]> git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/tools/ether/default.nix
Add mypads to etherpad
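# NixOS module for the Etherpad instance served at ether.immae.eu.
# It declares the enable option, writes Etherpad's API key, session key and
# settings file as secrets, starts the etherpad-lite service and places an
# Apache vhost in front of the service's unix socket.
{ lib, pkgs, config, ... }:
let
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): `<nixpkgs>` is looked up through NIX_PATH, so the LibreOffice
  # that converts imported documents follows whichever channel is configured
  # on the build host rather than the package set used for the rest of this
  # module. Confirm that channel receives security updates.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
  # Values taken from `env` are emitted as JSON string literals so that a
  # quote or backslash in a password, DN or LDAP filter cannot break or alter
  # the generated settings file.
  json = builtins.toJSON;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };
    # The three entries below are read by the service from
    # /var/secrets/webapps/ (see services.etherpad-lite further down). All are
    # mode 0400.
    # NOTE(review): whether these `text` values pass through the Nix store on
    # their way to /var/secrets depends on the secrets module, which is not
    # visible here. Confirm.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      # Etherpad settings file. It embeds the PostgreSQL password, the admin
      # password and the LDAP bind password.
      #
      # Settings worth a second look when reviewing exposure:
      # - "requireAuthentication" and "requireAuthorization" are false, so the
      #   "users" section only matters where Etherpad itself asks for a login.
      # - "trustProxy" is false although the vhost below terminates TLS and
      #   sets X-Forwarded-Proto. NOTE(review): confirm session cookies still
      #   get the Secure flag and that logged client addresses are meaningful
      #   in this setup.
      # - "allowUnknownFileEnds" is true and "soffice" is set, so imported
      #   files are presumably handed to LibreOffice. Verify this against the
      #   Etherpad version in use.
      # - "ep_mypads": per its own "warning" string, the stored copy of this
      #   hash lives in the database, so rotating the LDAP bind password here
      #   does not by itself update what mypads uses.
      {
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : ${json env.postgresql.user},
              "host" : ${json env.postgresql.socket},
              "password": ${json env.postgresql.password},
              "database": ${json env.postgresql.database},
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "admin": {
                "password": ${json env.adminPassword},
                "is_admin": true
              },
              "ldapauth": {
                "hash": "invalid",
                "url": ${json "ldaps://${env.ldap.host}"},
                "accountBase": ${json env.ldap.base},
                "accountPattern": ${json env.ldap.filter},
                "displayNameAttribute": "cn",
                "searchDN": ${json env.ldap.dn},
                "searchPWD": ${json env.ldap.password},
                "groupSearchBase": ${json env.ldap.base},
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": ${json env.ldap.group_filter},
                "anonymousReadonly": false
              }
            },
            "ep_mypads": {
              "warning": "This hash is stored in database, changing anything here will not have any consequence",
              "ldap": {
                "url": ${json "ldaps://${env.ldap.host}"},
                "bindDN": ${json env.ldap.dn},
                "bindCredentials": ${json env.ldap.password},
                "searchBase": ${json env.ldap.base},
                "searchFilter": ${json env.ldap.filter},
                "properties": {
                  "login": "uid",
                  "email": "mail",
                  "firstname": "givenName",
                  "lastname": "sn"
                },
                "defaultLang": "fr"
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # Presumably what lets the service user reach the files under
    # /var/secrets. The files themselves are 0400, so confirm ownership is
    # what grants the actual read.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Restart the service whenever one of the secret files changes, so a
    # rotated key or password is picked up.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Apache vhost: sends HSTS, applies the redirect map from
    # config.myEnv.tools.etherpad-lite.redirects (bypassed when the query
    # string contains "noredirect"), and reverse-proxies everything else to
    # the Etherpad unix socket. ProxyRequests is Off, so no forward proxying
    # is enabled here.
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}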