Upgrade etherpad-lite
[perso/Immae/Config/Nix.git] / modules / private / websites / tools / ether / default.nix
# NixOS module: when myServices.websites.tools.etherpad-lite.enable is set, it
# declares the secret files holding Etherpad's keys and settings, enables
# services.etherpad-lite with them, and publishes the instance on
# ether.immae.eu through an Apache vhost that proxies to Etherpad's socket.
{ lib, pkgs, config, ... }:
let
  # Deployment-specific values (API/session keys, PostgreSQL and LDAP
  # parameters, redirects) come from config.myEnv.
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we're not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): <nixpkgs> is looked up on NIX_PATH at evaluation time and is
  # imported with no overlays, so the LibreOffice version wired in as "soffice"
  # below is whatever that channel currently provides. Confirm the channel is
  # kept up to date, since pads accept imports without authentication.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };
    # Three secret files, each declared with mode 0400: the API key, the
    # session key and the full settings JSON. The /var/secrets/... paths given
    # to services.etherpad-lite further down end with these "dest" values.
    # NOTE(review): whether these texts stay out of the world-readable Nix
    # store depends on the secrets module, which is not shown here - confirm.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        # Etherpad settings file. It embeds the PostgreSQL password and the
        # LDAP bind password, which is why it is shipped as a secret;
        # "showSettingsInAdminPage" is false, so the admin page does not
        # display it either.
        #
        # Points a reviewer should confirm:
        # - Every ${...} value is pasted into a JSON string without escaping.
        #   A double quote or backslash in a password or LDAP filter would
        #   yield invalid or altered JSON; builtins.toJSON on each value would
        #   escape it.
        # - "requireAuthentication" and "requireAuthorization" are both false,
        #   so pads are open to anyone who can reach the vhost. The
        #   "users.ldapauth" section is presumably read by an LDAP plugin from
        #   etherpad-lite-modules - verify what it actually protects.
        # - "allowUnknownFileEnds" is true and "soffice" is set, so imports of
        #   any file extension are accepted; presumably they are handed to
        #   LibreOffice for conversion - verify, given the open access above.
        # - "trustProxy" is false although all traffic arrives through the
        #   Apache proxy below, which sets X-Forwarded-Proto. With
        #   "disableIPlogging" false, the logged address is then likely the
        #   proxy hop rather than the client - confirm this is intended.
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "ldapauth": {
                "hash": "invalid",
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    # The service reads its keys and settings from the secret files declared
    # above instead of taking inline values.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # Adds the "keys" group to the service's supplementary groups; presumably
    # this is what lets it reach the files under /var/secrets - confirm
    # against the secrets module (the files themselves are mode 0400).
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Watches the three secret files with restart = true; presumably the
    # service is restarted when a key or the settings change (the filesWatcher
    # module is not shown here).
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Apache vhost for ether.immae.eu. In order, extraConfig:
    # - sends HSTS for one year, including subdomains;
    # - sets X-Forwarded-Proto to "https" on every proxied request
    #   ("RequestHeader set" replaces any value the client supplied);
    # - issues a 301 to the target found in the "redirects" map for the
    #   requested path, unless the query string contains "noredirect"
    #   (''${ is the Nix escape that emits a literal ${ for Apache);
    # - proxies /socket.io websocket requests, then everything else, to
    #   Etherpad's unix socket.
    # The redirects map is produced with pkgs.writeText, so its content lands
    # in the world-readable Nix store and must not hold anything confidential.
    # "<Proxy *>" is "Require all granted" and ProxyRequests is Off: Apache
    # applies no access control of its own here, so who may read or edit pads
    # is decided entirely by the Etherpad settings above.
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}