git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/websites/tools/ether/default.nix
# NixOS module for the Etherpad instance served at ether.immae.eu.
# It renders Etherpad's settings and key files as secrets, enables the
# etherpad-lite service with its plugin set, and declares the Apache vhost
# that reverse-proxies to the service's unix socket.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.websites.tools.etherpad-lite;
  env = config.myEnv.tools.etherpad-lite;
  ecfg = config.services.etherpad-lite;

  # LibreOffice is taken from a plain <nixpkgs> import with no overlays, so
  # that a changed dependency does not trigger a full LibreOffice rebuild.
  # NOTE(review): <nixpkgs> is resolved through NIX_PATH, so this package
  # follows whatever that points to rather than the `pkgs` argument; confirm
  # it is pinned and receives security updates.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;

  # Public host name and backend socket shared by the vhost directives below.
  host = "ether.immae.eu";
  backend = "unix://${ecfg.sockets.node}";

  # Every secret of this module is declared with mode 0400.
  mkSecret = text: { permissions = "0400"; inherit text; };
  # Path at which the secrets module exposes the secret called `name`.
  secretPath = name: config.secrets.fullPaths.${name};
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    secrets.keys = {
      "webapps/tools-etherpad-apikey" = mkSecret env.api_key;
      "webapps/tools-etherpad-sessionkey" = mkSecret env.session_key;

      # Etherpad settings file. It embeds the PostgreSQL password, the admin
      # password and the LDAP bind password in clear text, which is why it is
      # declared as a secret rather than as a store file.
      # NOTE(review): the env.* values are spliced into JSON string literals
      #   without escaping; a value containing `"` or `\` would yield invalid
      #   JSON. If the values are not already JSON-escaped, builtins.toJSON
      #   would make this robust.
      # NOTE(review): whether this text is kept out of the world-readable Nix
      #   store depends on how the secrets module materializes `text`; confirm.
      # NOTE(review): requireAuthentication and requireAuthorization are
      #   false, so pads are open to anyone who can reach the vhost;
      #   presumably only the "admin" password gates the admin pages.
      # NOTE(review): allowUnknownFileEnds is true and soffice is configured,
      #   so imported documents from untrusted users may be handed to
      #   LibreOffice in the service's context; consider restricting import
      #   types or hardening the unit.
      # NOTE(review): trustProxy is false although Apache sits in front and
      #   sets X-Forwarded-Proto; confirm the effect on cookie flags and on
      #   the client addresses logged (disableIPlogging is false).
      "webapps/tools-etherpad" = mkSecret ''
        {
          "title": "Etherpad",
          "favicon": "favicon.ico",
          "skinName": "colibris",
          "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

          "ip": "",
          "port" : "${ecfg.sockets.node}",
          "showSettingsInAdminPage" : false,
          "dbType" : "postgres",
          "dbSettings" : {
            "user" : "${env.postgresql.user}",
            "host" : "${env.postgresql.socket}",
            "password": "${env.postgresql.password}",
            "database": "${env.postgresql.database}",
            "charset" : "utf8mb4"
          },

          "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
          "padOptions": {
            "noColors": false,
            "showControls": true,
            "showChat": true,
            "showLineNumbers": true,
            "useMonospaceFont": false,
            "userName": false,
            "userColor": false,
            "rtl": false,
            "alwaysShowChat": false,
            "chatAndUsers": false,
            "lang": "fr"
          },

