[perso/Immae/Config/Nix.git] / systems / eldiron / websites / ether / default.nix

{ lib, pkgs, config, nixpkgsRaw, etherpad-lite, ... }:
let
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  libreoffice = nixpkgsRaw.libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    myServices.dns.zones."immae.eu".subdomains.ether =
      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;

    myServices.chatonsProperties.services.etherpad = {
      file.datetime = "2021-01-04T00:01:00";
      service = {
        name = "Etherpad";
        description = "Éditeur de texte collaboratif en temps réel. on peut y écrire simultanément.";
        website = "https://ether.immae.eu";
        logo = "https://ether.immae.eu/favicon.ico";
        status.level = "OK";
        status.description = "OK";
        registration."" = ["NONE" "MEMBER" "CLIENT"];
        registration.load = "OPEN";
        install.type = "PACKAGE";
      };
      software = {
        name = "Etherpad";
        website = "https://etherpad.org/";
        license.url = "https://github.com/ether/etherpad-lite/blob/develop/LICENSE";
        license.name = "Apache License Version 2.0";
        version = ecfg.package.version;
        source.url = "https://github.com/ether/etherpad-lite";
        modules = ecfg.package.moduleNames;
      };
    };
    secrets.keys = {
      "webapps/tools-etherpad-apikey" = {
        permissions = "0400";
        text = env.api_key;
      };
      "webapps/tools-etherpad-sessionkey" = {
        permissions = "0400";
        text = env.session_key;
      };
      "webapps/tools-etherpad" = {
        permissions = "0400";
        keyDependencies = [ libreoffice ];
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user"    : "${env.postgresql.user}",
              "host"    : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : false,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : true,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "admin": {
                "password": "${env.adminPassword}",
                "is_admin": true
              },
              "ldapauth": {
                "hash": "invalid",
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "ep_mypads": {
              "warning": "This hash is stored in database, changing anything here will not have any consequence",
              "ldap": {
                "url": "ldaps://${env.ldap.host}",
                "bindDN": "${env.ldap.dn}",
                "bindCredentials": "${env.ldap.password}",
                "searchBase": "${env.ldap.base}",
                "searchFilter": "${env.ldap.filter}",
                "properties": {
                  "login": "uid",
                  "email": "mail",
                  "firstname": "givenName",
                  "lastname": "sn"
                },
                "defaultLang": "fr"
              }
            },
            "ep_comments_page": {
              "displayCommentAsIcon": true,
              "highlightSelectedText": true
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      };
    };
    services.etherpad-lite = {
      enable = true;
      package = etherpad-lite.withModules (p: [
        p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
        p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
        p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
        p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
        p.ep_previewimages p.ep_ruler p.ep_scrollto
        p.ep_set_title_on_pad p.ep_subscript_and_superscript
        p.ep_timesliderdiff
      ]);
      modules = [];
      sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
      apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
      configFile = config.secrets.fullPaths."webapps/tools-etherpad";
    };

    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    systemd.services.etherpad-lite-cleanup.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs.eldiron.extraDomainNames = [ "ether.immae.eu" ];
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName    = "eldiron";
      hosts       = [ "ether.immae.eu" ];
      root        = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
        RewriteRule /(.*)           unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass         / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse  / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
    myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
    myServices.monitoring.fromMasterObjects.service = [
      {
        service_description = "etherpad website is running on ether.immae.eu";
