git.immae.eu Git - perso/Immae/Config/Nix.git/blame - nixops/modules/websites/tools/ether.nix
Move etherpad-lite module outside of nixops
# NixOS module for the Etherpad instance published as ether.immae.eu.
#
# When `services.myWebsites.tools.etherpad-lite.enable` is set, it:
#   * declares three secret files (API key, session key, settings JSON),
#   * enables `services.etherpad-lite` and points it at those files,
#   * adds the systemd unit to the supplementary group "keys",
#   * declares an Apache vhost that redirects known paths and reverse-proxies
#     everything else to the backend on localhost:${env.listenPort}.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # Deployment-specific values (ports, credentials, LDAP, redirects).
  env = myconfig.env.tools.etherpad-lite;
  cfg = config.services.myWebsites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): this imports <nixpkgs> with no overlays, so the LibreOffice
  # used for document import follows that channel rather than the overlaid
  # package set; it parses visitor-supplied documents (see "soffice" below),
  # so confirm it tracks security updates.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
in {
  options.services.myWebsites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # Secret material. The `dest` values match the /var/secrets/... paths
    # given to services.etherpad-lite further down.
    # NOTE(review): mode 0400 grants read access to the owner only, while the
    # service gets access through SupplementaryGroups = "keys" below. No
    # owner/group is set on these entries, so whether the etherpad-lite user
    # can read them depends on defaults of the `secrets.keys` module, which is
    # not visible here; confirm.
    # NOTE(review): the values are plain Nix strings taken from `env`; whether
    # they stay out of the world-readable Nix store depends on how
    # `secrets.keys` materialises `text`; confirm.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        # Etherpad settings file. It embeds the PostgreSQL password and the
        # LDAP bind password, which is why it is deployed as a secret.
        #
        # Security-relevant settings in the JSON below:
        #   * "ip": "127.0.0.1": the backend listens on loopback only; the
        #     vhost below is the public entry point.
        #   * "showSettingsInAdminPage": false.
        #   * "requireAuthentication" / "requireAuthorization": false.
        #     NOTE(review): pads are then reachable by anyone who can reach
        #     the vhost; the "ldapauth" user block presumably only applies
        #     where authentication is requested (e.g. the admin pages);
        #     verify against the LDAP auth plugin in use.
        #   * "trustProxy": false, although the vhost terminates TLS and sets
        #     X-Forwarded-Proto. NOTE(review): Etherpad's settings template
        #     recommends true behind a TLS-terminating reverse proxy so that
        #     forwarded scheme/client address are honoured (cookie Secure
        #     flag, logged IPs); confirm false is intended.
        #   * "disableIPlogging": false: client addresses are logged.
        #   * "soffice" / "allowUnknownFileEnds": true. NOTE(review): import
        #     accepts files with unknown extensions and office documents are
        #     handed to the LibreOffice binary, so untrusted input reaches a
        #     document parser running as the service user; confirm this is
        #     wanted and that the unit is sandboxed accordingly.
        #   * "ldapauth"."url" uses ldaps://; the bind password comes from
        #     env.ldap.password.
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",

            "ip": "127.0.0.1",
            "port" : ${env.listenPort},
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "en-gb"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
                "displayNameAttribute": "cn",
                "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
                "anonymousReadonly": false
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    # The service reads its keys and settings from the deployed secret files
    # rather than from paths in the Nix store.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # Presumably what lets the unit traverse /var/secrets; see the 0400 note
    # on secrets.keys above.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";

    # Apache modules the vhost below relies on (headers, reverse proxy,
    # WebSocket tunnelling).
    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Add the hostname to the existing "eldiron" ACME certificate.
    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
    # Public vhost. The extraConfig below, in order:
    #   1. sends HSTS for one year including subdomains and tells the backend
    #      the original scheme was https;
    #   2. answers paths found in the redirect map with a 301, unless the
    #      query string contains "noredirect"; the map is written with
    #      pkgs.writeText, so it lives in the Nix store and its targets are
    #      operator-supplied (env redirects), not taken from the request;
    #   3. proxies /socket.io requests asking for transport=websocket to the
    #      backend over ws://;
    #   4. reverse-proxies everything else to the backend over http, with
    #      ProxyRequests Off so the host does not act as a forward proxy.
    # The ''${...} sequences are Nix escapes that emit a literal ${...} for
    # Apache's RewriteMap lookup syntax.
    services.myWebsites.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / http://localhost:${env.listenPort}/
          ProxyPassReverse / http://localhost:${env.listenPort}/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}