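# NixOS module for the Etherpad Lite instance served at ether.immae.eu
# (modules/private/websites/tools/ether/default.nix).
#
# When `myServices.websites.tools.etherpad-lite.enable` is set, it declares:
#   - a backup profile for the service state directory,
#   - three secret files (API key, session key, rendered settings.json),
#   - the etherpad-lite service with its plugin set,
#   - an Apache vhost that reverse-proxies to Etherpad's unix socket.
{ lib, pkgs, config, ... }:
let
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): `<nixpkgs>` is resolved from NIX_PATH at evaluation time
  # rather than from the module's `pkgs`, so the LibreOffice that parses
  # user-supplied documents is whatever revision that path points to.
  # Confirm NIX_PATH is pinned wherever this configuration is built.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    # mkEnableOption already prefixes the text with "Whether to enable",
    # so the argument must not repeat "enable".
    enable = lib.mkEnableOption "etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    # Backs up the service state directory only; pad data is stored in
    # PostgreSQL (see "dbType" below), which this path does not include.
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };

    # Secret material, each rendered to its own file with mode 0400.
    # NOTE(review): the values are interpolated at evaluation time; confirm
    # that the `secrets` module keeps the rendered text out of the
    # world-readable Nix store. Owner and group are not set here, so the
    # module's defaults decide who can read a 0400 file.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      # Rendered Etherpad settings.json. It embeds, in clear text, the
      # PostgreSQL password, the Etherpad admin password and the LDAP bind
      # password, which is why it is handled as a secret.
      #
      # Security-relevant settings in the JSON below (the JSON itself is
      # runtime data and is left untouched):
      #   - "showSettingsInAdminPage": false keeps this file, secrets
      #     included, from being displayed in the /admin settings page.
      #   - "requireAuthentication" / "requireAuthorization": false means
      #     Etherpad core does not gate pad access behind a login.
      #   - "trustProxy": false although the vhost below terminates TLS and
      #     sets X-Forwarded-Proto. Etherpad's settings template says to
      #     enable it behind a TLS-terminating proxy, otherwise cookies are
      #     issued without the Secure flag. NOTE(review): if it is enabled,
      #     make sure the proxy overwrites client-supplied X-Forwarded-For,
      #     because "disableIPlogging": false means addresses are logged.
      #   - "allowUnknownFileEnds": true together with "soffice" means
      #     imported files of any extension are accepted and LibreOffice
      #     converts user-supplied documents as the service user.
      #   - Both LDAP blocks use ldaps:// and the same bind DN/password; per
      #     the embedded "warning" string, the ep_mypads block is stored in
      #     the database as well.
      {
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "admin": {
                "password": "${env.adminPassword}",
                "is_admin": true
              },
              "ldapauth": {
                "hash": "invalid",
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "ep_mypads": {
              "warning": "This hash is stored in database, changing anything here will not have any consequence",
              "ldap": {
                "url": "ldaps://${env.ldap.host}",
                "bindDN": "${env.ldap.dn}",
                "bindCredentials": "${env.ldap.password}",
                "searchBase": "${env.ldap.base}",
                "searchFilter": "${env.ldap.filter}",
                "properties": {
                  "login": "uid",
                  "email": "mail",
                  "firstname": "givenName",
                  "lastname": "sn"
                },
                "defaultLang": "fr"
              }
            },
            "ep_comments_page": {
              "displayCommentAsIcon": true,
              "highlightSelectedText": true
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];

    # The service reads its keys and settings from the secret files declared
    # above instead of taking inline values.
    services.etherpad-lite = {
      enable = true;
      # Every plugin listed here runs inside the Etherpad process, so each
      # one is part of the instance's trusted code base.
      package = pkgs.webapps.etherpad-lite.withModules (p: [
        p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
        p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
        p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
        p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
        p.ep_previewimages p.ep_ruler p.ep_scrollto
        p.ep_set_title_on_pad p.ep_subscript_and_superscript
        p.ep_timesliderdiff
      ]);
      modules = [];
      sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
      apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
      configFile = config.secrets.fullPaths."webapps/tools-etherpad";
    };

    # Adds the unit to the `keys` group, presumably so it can reach the
    # secrets directory. NOTE(review): the files themselves are mode 0400,
    # so group membership alone does not grant read access to them.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Watches the three secret files with `restart = true`, presumably so a
    # rotated key or changed setting restarts Etherpad (the filesWatcher
    # module is not shown here).
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Apache vhost in front of Etherpad's unix socket.
    #   - HSTS is sent for one year and covers subdomains of the host.
    #   - `RequestHeader set` replaces any client-supplied X-Forwarded-Proto;
    #     Etherpad only honours it when "trustProxy" is true (see above).
    #   - The redirect map is built with pkgs.writeText, so it lives in the
    #     world-readable Nix store and must not contain anything secret.
    #     The request URI only selects a map entry; the redirect target
    #     always comes from the map.
    #   - `ProxyRequests Off` keeps Apache from acting as a forward proxy, so
    #     the `Require all granted` in `<Proxy *>` applies to the
    #     reverse-proxied backend only.
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" env.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}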