        host_name = config.hostEnv.fqdn;
        use = "external-web-service";
        check_command = ["check_https" "ether.immae.eu" "/" "<title>Etherpad"];

        servicegroups = "webstatus-webapps";
        _webstatus_name = "Etherpad";
        _webstatus_url = "https://ether.immae.eu/";
      }
    ];
  };
}
Commit	Line	Data
1a64deeb	1	{ lib, pkgs, config, nixpkgsRaw, etherpad-lite, ... }:
bf3b7671	2	let
ab8f306d	3	env = config.myEnv.tools.etherpad-lite;
4288c2f2	4	cfg = config.myServices.websites.tools.etherpad-lite;
bf3b7671 IB	5	# Make sure we’re not rebuilding whole libreoffice just because of a
bf3b7671 IB	6	# dependency
1a64deeb	7	libreoffice = nixpkgsRaw.libreoffice-fresh;
5af8d43b	8	ecfg = config.services.etherpad-lite;
bf3b7671	9	in {
4288c2f2	10	options.myServices.websites.tools.etherpad-lite = {
bf3b7671 IB	11	enable = lib.mkEnableOption "enable etherpad's website";
	12	};
	13
	14	config = lib.mkIf cfg.enable {
1a64deeb IB	15	myServices.dns.zones."immae.eu".subdomains.ether =
	16	with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
	17
	18	myServices.chatonsProperties.services.etherpad = {
	19	file.datetime = "2021-01-04T00:01:00";
	20	service = {
	21	name = "Etherpad";
	22	description = "Éditeur de texte collaboratif en temps réel. on peut y écrire simultanément.";
	23	website = "https://ether.immae.eu";
	24	logo = "https://ether.immae.eu/favicon.ico";
	25	status.level = "OK";
	26	status.description = "OK";
	27	registration."" = ["NONE" "MEMBER" "CLIENT"];
	28	registration.load = "OPEN";
	29	install.type = "PACKAGE";
	30	};
	31	software = {
	32	name = "Etherpad";
	33	website = "https://etherpad.org/";
	34	license.url = "https://github.com/ether/etherpad-lite/blob/develop/LICENSE";
	35	license.name = "Apache License Version 2.0";
	36	version = ecfg.package.version;
	37	source.url = "https://github.com/ether/etherpad-lite";
	38	modules = ecfg.package.moduleNames;
	39	};
	40	};
4c4652aa IB	41	secrets.keys = {
4c4652aa IB	42	"webapps/tools-etherpad-apikey" = {
bf3b7671 IB	43	permissions = "0400";
bf3b7671 IB	44	text = env.api_key;
4c4652aa IB	45	};
4c4652aa IB	46	"webapps/tools-etherpad-sessionkey" = {
bf3b7671 IB	47	permissions = "0400";
bf3b7671 IB	48	text = env.session_key;
4c4652aa IB	49	};
4c4652aa IB	50	"webapps/tools-etherpad" = {
bf3b7671	51	permissions = "0400";
1a64deeb	52	keyDependencies = [ libreoffice ];
bf3b7671 IB	53	text = ''
	54	{
	55	"title": "Etherpad",
	56	"favicon": "favicon.ico",
d3e4c366 IB	57	"skinName": "colibris",
d3e4c366 IB	58	"skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",
bf3b7671	59
5af8d43b IB	60	"ip": "",
5af8d43b IB	61	"port" : "${ecfg.sockets.node}",
bf3b7671 IB	62	"showSettingsInAdminPage" : false,
	63	"dbType" : "postgres",
	64	"dbSettings" : {
	65	"user" : "${env.postgresql.user}",
	66	"host" : "${env.postgresql.socket}",
	67	"password": "${env.postgresql.password}",
	68	"database": "${env.postgresql.database}",
	69	"charset" : "utf8mb4"
	70	},
	71
	72	"defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
	73	"padOptions": {
	74	"noColors": false,
	75	"showControls": true,
	76	"showChat": true,
	77	"showLineNumbers": true,
	78	"useMonospaceFont": false,
	79	"userName": false,
	80	"userColor": false,
	81	"rtl": false,
	82	"alwaysShowChat": false,
	83	"chatAndUsers": false,
78228078	84	"lang": "fr"
bf3b7671 IB	85	},
	86
	87	"suppressErrorsInPadText" : false,
	88	"requireSession" : false,
	89	"editOnly" : false,
	90	"sessionNoPassword" : false,
1a64deeb	91	"minify" : false,
bf3b7671 IB	92	"maxAge" : 21600,
	93	"abiword" : null,
	94	"soffice" : "${libreoffice}/bin/soffice",
78228078	95	"tidyHtml" : "",
bf3b7671 IB	96	"allowUnknownFileEnds" : true,
	97	"requireAuthentication" : false,
	98	"requireAuthorization" : false,
1a64deeb	99	"trustProxy" : true,
bf3b7671 IB	100	"disableIPlogging" : false,
	101	"automaticReconnectionTimeout" : 0,
	102	"scrollWhenFocusLineIsOutOfViewport": {
	103	"percentage": {
	104	"editionAboveViewport": 0,
	105	"editionBelowViewport": 0
	106	},
	107	"duration": 0,
	108	"scrollWhenCaretIsInTheLastLineOfViewport": false,
	109	"percentageToScrollWhenUserPressesArrowUp": 0
	110	},
	111	"users": {
f0d942ac IB	112	"admin": {
	113	"password": "${env.adminPassword}",
	114	"is_admin": true
	115	},
bf3b7671	116	"ldapauth": {
d3e4c366	117	"hash": "invalid",
bf3b7671 IB	118	"url": "ldaps://${env.ldap.host}",
bf3b7671 IB	119	"accountBase": "${env.ldap.base}",
ab8f306d	120	"accountPattern": "${env.ldap.filter}",
bf3b7671	121	"displayNameAttribute": "cn",
ab8f306d	122	"searchDN": "${env.ldap.dn}",
bf3b7671 IB	123	"searchPWD": "${env.ldap.password}",
