "proxy_http" "proxy_wstunnel"
+    ];
+    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
+    services.myWebsites.tools.vhostConfs.etherpad-lite = {
+      certName    = "eldiron";
+      hosts       = [ "ether.immae.eu" ];
+      root        = null;
+      extraConfig = [ ''
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+        RequestHeader set X-Forwarded-Proto "https"
+
+        RewriteEngine On
+
+        RewriteMap  redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
+        RewriteCond %{QUERY_STRING}         "!noredirect"
+        RewriteCond %{REQUEST_URI}          "^(.*)$"
+        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
+        RewriteRule "^(.*)$"                ''${redirects:$1}  [L,NE,R=301,QSD]
+
+        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
+        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
+        RewriteRule /(.*)           ws://localhost:${etherpad.listenPort}/$1 [P,L]
+
+        <IfModule mod_proxy.c>
+          ProxyVia On
+          ProxyRequests Off
+          ProxyPreserveHost On
+          ProxyPass         / http://localhost:${etherpad.listenPort}/
+          ProxyPassReverse  / http://localhost:${etherpad.listenPort}/
+          ProxyPass         /socket.io ws://localhost:${etherpad.listenPort}/socket.io
+          ProxyPassReverse  /socket.io ws://localhost:${etherpad.listenPort}/socket.io
+          <Proxy *>
+            Options FollowSymLinks MultiViews
+            AllowOverride None
+            Require all granted
+          </Proxy>
+        </IfModule>
+      '' ];
+    };
+  };
+}