          "suppressErrorsInPadText" : false,
          "requireSession" : false,
          "editOnly" : false,
          "sessionNoPassword" : false,
          "minify" : true,
          "maxAge" : 21600,
          "abiword" : null,
          "soffice" : "${libreoffice}/bin/soffice",
          "tidyHtml" : "",
          "allowUnknownFileEnds" : true,
          "requireAuthentication" : false,
          "requireAuthorization" : false,
          "trustProxy" : false,
          "disableIPlogging" : false,
          "automaticReconnectionTimeout" : 0,
          "scrollWhenFocusLineIsOutOfViewport": {
            "percentage": {
              "editionAboveViewport": 0,
              "editionBelowViewport": 0
            },
            "duration": 0,
            "scrollWhenCaretIsInTheLastLineOfViewport": false,
            "percentageToScrollWhenUserPressesArrowUp": 0
          },
          "users": {
            "admin": {
              "password": "${env.adminPassword}",
              "is_admin": true
            },
            "ldapauth": {
              "hash": "invalid",
              "url": "ldaps://${env.ldap.host}",
              "accountBase": "${env.ldap.base}",
              "accountPattern": "${env.ldap.filter}",
              "displayNameAttribute": "cn",
              "searchDN": "${env.ldap.dn}",
              "searchPWD": "${env.ldap.password}",
              "groupSearchBase": "${env.ldap.base}",
              "groupAttribute": "member",
              "groupAttributeIsDN": true,
              "searchScope": "sub",
              "groupSearch": "${env.ldap.group_filter}",
              "anonymousReadonly": false
            }
          },
          "ep_mypads": {
            "warning": "This hash is stored in database, changing anything here will not have any consequence",
            "ldap": {
              "url": "ldaps://${env.ldap.host}",
              "bindDN": "${env.ldap.dn}",
              "bindCredentials": "${env.ldap.password}",
              "searchBase": "${env.ldap.base}",
              "searchFilter": "${env.ldap.filter}",
              "properties": {
                "login": "uid",
                "email": "mail",
                "firstname": "givenName",
                "lastname": "sn"
              },
              "defaultLang": "fr"
            }
          },
          "ep_comments_page": {
            "displayCommentAsIcon": true,
            "highlightSelectedText": true
          },
          "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
          "loadTest": false,
          "indentationOnNewLine": false,
          "toolbar": {
            "left": [
              ["bold", "italic", "underline", "strikethrough"],
              ["orderedlist", "unorderedlist", "indent", "outdent"],
              ["undo", "redo"],
              ["clearauthorship"]
            ],
            "right": [
              ["importexport", "timeslider", "savedrevision"],
              ["settings", "embed"],
              ["showusers"]
            ],
            "timeslider": [
              ["timeslider_export", "timeslider_returnToPad"]
            ]
          },
          "loglevel": "INFO",
          "logconfig" : { "appenders": [ { "type": "console" } ] }
        }
      '';
    };

    services.etherpad-lite = {
      enable = true;
      # Plugins are baked into the package; `modules` is therefore left empty.
      package = pkgs.webapps.etherpad-lite.withModules (p: [
        p.ep_align
        p.ep_bookmark
        p.ep_colors
        p.ep_comments_page
        p.ep_cursortrace
        p.ep_delete_empty_pads
        p.ep_embedmedia
        p.ep_font_size
        p.ep_headings2
        p.ep_immae_buttons
        p.ep_ldapauth
        p.ep_line_height
        p.ep_markdown
        p.ep_mypads
        p.ep_page_view
        p.ep_previewimages
        p.ep_ruler
        p.ep_scrollto
        p.ep_set_title_on_pad
        p.ep_subscript_and_superscript
        p.ep_timesliderdiff
      ]);
      modules = [];
      # The service reads its keys and settings from the secret files above.
      sessionKeyFile = secretPath "webapps/tools-etherpad-sessionkey";
      apiKeyFile = secretPath "webapps/tools-etherpad-apikey";
      configFile = secretPath "webapps/tools-etherpad";
    };

    systemd.services.etherpad-lite = {
      # Presumably the group that may read the secret files; confirm against
      # the secrets module.
      serviceConfig.SupplementaryGroups = "keys";
      # Listed here so that both packages end up in the service's closure.
      path = [ libreoffice pkgs.html-tidy ];
    };

    # Presumably restarts the service when one of its secret files changes.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers"
      "proxy"
      "proxy_http"
      "proxy_wstunnel"
    ];

    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ host ];
      root = null;
      # Apache directives for the vhost:
      #  - HSTS for one year, subdomains included;
      #  - X-Forwarded-Proto is overwritten with "https", so a value supplied
      #    by the client never reaches the backend;
      #  - paths found in the redirects map are answered with a 301 unless
      #    the query string contains "noredirect";
      #  - websocket requests under /socket.io go to the unix socket over ws,
      #    everything else over http;
      #  - ProxyRequests Off keeps Apache from acting as a forward proxy.
      # NOTE(review): `ProxyVia On` adds a Via header to proxied traffic;
      #   check whether disclosing the proxy host that way is wanted.
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" env.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) ${backend}|ws://${host}/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / ${backend}|http://${host}/
          ProxyPassReverse / ${backend}|http://${host}/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}