]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/websites/ressourcerie_banon/cryptpad.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add cryptpad to ressourcerie banon
[perso/Immae/Config/Nix.git] / modules / private / websites / ressourcerie_banon / cryptpad.nix
1 { lib, pkgs, config, ... }:
2 let
3 cfg = config.myServices.websites.ressourcerie_banon.cryptpad;
4 port = config.myEnv.ports.cryptpad_ressourcerie_banon;
5 configFile = pkgs.writeText "config.js" ''
6 // ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js
7 module.exports = {
8 httpUnsafeOrigin: 'https://${domain}',
9 httpPort: ${toString port},
10 adminEmail: 'devnull@mail.immae.eu',
11 filePath: './datastore/',
12 archivePath: './data/archive',
13 pinPath: './data/pins',
14 taskPath: './data/tasks',
15 blockPath: './block',
16 blobPath: './blob',
17 blobStagingPath: './data/blobstage',
18 decreePath: './data/decrees',
19 logPath: './data/logs',
20 logToStdout: false,
21 logLevel: 'info',
22 logFeedback: false,
23 verbose: false,
24 };
25 '';
26 domain = "pad.le-garage-autonome.org";
27 api_domain = "pad.le-garage-autonome.org";
28 files_domain = "pad.le-garage-autonome.org";
29 in {
30 options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad";
31
32 config = lib.mkIf cfg.enable {
33 systemd.services.cryptpad-ressourcerie_banon = {
34 description = "Cryptpad Banon Service";
35 wantedBy = [ "multi-user.target" ];
36 after = [ "networking.target" ];
37 serviceConfig = {
38 DynamicUser = true;
39 Environment = [
40 "CRYPTPAD_CONFIG=${configFile}"
41 "HOME=%S/cryptpad/ressourcerie_banon"
42 ];
43 ExecStart = "${pkgs.cryptpad}/bin/cryptpad";
44 PrivateTmp = true;
45 Restart = "always";
46 StateDirectory = "cryptpad/ressourcerie_banon";
47 WorkingDirectory = "%S/cryptpad/ressourcerie_banon";
48 };
49 };
50 services.websites.env.production.modules = [ "proxy_wstunnel" ];
51 services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = {
52 certName = "ressourcerie_banon";
53 addToCerts = true;
54 hosts = [domain];
55 root = "${pkgs.cryptpad}/lib/node_modules/cryptpad";
56 extraConfig = [
57 ''
58 RewriteEngine On
59
60 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
61 Header set X-XSS-Protection "1; mode=block"
62 Header set X-Content-Type-Options "nosniff"
63 Header set Access-Control-Allow-Origin "*"
64 Header set Permissions-Policy "interest-cohort=()"
65
66 Header set Cross-Origin-Resource-Policy "cross-origin"
67 <If "%{REQUEST_URI} =~ m#^/(sheet|presentation|doc)/.*$#">
68 Header set Cross-Origin-Opener-Policy "same-origin"
69 </If>
70 Header set Cross-Origin-Embedder-Policy "require-corp"
71
72 ErrorDocument 404 /customize.dist/404.html
73
74 <If "%{QUERY_STRING} =~ m#ver=.*?#">
75 Header set Cache-Control "max-age=31536000"
76 </If>
77 <If "%{REQUEST_URI} =~ m#^/.*(\/|\.html)$#">
78 Header set Cache-Control "no-cache"
79 </If>
80
81 SetEnv styleSrc "'unsafe-inline' 'self' ${domain}"
82 SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}"
83 SetEnv fontSrc "'self' data: ${domain}"
84 SetEnv imgSrc "'self' data: * blob: ${domain}"
85 SetEnv frameSrc "'self' blob:"
86 SetEnv mediaSrc "'self' data: * blob: ${domain}"
87 SetEnv childSrc "https://${domain}"
88 SetEnv workerSrc "https://${domain}"
89 SetEnv scriptSrc "'self' resource: ${domain}"
90
91 Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;"
92
93 RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
94 RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
95 RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L]
96
97 RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L]
98
99 ProxyPassMatch "^/(api/(config|broadcast).*)$" "http://localhost:${toString port}/$1"
100 ProxyPassReverse /api http://localhost:${toString port}/api
101 ProxyPreserveHost On
102 RequestHeader set X-Real-IP %{REMOTE_ADDR}s
103
104 <LocationMatch /blob/>
105 Header set Cache-Control "max-age=31536000"
106 Header set Access-Control-Allow-Origin "*"
107 Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
108 Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
109 Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
110
111 RewriteCond %{REQUEST_METHOD} OPTIONS
112 RewriteRule ^(.*)$ $1 [R=204,L]
113 </LocationMatch>
114
115 <LocationMatch /block/>
116 Header set Cache-Control "max-age=0"
117 </locationMatch>
118
119 RewriteRule ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ $1/ [R=302,L]
120
121 RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f
122 RewriteRule (.*) /www/$1 [L]
123
124 RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f
125 RewriteRule (.*) /www/$1/index.html [L]
126
127 RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f
128 RewriteRule (.*) /customize.dist/$1 [L]
129
130 <Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/www>
131 AllowOverride None
132 Require all granted
133 DirectoryIndex index.html
134 </Directory>
135 <Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/customize.dist>
136 AllowOverride None
137 Require all granted
138 DirectoryIndex index.html
139 </Directory>
140 ''
141 ];
142 };
143 };
144 }
My infrastructure configuration