]> git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/tools/ether/default.nix
# NixOS module for the Etherpad Lite instance served at ether.immae.eu.
# When enabled it renders three secret files (API key, session key and the
# full settings.json), points services.etherpad-lite at them, and declares an
# Apache vhost that reverse-proxies to the unix socket Etherpad listens on.
{ lib, pkgs, config, ... }:
let
  # Deployment-specific values (credentials, LDAP/PostgreSQL coordinates,
  # redirects) for this tool.
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we're not rebuilding whole libreoffice just because of a
  # dependency: it is taken from <nixpkgs> with no overlays applied.
  # NOTE(review): <nixpkgs> is resolved through NIX_PATH, so the nixpkgs
  # revision that provides this binary is decided outside this file; confirm
  # the deployment pins it.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # All three entries are written with mode 0400 (owner read-only).
    # NOTE(review): no owner is set on these entries in this file; confirm
    # which user ends up owning them and that it is the etherpad service user.
    secrets.keys = {
      "webapps/tools-etherpad-apikey" = {
        permissions = "0400";
        text = env.api_key;
      };
      "webapps/tools-etherpad-sessionkey" = {
        permissions = "0400";
        text = env.session_key;
      };
      "webapps/tools-etherpad" = {
        permissions = "0400";
        # Rendered Etherpad settings file. It embeds the PostgreSQL password,
        # the admin password and the LDAP bind password (the latter twice:
        # users.ldapauth.searchPWD and ep_mypads.ldap.bindCredentials).
        #
        # Review notes on the values below:
        # - Every ${env...} value is spliced verbatim between JSON quotes. A
        #   `"` or `\` in a password or LDAP filter would yield invalid or
        #   differently-structured JSON. NOTE(review): consider rendering each
        #   value with builtins.toJSON, after checking that the env values
        #   are not already stored pre-escaped.
        # - "port" is set to ecfg.sockets.node and "ip" is empty; the vhost
        #   below reaches the same path as a unix socket.
        # - requireAuthentication / requireAuthorization are false, and
        #   users.admin is the only account marked is_admin.
        # - showSettingsInAdminPage is false, so this file (and the
        #   credentials in it) is not shown in the admin page.
        # - trustProxy is false although the vhost below proxies every
        #   request and sets X-Forwarded-Proto. NOTE(review): Etherpad's
        #   settings documentation recommends true behind a TLS-terminating
        #   proxy so session cookies get the Secure flag; confirm this is
        #   intentional.
        # - allowUnknownFileEnds is true: imports are not limited to the
        #   file extensions Etherpad recognises.
        # - disableIPlogging is false, so client addresses may appear in the
        #   console log configured at the end of the file.
        # - Both LDAP URLs use ldaps://.
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "admin": {
                "password": "${env.adminPassword}",
                "is_admin": true
              },
              "ldapauth": {
                "hash": "invalid",
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "ep_mypads": {
              "warning": "This hash is stored in database, changing anything here will not have any consequence",
              "ldap": {
                "url": "ldaps://${env.ldap.host}",
                "bindDN": "${env.ldap.dn}",
                "bindCredentials": "${env.ldap.password}",
                "searchBase": "${env.ldap.base}",
                "searchFilter": "${env.ldap.filter}",
                "properties": {
                  "login": "uid",
                  "email": "mail",
                  "firstname": "givenName",
                  "lastname": "sn"
                },
                "defaultLang": "fr"
              }
            },
            "ep_comments_page": {
              "displayCommentAsIcon": true,
              "highlightSelectedText": true
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      };
    };
    services.etherpad-lite = {
      enable = true;
      # Etherpad is built with its plugins baked into the package; the
      # separate `modules` list is left empty.
      package = pkgs.webapps.etherpad-lite.withModules (p: [
        p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
        p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
        p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
        p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
        p.ep_previewimages p.ep_ruler p.ep_scrollto
        p.ep_set_title_on_pad p.ep_subscript_and_superscript
        p.ep_timesliderdiff
      ]);
      modules = [];
      # The service is handed the paths of the secret files declared above,
      # not their contents.
      sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
      apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
      configFile = config.secrets.fullPaths."webapps/tools-etherpad";
    };

    # Adds the `keys` group to the unit; presumably this is what grants
    # access to the secrets location - confirm against the secrets module.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Watches the three secret files with restart = true; presumably the
    # service is restarted when one of them changes (e.g. a rotated
    # credential) - confirm against the filesWatcher module.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      # Apache configuration for the vhost:
      # - HSTS is sent on every response (one year, includeSubdomains).
      # - X-Forwarded-Proto is set with `RequestHeader set`, which replaces
      #   any value supplied by the client.
      # - The RewriteMap is a text file built from
      #   config.myEnv.tools.etherpad-lite.redirects (the same attribute set
      #   as `env`); a request whose URI has an entry in the map gets a 301
      #   to the mapped target unless the query string contains
      #   "noredirect". `''${` is the Nix escape that emits a literal `${`
      #   for Apache.
      # - Requests to /socket.io whose query string contains
      #   transport=websocket are proxied as ws:// over the unix socket;
      #   everything else goes through ProxyPass as http://.
      # - ProxyRequests Off keeps Apache from acting as a forward proxy.
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}