git.immae.eu Git - perso/Immae/Config/Nix.git/blame - nixops/modules/websites/tools/ether.nix
Start moving websites configuration to modules
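# NixOS module: Etherpad Lite served through the "tools" Apache vhost at
# ether.immae.eu. It declares three secret files (API key, session key,
# settings.json), points services.etherpad-lite at them, and adds the
# reverse-proxy vhost that forwards to Etherpad's unix socket.
{ lib, pkgs, config, myconfig, ... }:
let
  # Deployment-specific values: keys, PostgreSQL and LDAP credentials,
  # redirect map.
  env = myconfig.env.tools.etherpad-lite;
  cfg = config.services.myWebsites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): `<nixpkgs>` is looked up through NIX_PATH at evaluation
  # time, so the soffice binary that converts imported documents comes from
  # whatever channel the deploying machine has, not from the `pkgs` this
  # module receives. Pinning that import would make the converter version
  # reproducible and auditable.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.services.myWebsites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # Secret files consumed by services.etherpad-lite below, which reads them
    # from /var/secrets/<dest>. All three are mode 0400.
    # NOTE(review): owner/group and whether `text` passes through the Nix
    # store are decided by the secrets module, which is not visible here.
    # Confirm both, since the settings file embeds the PostgreSQL and LDAP
    # bind passwords.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        # Etherpad settings.json. Review notes, kept out of the string so the
        # generated file is unchanged apart from the fixes listed:
        #  - trustProxy is set to true (was false). Etherpad is only reached
        #    through the Apache vhost below, which terminates TLS and sets
        #    X-Forwarded-Proto; the upstream settings template documents
        #    trustProxy as required in that setup, otherwise cookies lack the
        #    Secure flag and logs carry the proxy's address. The logged
        #    client address then comes from X-Forwarded-For, so it is only as
        #    reliable as the proxy's handling of that header. Confirm against
        #    the packaged Etherpad version.
        #  - The two passwords are emitted with builtins.toJSON so a quote or
        #    backslash in a credential cannot break or alter the JSON.
        #  - requireAuthentication and requireAuthorization are false, so as
        #    far as this file shows, pad access is not gated by the ldapauth
        #    block; document import (soffice conversion) is reachable by the
        #    same users.
        #  - allowUnknownFileEnds = true accepts imports whose extension is
        #    outside Etherpad's known list.
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": ${builtins.toJSON env.postgresql.password},
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "en-gb"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : true,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
                "displayNameAttribute": "cn",
                "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
                "searchPWD": ${builtins.toJSON env.ldap.password},
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
                "anonymousReadonly": false
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];

    # Paths match the `dest` values declared in secrets.keys above.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # The service joins the "keys" group, presumably so it can reach the
    # files under /var/secrets. Verify against the secrets module, because
    # mode 0400 gives the group itself no read bit.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";

    # Apache modules needed by the vhost: header rewriting plus HTTP and
    # websocket proxying.
    services.websites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
    services.websites.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      hosts = [ "ether.immae.eu" ];
      root = null;
      # Reverse proxy to Etherpad's unix socket. ProxyRequests Off keeps
      # Apache from acting as a forward proxy, so the `<Proxy *>` grant only
      # covers the reverse-proxied backend. The redirect map is built with
      # pkgs.writeText and therefore sits in the world-readable Nix store, so
      # it must not hold anything confidential.
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" env.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}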