git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/tools/ether/default.nix
Fix etherpad export and paths
# NixOS module for the Etherpad instance served at ether.immae.eu.
#
# It declares `myServices.websites.tools.etherpad-lite.enable` and, when that
# option is set, wires up: a backup profile, three secret files (API key,
# session key, settings JSON), the `services.etherpad-lite` service, a file
# watcher on the secret files, and an Apache vhost that reverse-proxies to the
# service's unix socket.
{ lib, pkgs, config, ... }:
let
  # Site-specific values (keys, database and LDAP credentials, redirects).
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): `<nixpkgs>` is resolved through NIX_PATH, not through the
  # `pkgs` argument, so the LibreOffice build used below as "soffice" follows
  # whatever channel the build host has. Confirm that channel is kept current
  # for security updates, since this binary is the document converter.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };
    # Secret files, each with mode 0400. The `dest` values are presumably
    # relative to /var/secrets, which is where services.etherpad-lite below
    # reads them from. TODO confirm against the secrets module.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        # Etherpad settings JSON. It is handled as a secret because it embeds
        # the PostgreSQL password and the LDAP bind password.
        #
        # "ip" is empty and "port" is a filesystem path, so the service
        # listens on the unix socket `ecfg.sockets.node` that the vhost below
        # proxies to.
        #
        # NOTE(review): every `${...}` value is spliced into a JSON string
        # literal without escaping. A `"` or `\` in a password, DN or LDAP
        # filter would yield invalid or structurally different JSON;
        # `builtins.toJSON` on each value would avoid that. Verify whether the
        # values in myEnv are already stored JSON-escaped before changing it.
        #
        # NOTE(review): "requireAuthentication" and "requireAuthorization" are
        # both false, while "allowUnknownFileEnds" is true and "soffice" is
        # set. As configured, imports of any file extension appear to be
        # accepted without login and may be handed to LibreOffice for
        # conversion. Confirm that this exposure is intended.
        #
        # NOTE(review): "trustProxy" is false although the vhost below sets
        # X-Forwarded-Proto. Presumably Etherpad then ignores forwarded
        # headers. Confirm the effect on logged client addresses and on
        # secure-cookie handling.
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    # The service is pointed at the three secret files declared above.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # Extra group for the service process, presumably the group that is
    # allowed to read /var/secrets. TODO confirm against the secrets module.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Watches the key and settings files; with `restart = true` the service is
    # presumably restarted when one of them changes. Verify in the
    # filesWatcher module.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    # Apache modules the vhost below relies on (headers, HTTP and WebSocket
    # proxying).
    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      # Apache configuration for the vhost, in order:
      #  - sends HSTS (one year, including subdomains) on every response and
      #    forces X-Forwarded-Proto to "https" on proxied requests;
      #  - answers with a 301, dropping the query string, for any request URI
      #    listed in the redirects map, unless the query string contains
      #    "noredirect";
      #  - proxies /socket.io requests carrying transport=websocket to the
      #    service's unix socket over ws://;
      #  - proxies everything else to the same socket over http://.
      # ProxyRequests is Off, so no forward proxy is exposed; the
      # `Require all granted` in <Proxy *> therefore covers reverse-proxied
      # traffic only.
      #
      # NOTE(review): the redirects map is built with pkgs.writeText, so its
      # content lives in the world-readable Nix store. Confirm the map holds
      # nothing that should stay private (for example unlisted pad names).
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}