git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/tools/ether/default.nix
Refactor websites options
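# NixOS module for the Etherpad instance served at ether.immae.eu. It declares
# the enable option, renders the API key, the session key and the settings
# file as secrets, enables the etherpad-lite service, and configures the
# Apache vhost that reverse-proxies to Etherpad's unix socket.
{ lib, pkgs, config, myconfig, ... }:
let
  env = myconfig.env.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
  # Values taken from `env` are spliced into the settings JSON below. Encoding
  # them with toJSON (which emits the surrounding quotes and escapes `"` and
  # `\`) keeps a password containing such characters from breaking the file or
  # changing its structure.
  json = builtins.toJSON;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # NOTE(review): mode 0400 makes each file readable by its owner only. The
    # owner is chosen by the secrets module, which is not shown here; confirm
    # it is the etherpad service user, because the `keys` supplementary group
    # set further down grants no read access to a 0400 file by itself.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        # Etherpad settings file. It embeds the PostgreSQL and LDAP bind
        # passwords, which is why it is handled as a secret.
        #
        # Review notes on the settings below (kept outside the JSON text so
        # the rendered file is unchanged):
        # - "requireAuthentication"/"requireAuthorization" are false, so pads
        #   are reachable by anyone who can reach the vhost; the "ldapauth"
        #   block presumably only applies where authentication is enforced
        #   (e.g. the admin pages) -- confirm.
        # - "trustProxy" is false although every request arrives through the
        #   Apache vhost below; with "disableIPlogging" false, the addresses
        #   Etherpad logs are then presumably the proxy's rather than the
        #   client's -- confirm whether that is intended for audit purposes.
        # - "allowUnknownFileEnds" is true, so imports are not restricted to
        #   the known document types; set it to false if imports of arbitrary
        #   file types are not needed.
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : ${json env.postgresql.user},
              "host" : ${json env.postgresql.socket},
              "password": ${json env.postgresql.password},
              "database": ${json env.postgresql.database},
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "en-gb"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "url": ${json "ldaps://${env.ldap.host}"},
                "accountBase": ${json env.ldap.base},
                "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
                "displayNameAttribute": "cn",
                "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
                "searchPWD": ${json env.ldap.password},
                "groupSearchBase": ${json env.ldap.base},
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
                "anonymousReadonly": false
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];

    # The service reads its keys and settings from the secret files declared
    # above instead of from values written into this module.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";

    # Restart the service when any of the three secret files changes, so a
    # rotated key or password takes effect.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      # Apache configuration for the vhost:
      # - HSTS is sent on every response with a one-year max-age and covers
      #   subdomains.
      # - X-Forwarded-Proto is set to "https" unconditionally on requests
      #   passed to the backend.
      # - A request whose URI has an entry in the redirects map is answered
      #   with a 301 unless its query string contains "noredirect".
      # - socket.io requests asking for the websocket transport are proxied
      #   over ws://, everything else over http://, both through Etherpad's
      #   unix socket.
      # - "ProxyRequests Off" keeps Apache from acting as a forward proxy, so
      #   the "Require all granted" in <Proxy *> only opens the reverse-proxied
      #   backend.
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}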