[perso/Immae/Config/Nix.git] / modules / private / websites / tools / ether / default.nix
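# NixOS module for the Etherpad Lite instance behind ether.immae.eu.
#
# When enabled it declares three secret files (API key, session key and the
# Etherpad settings JSON), points services.etherpad-lite at them, restarts the
# service when they change, and adds an Apache virtual host that proxies to
# Etherpad over the unix socket `services.etherpad-lite.sockets.node`.
{ lib, pkgs, config, myconfig, ... }:
let
  env = myconfig.env.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): <nixpkgs> is looked up on NIX_PATH and imported without
  # overlays, so this soffice binary comes from a package set that is
  # independent of the `pkgs` argument. It parses user-supplied documents;
  # confirm that channel is kept patched.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # Secret files, each declared with mode 0400.
    # NOTE(review): no owner is set here and the unit below only gains the
    # `keys` supplementary group; confirm which user ends up owning the files.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        # Etherpad settings JSON. It embeds the PostgreSQL and LDAP bind
        # passwords. Both are emitted through builtins.toJSON so that a quote
        # or backslash in a password cannot break the file or change its
        # structure; the other interpolated values are still inserted raw.
        #
        # NOTE(review), settings a practitioner would want to confirm:
        #  - requireAuthentication / requireAuthorization are false, so pads
        #    are reachable without logging in; the users.ldapauth block
        #    presumably only applies where Etherpad itself asks for
        #    credentials (e.g. the admin pages).
        #  - allowUnknownFileEnds is true while soffice and tidy are
        #    configured: imports with any file extension are accepted and
        #    handed to those converters.
        #  - trustProxy is false although the service is only reached through
        #    the Apache proxy below; Etherpad's documentation asks for true
        #    behind a TLS-terminating proxy (cookie Secure flag, client
        #    addresses in logs; disableIPlogging is false).
        #  - socketTransportProtocols does not list "websocket", while the
        #    vhost carries a websocket tunnel rule.
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": ${builtins.toJSON env.postgresql.password},
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "en-gb"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
                "displayNameAttribute": "cn",
                "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
                "searchPWD": ${builtins.toJSON env.ldap.password},
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
                "anonymousReadonly": false
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    # The service reads its keys and settings from the secret files above.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # Presumably what lets the unit reach files under /var/secrets; confirm.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";

    # Watch the three secret files and restart the service when they change.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    # Apache modules used by the vhost below (headers, HTTP proxy and
    # websocket tunnel).
    services.websites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Virtual host for ether.immae.eu:
    #  - sends HSTS (one year, subdomains included) and sets
    #    X-Forwarded-Proto to "https" on proxied requests;
    #  - 301-redirects any path found in the redirects map, unless the query
    #    string contains "noredirect". The map is written with pkgs.writeText,
    #    i.e. into the Nix store, so it should not hold anything private;
    #  - tunnels /socket.io websocket requests to the Etherpad unix socket;
    #  - proxies everything else to the same socket over HTTP.
    # ProxyRequests is Off, so the `<Proxy *>` grant covers only this reverse
    # proxy and does not open a forward proxy.
    services.websites.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}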