git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/tools/ether/default.nix
Add specification for the private config file as a module.
# NixOS module that deploys Etherpad ("etherpad-lite") for ether.immae.eu:
# it declares the enable option, renders the API key, session key and
# settings file through `secrets.keys`, wires them into
# `services.etherpad-lite`, and publishes the service behind an Apache vhost
# that proxies to the service's unix socket.
{ lib, pkgs, config, ... }:
let
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): `<nixpkgs>` is resolved from NIX_PATH at evaluation time, so
  # the LibreOffice that ends up as Etherpad's "soffice" converter is whatever
  # the channel provides rather than a revision pinned by this file. Confirm
  # the channel is kept current, since this binary parses uploaded documents.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };
    # Three secret files, each declared with mode 0400: the API key, the
    # session key, and the full settings JSON. The settings JSON embeds the
    # PostgreSQL password and the LDAP bind password, so it is as sensitive as
    # the two key files.
    # NOTE(review): how `text` is materialised (and whether it passes through
    # the world-readable Nix store) is decided by the `secrets.keys` module,
    # which is not visible here; confirm before relying on the 0400 mode alone.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        # Security-relevant settings in the JSON below:
        #  - "requireAuthentication"/"requireAuthorization" are false, so pads
        #    are reachable without login even though an "ldapauth" block is
        #    configured (presumably used by an LDAP plugin for the admin area;
        #    verify which paths it actually protects).
        #  - "trustProxy" is false although the vhost below reverse-proxies
        #    and sets X-Forwarded-Proto. NOTE(review): with this value
        #    Etherpad is expected to ignore forwarded headers, which affects
        #    the logged client address ("disableIPlogging" is false) and the
        #    Secure flag on cookies; confirm this is intended.
        #  - "allowUnknownFileEnds" is true and "soffice" is set, so imported
        #    files of any extension can reach the LibreOffice converter.
        #  - "showSettingsInAdminPage" is false, which keeps the credentials
        #    in this file out of the admin UI.
        #  - LDAP is contacted over "ldaps://".
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "en-gb"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    # Point the service at the three rendered secret files rather than at
    # store paths.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # Adds the service to the "keys" group.
    # NOTE(review): presumably this grants access to the /var/secrets
    # directory. The files themselves are 0400 (owner-only), so the owner
    # assigned by the secrets module must be the service user; confirm.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";

    # Watches the three secret files with `restart = true`; presumably the
    # service is restarted when a key or the settings file is rotated
    # (behaviour is defined by the filesWatcher module, not shown here).
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Apache vhost for ether.immae.eu. The configuration string below:
    #  - sends HSTS (one year, subdomains included) on every response and
    #    overwrites X-Forwarded-Proto with "https" on every request;
    #  - applies 301 redirects from a RewriteMap built with pkgs.writeText,
    #    i.e. the map lives in the Nix store and is readable by local users,
    #    so `redirects` must not contain anything confidential;
    #  - proxies websocket upgrades under /socket.io and all other requests
    #    to the Etherpad unix socket, with "ProxyRequests Off" so the vhost
    #    does not act as a forward proxy;
    #  - grants access to all proxied content ("Require all granted"), which
    #    leaves access control entirely to the Etherpad settings above.
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}