git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/websites/tools/ether/default.nix
Use attrs for secrets instead of lists
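# NixOS module for the Etherpad Lite instance served at ether.immae.eu.
#
# It declares one option (`myServices.websites.tools.etherpad-lite.enable`)
# and, when enabled, sets up: a backup profile, three secret files (API key,
# session key, settings.json), the etherpad-lite service with its plugins,
# a file watcher that restarts the service when a secret changes, and the
# Apache vhost that reverse-proxies to the service's unix socket.
{ lib, pkgs, config, ... }:
let
  env = config.myEnv.tools.etherpad-lite;
  cfg = config.myServices.websites.tools.etherpad-lite;
  # Make sure we're not rebuilding whole libreoffice just because of a
  # dependency
  # NOTE(review): `<nixpkgs>` is looked up on the evaluator's search path, so
  # the LibreOffice version is not pinned by this file; confirm the channel
  # used here is kept up to date, since this binary converts uploaded
  # documents.
  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
  ecfg = config.services.etherpad-lite;
  # Renders a Nix string as a quoted, escaped JSON string literal. Used for
  # every env value that fills a whole JSON string in settings.json, so a
  # `"` or `\` in a password, DN or LDAP filter cannot break out of the
  # string and alter the generated configuration.
  json = builtins.toJSON;
in {
  options.myServices.websites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.etherpad-lite = {
      rootDir = "/var/lib/private/etherpad-lite";
    };

    # NOTE(review): whether these values stay out of the world-readable Nix
    # store depends on how `secrets.keys` is implemented, which is not
    # visible in this file; confirm before relying on the 0400 mode alone.
    secrets.keys = {
      "webapps/tools-etherpad-apikey" = {
        permissions = "0400";
        text = env.api_key;
      };
      "webapps/tools-etherpad-sessionkey" = {
        permissions = "0400";
        text = env.session_key;
      };
      "webapps/tools-etherpad" = {
        permissions = "0400";
        # settings.json for Etherpad. It embeds the database password, the
        # admin password and the LDAP bind password in clear text, hence the
        # owner-only mode above.
        #
        # NOTE(review), security-relevant values below:
        #  - "trustProxy" is false although the vhost further down
        #    reverse-proxies over TLS. Etherpad's settings documentation
        #    asks for true behind a TLS-terminating proxy, otherwise cookies
        #    are not flagged "secure" and, with "disableIPlogging" false,
        #    the logged address is presumably the proxy's. Confirm.
        #  - "requireAuthentication" and "requireAuthorization" are false:
        #    core Etherpad does not demand a login, so access control is
        #    left to the plugins (ep_mypads, ep_ldapauth). Confirm intended.
        #  - "allowUnknownFileEnds" is true and "soffice" is set: imports
        #    with unrecognised extensions are accepted and uploaded files
        #    can be handed to LibreOffice for conversion. Consider false
        #    unless the feature is needed.
        text = ''
          {
            "title": "Etherpad",
            "favicon": "favicon.ico",
            "skinName": "colibris",
            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",

            "ip": "",
            "port" : "${ecfg.sockets.node}",
            "showSettingsInAdminPage" : false,
            "dbType" : "postgres",
            "dbSettings" : {
              "user" : ${json env.postgresql.user},
              "host" : ${json env.postgresql.socket},
              "password": ${json env.postgresql.password},
              "database": ${json env.postgresql.database},
              "charset" : "utf8mb4"
            },

            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
            "padOptions": {
              "noColors": false,
              "showControls": true,
              "showChat": true,
              "showLineNumbers": true,
              "useMonospaceFont": false,
              "userName": false,
              "userColor": false,
              "rtl": false,
              "alwaysShowChat": false,
              "chatAndUsers": false,
              "lang": "fr"
            },

            "suppressErrorsInPadText" : false,
            "requireSession" : false,
            "editOnly" : false,
            "sessionNoPassword" : false,
            "minify" : true,
            "maxAge" : 21600,
            "abiword" : null,
            "soffice" : "${libreoffice}/bin/soffice",
            "tidyHtml" : "",
            "allowUnknownFileEnds" : true,
            "requireAuthentication" : false,
            "requireAuthorization" : false,
            "trustProxy" : false,
            "disableIPlogging" : false,
            "automaticReconnectionTimeout" : 0,
            "scrollWhenFocusLineIsOutOfViewport": {
              "percentage": {
                "editionAboveViewport": 0,
                "editionBelowViewport": 0
              },
              "duration": 0,
              "scrollWhenCaretIsInTheLastLineOfViewport": false,
              "percentageToScrollWhenUserPressesArrowUp": 0
            },
            "users": {
              "admin": {
                "password": ${json env.adminPassword},
                "is_admin": true
              },
              "ldapauth": {
                "hash": "invalid",
                "url": "ldaps://${env.ldap.host}",
                "accountBase": ${json env.ldap.base},
                "accountPattern": ${json env.ldap.filter},
                "displayNameAttribute": "cn",
                "searchDN": ${json env.ldap.dn},
                "searchPWD": ${json env.ldap.password},
                "groupSearchBase": ${json env.ldap.base},
                "groupAttribute": "member",
                "groupAttributeIsDN": true,
                "searchScope": "sub",
                "groupSearch": ${json env.ldap.group_filter},
                "anonymousReadonly": false
              }
            },
            "ep_mypads": {
              "warning": "This hash is stored in database, changing anything here will not have any consequence",
              "ldap": {
                "url": "ldaps://${env.ldap.host}",
                "bindDN": ${json env.ldap.dn},
                "bindCredentials": ${json env.ldap.password},
                "searchBase": ${json env.ldap.base},
                "searchFilter": ${json env.ldap.filter},
                "properties": {
                  "login": "uid",
                  "email": "mail",
                  "firstname": "givenName",
                  "lastname": "sn"
                },
                "defaultLang": "fr"
              }
            },
            "ep_comments_page": {
              "displayCommentAsIcon": true,
              "highlightSelectedText": true
            },
            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
            "loadTest": false,
            "indentationOnNewLine": false,
            "toolbar": {
              "left": [
                ["bold", "italic", "underline", "strikethrough"],
                ["orderedlist", "unorderedlist", "indent", "outdent"],
                ["undo", "redo"],
                ["clearauthorship"]
              ],
              "right": [
                ["importexport", "timeslider", "savedrevision"],
                ["settings", "embed"],
                ["showusers"]
              ],
              "timeslider": [
                ["timeslider_export", "timeslider_returnToPad"]
              ]
            },
            "loglevel": "INFO",
            "logconfig" : { "appenders": [ { "type": "console" } ] }
          }
        '';
      };
    };

    services.etherpad-lite = {
      enable = true;
      package = pkgs.webapps.etherpad-lite.withModules (p: [
        p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
        p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
        p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
        p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
        p.ep_previewimages p.ep_ruler p.ep_scrollto
        p.ep_set_title_on_pad p.ep_subscript_and_superscript
        p.ep_timesliderdiff
      ]);
      modules = [];
      # The service reads its keys and settings from the secret files
      # declared above rather than from values written in this module.
      sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
      apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
      configFile = config.secrets.fullPaths."webapps/tools-etherpad";
    };

    # NOTE(review): presumably needed to reach the secrets directory; the
    # key files themselves are 0400, so their owner must be the service
    # user. Verify against the secrets module.
    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
    # Needed so that they get in the closure
    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];

    # Restart Etherpad whenever one of its secret files changes.
    services.filesWatcher.etherpad-lite = {
      restart = true;
      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
    };

    services.websites.env.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    # Apache vhost: sets HSTS, applies the configured redirect map, tunnels
    # websocket requests and proxies everything else to the unix socket.
    # ProxyRequests is Off, so the `<Proxy *>` grant applies to this reverse
    # proxy only and does not open a forward proxy.
    services.websites.env.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" config.myEnv.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}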