X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=nixops%2Fmodules%2Fwebsites%2Ftools%2Fether.nix;h=9c78b0cf52283a6ffb9e9d3557a90b2d640b3a1a;hb=5af8d43b9ee0543ff212e5c51fb0e750a2b83955;hp=1c952af5e43a3a3691ff0ee93ae4b9fd6fca0b10;hpb=bf3b7671904b8a8bf4da4eba30564140387499f9;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix index 1c952af..9c78b0c 100644 --- a/nixops/modules/websites/tools/ether.nix +++ b/nixops/modules/websites/tools/ether.nix @@ -1,20 +1,18 @@ { lib, pkgs, config, myconfig, mylibs, ... }: let - etherpad = pkgs.webapps.etherpad-lite.withModules - (builtins.attrValues pkgs.webapps.etherpad-lite-modules); env = myconfig.env.tools.etherpad-lite; - varDir = etherpad.varDir; cfg = config.services.myWebsites.tools.etherpad-lite; # Make sure we’re not rebuilding whole libreoffice just because of a # dependency libreoffice = (import { overlays = []; }).libreoffice-fresh; + ecfg = config.services.etherpad-lite; in { options.services.myWebsites.tools.etherpad-lite = { enable = lib.mkEnableOption "enable etherpad's website"; }; config = lib.mkIf cfg.enable { - mySecrets.keys = [ + secrets.keys = [ { dest = "webapps/tools-etherpad-apikey"; permissions = "0400"; @@ -33,8 +31,8 @@ in { "title": "Etherpad", "favicon": "favicon.ico", - "ip": "127.0.0.1", - "port" : ${env.listenPort}, + "ip": "", + "port" : "${ecfg.sockets.node}", "showSettingsInAdminPage" : false, "dbType" : "postgres", "dbSettings" : { 
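Review bot: Nothing around the new `"ip": ""` / `"port" : "${ecfg.sockets.node}"` lines shows who may connect to the Unix socket that replaces the 127.0.0.1 listener. Access to the backend now depends on the mode and ownership of that socket and its parent directory, which are presumably set by the `services.etherpad-lite` module outside this diff. Confirm that only the service user and the Apache user can open it; the same applies to the three `unix://${ecfg.sockets.node}|…` proxy targets in the last hunk. A comment beside the new `ecfg` binding would record the intent, e.g. `# ecfg.sockets.node: Unix socket Etherpad binds ("ip": "" + path in "port"); its file mode decides who can reach the backend`. The settings block continues outside the hunk.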
@@ -125,48 +123,16 @@ in { ''; } ]; - systemd.services.etherpad-lite = { - description = "Etherpad-lite"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "postgresql.service" ]; - wants = [ "postgresql.service" ]; - - environment.NODE_ENV = "production"; - environment.HOME = etherpad; - - path = [ pkgs.nodejs ]; - - script = '' - exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \ - --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \ - --apikey /var/secrets/webapps/tools-etherpad-apikey \ - --settings /var/secrets/webapps/tools-etherpad - ''; - - serviceConfig = { - DynamicUser = true; - User = "etherpad-lite"; - Group = "etherpad-lite"; - SupplementaryGroups = "keys"; - WorkingDirectory = etherpad; - PrivateTmp = true; - NoNewPrivileges = true; - PrivateDevices = true; - ProtectHome = true; - ProtectControlGroups = true; - ProtectKernelModules = true; - Restart = "always"; - Type = "simple"; - TimeoutSec = 60; - # Use ReadWritePaths= instead if varDir is outside of /var/lib - StateDirectory="etherpad-lite"; - ExecStartPre = [ - "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized" - "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey" - ]; - }; + services.etherpad-lite = { + enable = true; + modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules; + sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey"; + apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey"; + configFile = "/var/secrets/webapps/tools-etherpad"; }; + systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys"; + services.myWebsites.tools.modules = [ "headers" "proxy" "proxy_http" "proxy_wstunnel" ]; 
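Review bot: The sandboxing directives of the deleted unit (`NoNewPrivileges`, `PrivateTmp`, `PrivateDevices`, `ProtectHome`, `ProtectControlGroups`, `ProtectKernelModules`) are no longer set in this file; only `SupplementaryGroups = "keys"` is carried over. Whether the `services.etherpad-lite` module applies them is not visible here. If it does not, they can be restored next to the `SupplementaryGroups` line, for example `systemd.services.etherpad-lite.serviceConfig.NoNewPrivileges = true;`. The `ExecStartPre` chown of the three `/var/secrets/webapps/tools-etherpad*` files is also gone, while the key entry visible in the first hunk uses `permissions = "0400"`. Membership of group `keys` cannot read a 0400 file, so the `secrets.keys` entries need to assign ownership to the service user themselves; confirm they do.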
@@ -189,14 +155,14 @@ in { RewriteCond %{REQUEST_URI} ^/socket.io [NC] RewriteCond %{QUERY_STRING} transport=websocket [NC] - RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,L] + RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L] ProxyVia On ProxyRequests Off ProxyPreserveHost On - ProxyPass / http://localhost:${env.listenPort}/ - ProxyPassReverse / http://localhost:${env.listenPort}/ + ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/ + ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/ Options FollowSymLinks MultiViews AllowOverride None
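Review bot: The websocket `RewriteRule /(.*) … [P,NE,QSA,L]` captures the whole request path, unanchored, and with the newly added `NE` flag re-inserts it into the proxied target without escaping. The two `RewriteCond` lines already limit the rule to `/socket.io` websocket requests, so the pattern can be anchored and narrowed to match, leaving the proxy rule independent of the conditions above it. Something like `RewriteRule ^/(socket\.io.*)$ unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NC,NE,QSA,L]` would do that. The surrounding virtual-host block starts and ends outside the hunk.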