{ lib, pkgs, config, myconfig, mylibs, ... }:
# NixOS module for the etherpad-lite tool site: a sandboxed systemd unit that
# runs the node server with its secrets taken from /var/secrets, plus an
# Apache vhost for ether.immae.eu that proxies HTTP and websocket traffic to
# the local listen port.
let
  etherpad = pkgs.callPackage ./etherpad_lite.nix {
    inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
    env = myconfig.env.tools.etherpad-lite;
  };

  etherCfg = config.services.myWebsites.tools.etherpad-lite;

  # Account the unit runs as; with DynamicUser= systemd allocates it at start.
  svcUser = "etherpad-lite";

  # Mutable application state. Assumed to sit under /var/lib so that
  # StateDirectory= below covers it (see the note in serviceConfig).
  stateDir = etherpad.webappDir.varDir;

  # Secret material is deployed outside the nix store at fixed paths.
  secretsDir = "/var/secrets/webapps";
  settingsFile = "${secretsDir}/tools-etherpad";
  sessionKeyFile = "${secretsDir}/tools-etherpad-sessionkey";
  apiKeyFile = "${secretsDir}/tools-etherpad-apikey";

  # Loopback backend the vhost forwards to.
  upstream = "localhost:${etherpad.listenPort}";

  # Redirect table (old path -> target) rendered into the store for RewriteMap.
  redirectsMap = pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects;

  # Apache snippet: HSTS, legacy-path redirects (skippable with ?noredirect),
  # websocket upgrade for socket.io, and a plain reverse proxy for the rest.
  vhostConfig = ''
    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    RequestHeader set X-Forwarded-Proto "https"

    RewriteEngine On

    RewriteMap redirects "txt:${redirectsMap}"
    RewriteCond %{QUERY_STRING} "!noredirect"
    RewriteCond %{REQUEST_URI} "^(.*)$"
    RewriteCond ''${redirects:$1|Unknown} "!Unknown"
    RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

    RewriteCond %{REQUEST_URI} ^/socket.io [NC]
    RewriteCond %{QUERY_STRING} transport=websocket [NC]
    RewriteRule /(.*) ws://${upstream}/$1 [P,L]

    <IfModule mod_proxy.c>
      ProxyVia On
      ProxyRequests Off
      ProxyPreserveHost On
      ProxyPass / http://${upstream}/
      ProxyPassReverse / http://${upstream}/
      <Proxy *>
        Options FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
      </Proxy>
    </IfModule>
  '';
in
{
  options.services.myWebsites.tools.etherpad-lite.enable =
    lib.mkEnableOption "enable etherpad's website";

  config = lib.mkIf etherCfg.enable {
    # Secrets the package declares are handed to the deployment's secret store.
    mySecrets.keys = etherpad.keys;

    systemd.services.etherpad-lite = {
      description = "Etherpad-lite";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      environment = {
        NODE_ENV = "production";
        HOME = etherpad.webappDir;
      };

      path = [ pkgs.nodejs ];

      # Key material is passed by file path, never on the command line.
      script = ''
        exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
          --sessionkey ${sessionKeyFile} \
          --apikey ${apiKeyFile} \
          --settings ${settingsFile}
      '';

      serviceConfig = {
        Type = "simple";
        Restart = "always";
        TimeoutSec = 60;

        DynamicUser = true;
        User = svcUser;
        Group = svcUser;
        # Presumably what lets the dynamic user read the deployed secret
        # files; verify against the mySecrets module.
        SupplementaryGroups = "keys";
        WorkingDirectory = etherpad.webappDir;

        # Sandboxing.
        PrivateTmp = true;
        PrivateDevices = true;
        NoNewPrivileges = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;

        # /var/lib/etherpad-lite is created and owned by systemd for the
        # service; use ReadWritePaths= instead if stateDir moves outside /var/lib.
        StateDirectory = "etherpad-lite";
        # The leading "+" makes systemd run these steps with full privileges
        # (unsandboxed, as root) before the main process starts.
        # NOTE(review): the recursive chown runs as root over a directory the
        # service user can write to; it relies on coreutils' default of not
        # following symlinks under -R and on the kernel's hardlink protection.
        ExecStartPre = [
          "+${pkgs.coreutils}/bin/install -d -m 0755 -o ${svcUser} -g ${svcUser} ${stateDir}/ep_initialized"
          "+${pkgs.coreutils}/bin/chown -R ${svcUser}:${svcUser} ${stateDir} ${settingsFile} ${sessionKeyFile} ${apiKeyFile}"
        ];
      };
    };

    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
    services.myWebsites.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ vhostConfig ];
    };
  };
}