Add mypads to etherpad
[perso/Immae/Config/Nix.git] / modules / private / websites / tools / ether / default.nix
# NixOS module for the Etherpad instance served at ether.immae.eu: it renders
# Etherpad's settings and keys as secret files, points services.etherpad-lite
# at them, and publishes the service through an Apache reverse-proxy vhost.
{ lib, pkgs, config, ... }:
let
  # Deployment-specific values (API/session keys, PostgreSQL and LDAP
  # parameters, admin password, redirect map).
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we’re not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): <nixpkgs> is looked up through NIX_PATH at evaluation time,
  # so this LibreOffice comes from whatever that path points to rather than
  # from the `pkgs` argument; pin it if the converter's version has to be
  # reproducible and auditable.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  # Everything below is applied only when the option above is enabled.
  config = lib.mkIf cfg.enable {
    # Backup profile rooted at the service's directory under /var/lib/private.
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };
    # Three secret files, each declared with mode 0400; services.etherpad-lite
    # below reads them back from /var/secrets/<dest>.
    # NOTE(review): the secrets module is not visible here — confirm that it
    # writes `text` outside the world-readable Nix store, since every value
    # interpolated below is a live credential.
    secrets.keys = [
      {
        dest = "webapps/tools-etherpad-apikey";
        permissions = "0400";
        text = env.api_key;
      }
      {
        dest = "webapps/tools-etherpad-sessionkey";
        permissions = "0400";
        text = env.session_key;
      }
      {
        # Etherpad settings file. It carries the PostgreSQL password, the
        # admin password and the LDAP bind password in clear text.
        # "showSettingsInAdminPage": false keeps the admin UI from displaying
        # this file.
        #
        # Review notes on the values below (all hedged against upstream
        # Etherpad documentation; verify for the deployed version):
        # - "trustProxy" is false although the vhost terminates TLS and sets
        #   X-Forwarded-Proto. Upstream documents trustProxy as the switch
        #   that gives session cookies the Secure flag behind a TLS-terminating
        #   proxy and makes logs show the client address instead of the
        #   proxy's. If it is turned on, have Apache drop any client-supplied
        #   X-Forwarded-For first, otherwise logged addresses can be forged.
        # - "requireAuthentication" and "requireAuthorization" are both false,
        #   so Etherpad itself does not force a login before pad access;
        #   confirm this is intended alongside ep_mypads.
        # - "allowUnknownFileEnds" is true and "soffice" is set, so imports of
        #   arbitrary file types from users are presumably handed to
        #   LibreOffice for conversion. Treat that converter as parsing
        #   untrusted input: keep it patched and confined, or restrict imports
        #   to the supported extensions.
        # - The "users.admin" password is stored as plain text in this file.
        # - Per the "ep_mypads.warning" text, the ep_mypads block is stored in
        #   the database; rotating env.ldap.password therefore presumably
        #   also has to be applied to the copy held there.
        dest = "webapps/tools-etherpad";
        permissions = "0400";
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : "${env.postgresql.user}",
              "host" : "${env.postgresql.socket}",
              "password": "${env.postgresql.password}",
              "database": "${env.postgresql.database}",
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "admin": {
                "password": "${env.adminPassword}",
                "is_admin": true
              },
              "ldapauth": {
                "hash": "invalid",
                "url": "ldaps://${env.ldap.host}",
                "accountBase": "${env.ldap.base}",
                "accountPattern": "${env.ldap.filter}",
                "displayNameAttribute": "cn",
                "searchDN": "${env.ldap.dn}",
                "searchPWD": "${env.ldap.password}",
                "groupSearchBase": "${env.ldap.base}",
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": "${env.ldap.group_filter}",
                "anonymousReadonly": false
              }
            },
            "ep_mypads": {
              "warning": "This hash is stored in database, changing anything here will not have any consequence",
              "ldap": {
                "url": "ldaps://${env.ldap.host}",
                "bindDN": "${env.ldap.dn}",
                "bindCredentials": "${env.ldap.password}",
                "searchBase": "${env.ldap.base}",
                "searchFilter": "${env.ldap.filter}",
                "properties": {
                  "login": "uid",
                  "email": "mail",
                  "firstname": "givenName",
                  "lastname": "sn"
                },
                "defaultLang": "fr"
              }
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      }
    ];
    # Point the Etherpad service at the three secret files declared above and
    # load every packaged Etherpad plugin.
    services.etherpad-lite = {
      enable = true;
      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
      configFile = "/var/secrets/webapps/tools-etherpad";
    };

    # NOTE(review): the secret files are mode 0400, so membership in `keys`
    # alone does not grant read access to them; presumably the group is needed
    # to traverse /var/secrets and file ownership is set by the secrets
    # module — confirm the service user can read exactly these three files
    # and nothing else under /var/secrets.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Watch the three secret files with restart = true; presumably this
    # restarts etherpad-lite when a key or the settings file changes.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    # Apache modules required by the vhost below.
    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Reverse-proxy vhost for ether.immae.eu.
    # - Sends HSTS on every response and tells the backend the original
    #   scheme was https (see the trustProxy note on the settings file: the
    #   backend only honours that header when it trusts the proxy).
    # - The redirect map is generated with pkgs.writeText, so its content ends
    #   up in the Nix store; it should hold no secrets. `''${...}` is the Nix
    #   escape that leaves a literal ${redirects:...} lookup for Apache.
    # - WebSocket upgrades under /socket.io and all other requests are
    #   forwarded to Etherpad's unix socket.
    # - `ProxyRequests Off` keeps this a reverse proxy only, so the
    #   `Require all granted` inside <Proxy *> applies to the proxied
    #   backend and does not open a forward proxy.
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}