	124	"groupSearchBase": "${env.ldap.base}",
	125	"groupAttribute": "member",
	126	"groupAttributeIsDN": true,
	127	"searchScope": "sub",
ab8f306d	128	"groupSearch": "${env.ldap.group_filter}",
bf3b7671 IB	129	"anonymousReadonly": false
	130	}
	131	},
f0d942ac IB	132	"ep_mypads": {
	133	"warning": "This hash is stored in database, changing anything here will not have any consequence",
	134	"ldap": {
	135	"url": "ldaps://${env.ldap.host}",
	136	"bindDN": "${env.ldap.dn}",
	137	"bindCredentials": "${env.ldap.password}",
	138	"searchBase": "${env.ldap.base}",
	139	"searchFilter": "${env.ldap.filter}",
	140	"properties": {
	141	"login": "uid",
	142	"email": "mail",
	143	"firstname": "givenName",
	144	"lastname": "sn"
	145	},
	146	"defaultLang": "fr"
	147	}
	148	},
4b0a82cc IB	149	"ep_comments_page": {
	150	"displayCommentAsIcon": true,
	151	"highlightSelectedText": true
	152	},
bf3b7671 IB	153	"socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
	154	"loadTest": false,
	155	"indentationOnNewLine": false,
	156	"toolbar": {
	157	"left": [
	158	["bold", "italic", "underline", "strikethrough"],
	159	["orderedlist", "unorderedlist", "indent", "outdent"],
	160	["undo", "redo"],
	161	["clearauthorship"]
	162	],
	163	"right": [
	164	["importexport", "timeslider", "savedrevision"],
	165	["settings", "embed"],
	166	["showusers"]
	167	],
	168	"timeslider": [
	169	["timeslider_export", "timeslider_returnToPad"]
	170	]
	171	},
	172	"loglevel": "INFO",
	173	"logconfig" : { "appenders": [ { "type": "console" } ] }
	174	}
	175	'';
4c4652aa IB	176	};
4c4652aa IB	177	};
742c28ad IB	178	services.etherpad-lite = {
742c28ad IB	179	enable = true;
1a64deeb	180	package = etherpad-lite.withModules (p: [
4b0a82cc IB	181	p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
	182	p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
	183	p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
	184	p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
	185	p.ep_previewimages p.ep_ruler p.ep_scrollto
	186	p.ep_set_title_on_pad p.ep_subscript_and_superscript
	187	p.ep_timesliderdiff
	188	]);
	189	modules = [];
da30ae4f IB	190	sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
	191	apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
	192	configFile = config.secrets.fullPaths."webapps/tools-etherpad";
bf3b7671 IB	193	};
bf3b7671 IB	194
742c28ad	195	systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
1a64deeb	196	systemd.services.etherpad-lite-cleanup.serviceConfig.SupplementaryGroups = "keys";
78228078 IB	197	# Needed so that they get in the closure
78228078 IB	198	systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];
742c28ad	199
17f6eae9 IB	200	services.filesWatcher.etherpad-lite = {
	201	restart = true;
	202	paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
	203	};
	204
29f8cb85	205	services.websites.env.tools.modules = [
bf3b7671 IB	206	"headers" "proxy" "proxy_http" "proxy_wstunnel"
bf3b7671 IB	207	];
1a64deeb	208	security.acme.certs.eldiron.extraDomainNames = [ "ether.immae.eu" ];
29f8cb85	209	services.websites.env.tools.vhostConfs.etherpad-lite = {
bf3b7671 IB	210	certName = "eldiron";
	211	hosts = [ "ether.immae.eu" ];
	212	root = null;
	213	extraConfig = [ ''
	214	Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
	215	RequestHeader set X-Forwarded-Proto "https"
	216
	217	RewriteEngine On
	218
bf3b7671 IB	219	RewriteCond %{REQUEST_URI} ^/socket.io [NC]
bf3b7671 IB	220	RewriteCond %{QUERY_STRING} transport=websocket [NC]
5af8d43b	221	RewriteRule /(.*) unix://${ecfg.sockets.node}\|ws://ether.immae.eu/$1 [P,NE,QSA,L]
bf3b7671 IB	222
	223	<IfModule mod_proxy.c>
	224	ProxyVia On
	225	ProxyRequests Off
	226	ProxyPreserveHost On
5af8d43b IB	227	ProxyPass / unix://${ecfg.sockets.node}\|http://ether.immae.eu/
5af8d43b IB	228	ProxyPassReverse / unix://${ecfg.sockets.node}\|http://ether.immae.eu/
bf3b7671 IB	229	<Proxy *>
	230	Options FollowSymLinks MultiViews
	231	AllowOverride None
	232	Require all granted
	233	</Proxy>
	234	</IfModule>
	235	'' ];
	236	};
1a64deeb IB	237	myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
	238	myServices.monitoring.fromMasterObjects.service = [
	239	{
	240	service_description = "etherpad website is running on ether.immae.eu";
	241	host_name = config.hostEnv.fqdn;
	242	use = "external-web-service";
	243	check_command = ["check_https" "ether.immae.eu" "/" "<title>Etherpad"];
	244
	245	servicegroups = "webstatus-webapps";
	246	_webstatus_name = "Etherpad";
	247	_webstatus_url = "https://ether.immae.eu/";
	248	}
	249	];
bf3b7671 IB	250	};
bf3b7671 IB	251	}