]> git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/tools/ether/default.nix
Move secrets to flakes
# NixOS module for the Etherpad instance served at ether.immae.eu.
#
# It declares the option myServices.websites.tools.etherpad-lite.enable and,
# when that option is set, configures: a backup profile, three secret files
# (API key, session key, settings.json), services.etherpad-lite itself, two
# systemd additions, a file watcher on the secret files, and the Apache
# reverse-proxy vhost.
{ lib, pkgs, config, ... }:
let
  # Per-service values (keys, passwords, LDAP and PostgreSQL parameters)
  # read from config.myEnv; their definition is not in this file.
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  #
  # NOTE(review): `import <nixpkgs>` is resolved through NIX_PATH at
  # evaluation time, so this file does not pin which nixpkgs revision
  # provides the soffice binary that Etherpad is pointed at below. No
  # `config` argument is passed either, so nixpkgs may fall back to its
  # impure configuration lookup. Confirm this is intended; a pinned source
  # would make the converter version reproducible.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };
    # Three secret files, each with mode 0400 (owner read only).
    # NOTE(review): every `text` is assembled from env.* at evaluation time.
    # Whether the plaintext can end up in the world-readable Nix store
    # depends on how the secrets module materialises these entries, which is
    # not visible here. Confirm against that module.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        # Etherpad settings.json. It embeds the PostgreSQL password, the
        # admin password and the LDAP bind password (twice: "ldapauth" and
        # "ep_mypads"), which is why the whole file is handled as a secret.
        #
        # NOTE(review): the env.* values are spliced into JSON string
        # literals without escaping. A value containing `"` or `\` would
        # yield invalid JSON or change the document structure; generating
        # the document with builtins.toJSON would avoid that.
        #
        # Security-relevant settings, as written below:
        #  - "showSettingsInAdminPage": false keeps this file's contents out
        #    of the admin UI.
        #  - "requireAuthentication" / "requireAuthorization": false, so the
        #    Etherpad core does not gate access; whatever restriction exists
        #    would come from the ep_ldapauth / ep_mypads plugins, whose
        #    behaviour is not visible here.
        #  - "trustProxy": false although the vhost below is a reverse proxy
        #    that sets X-Forwarded-Proto. NOTE(review): upstream documents
        #    trustProxy as the switch that makes Etherpad honour the proxy
        #    headers (real client IP in logs, "secure" flag on cookies behind
        #    TLS termination). Confirm that false is deliberate.
        #  - "allowUnknownFileEnds": true together with "soffice" set means
        #    imports are presumably not limited to the default extension
        #    list before being handed to the LibreOffice converter. Confirm
        #    this is wanted.
        #  - "disableIPlogging": false and "loglevel": "INFO": client
        #    addresses are logged at the default level.
        #  - Both LDAP blocks use an ldaps:// URL.
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "admin": {
                "password": "${env.adminPassword}",
                "is_admin": true
              },
              "ldapauth": {
                "hash": "invalid",
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "ep_mypads": {
              "warning": "This hash is stored in database, changing anything here will not have any consequence",
              "ldap": {
                "url": "ldaps://${env.ldap.host}",
                "bindDN": "${env.ldap.dn}",
                "bindCredentials": "${env.ldap.password}",
                "searchBase": "${env.ldap.base}",
                "searchFilter": "${env.ldap.filter}",
                "properties": {
                  "login": "uid",
                  "email": "mail",
                  "firstname": "givenName",
                  "lastname": "sn"
                },
                "defaultLang": "fr"
              }
            },
            "ep_comments_page": {
              "displayCommentAsIcon": true,
              "highlightSelectedText": true
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    services.etherpad-lite = {
      enable = true;
      # Etherpad built with the listed plugins. NOTE(review): plugins are
      # presumably loaded into the Etherpad server process, so each entry
      # (including the LDAP authentication plugin and the site-specific
      # ep_immae_buttons) is part of the service's trusted code; their
      # sources and versions are defined in pkgs.webapps.etherpad-lite, not
      # here.
      package = pkgs.webapps.etherpad-lite.withModules (p: [
        p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
        p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
        p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
        p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
        p.ep_previewimages p.ep_ruler p.ep_scrollto
        p.ep_set_title_on_pad p.ep_subscript_and_superscript
        p.ep_timesliderdiff
      ]);
      modules = [];
      # The service is given paths to the secret files declared above rather
      # than their contents.
      sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
      apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
      configFile = config.secrets.fullPaths."webapps/tools-etherpad";
    };

    # NOTE(review): the secret files are mode 0400, so membership of "keys"
    # grants no read bit on the files themselves; presumably the group is
    # needed to traverse the secrets directory and the files are owned by
    # the service user. Confirm against the secrets module.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Watches the three secret files; with restart = true the unit is
    # presumably restarted when one of them changes, so a rotated key or
    # password takes effect without manual action. Confirm in the
    # filesWatcher module.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    # Apache modules required by the vhost below (response/request headers,
    # HTTP reverse proxy, WebSocket tunnelling).
    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      # Apache configuration for the vhost, in order:
      #  - HSTS for one year, including subdomains of this host.
      #  - X-Forwarded-Proto is set (not appended), so a value supplied by
      #    the client is replaced with "https".
      #  - Redirect map: the request URI is looked up in a text map built
      #    from config.myEnv.tools.etherpad-lite.redirects. Targets come only
      #    from that map, never from the request, so the rule redirects only
      #    to configured destinations; a query string containing
      #    "noredirect" skips it. pkgs.writeText places the map in the Nix
      #    store, so its contents should be treated as world-readable.
      #  - WebSocket requests under /socket.io and all remaining requests
      #    are proxied to Etherpad's unix socket (ecfg.sockets.node).
      #  - ProxyRequests Off disables forward proxying, so
      #    `<Proxy *> Require all granted` only concerns the reverse-proxied
      #    paths declared here.
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}