git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/tools/ether/default.nix
Upgrade etherpad-lite
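# NixOS module for the Etherpad website (ether.immae.eu). When enabled it
# writes three secret files (API key, session key, settings JSON), points
# services.etherpad-lite at them, and declares an Apache vhost that
# reverse-proxies to the Etherpad node socket.
{ lib, pkgs, config, ... }:
let
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we're not rebuilding whole libreoffice just because of a
  # dependency
  # <nixpkgs> is looked up through NIX_PATH, so this module does not pin
  # the package version itself. The resulting binary is the "soffice"
  # converter referenced in the settings below.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    # mkEnableOption already prefixes the description with
    # "Whether to enable", so only the subject is given here.
    enable = lib.mkEnableOption "etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };

    # Every entry is created with mode 0400.
    # NOTE(review): owner/group and how `text` is materialised are decided
    # by the secrets module, which is not visible here. Confirm that the
    # plaintext never ends up in the world-readable Nix store.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        # Etherpad settings file. It carries the PostgreSQL password and
        # the LDAP search password, hence its place among the secrets.
        #
        # NOTE(review): the env values are interpolated verbatim into JSON
        # string literals. A `"` or `\` in a password or LDAP filter would
        # produce invalid or altered settings; builtins.toJSON would
        # escape them, provided the values in env are not already escaped.
        #
        # NOTE(review): "requireAuthentication" and "requireAuthorization"
        # are false, so the ldapauth block is configured but a login is
        # not enforced. Presumably intended for a public pad service;
        # confirm.
        #
        # NOTE(review): "allowUnknownFileEnds" is true and "soffice" is
        # set. As far as I know the Etherpad setting, this accepts imports
        # of any file extension, so LibreOffice converts untrusted uploads
        # under the service account. Confirm that this is wanted.
        #
        # NOTE(review): "trustProxy" is false although the vhost below
        # proxies every request and sets X-Forwarded-Proto. Confirm that
        # cookie flags and the logged client address ("disableIPlogging"
        # is false) come out as intended.
        #
        # "hash": "invalid" is presumably a placeholder so that only the
        # LDAP bind can authenticate. Verify against the ldapauth plugin.
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "hash": "invalid",
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];

    # The three paths below must stay in step with the `dest` values of
    # the secrets declared above.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # Presumably the group that may traverse /var/secrets; confirm
    # against the secrets module. The files themselves are mode 0400, so
    # group membership alone does not make them readable.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Watches the three secret files with restart = true, presumably so
    # that a rotated key or changed settings file restarts the service.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      # Apache vhost body:
      #  - HSTS for one year including subdomains, and X-Forwarded-Proto
      #    forced to "https" on every proxied request.
      #  - The redirect map is written with pkgs.writeText, i.e. into the
      #    Nix store, so it must not hold anything confidential. Requests
      #    whose query string contains "noredirect" skip the map.
      #  - /socket.io requests with transport=websocket are tunnelled to
      #    the node socket; everything else goes through ProxyPass.
      #  - ProxyRequests is Off, so "<Proxy *> Require all granted" only
      #    applies to the reverse-proxied backend and does not open a
      #    forward proxy.
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" env.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}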