{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # Deployment-specific settings for this instance (taken from myconfig);
  # handed to the package and used again below for the redirect map.
  etherpadEnv = myconfig.env.tools.etherpad-lite;

  # Etherpad-lite package built from the local derivation. The attribute
  # set it returns provides `keys`, `webappDir` and `listenPort`, which are
  # consumed in the module body.
  etherpad = pkgs.callPackage ./etherpad_lite.nix {
    inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
    env = etherpadEnv;
  };

  cfg = config.services.myWebsites.tools.etherpad-lite;

  # Runtime settings file plus the two extra secret files the service needs
  # to be able to read; all three are re-owned to the service user on start.
  settingsFile = "/var/secrets/webapps/tools-etherpad";
  secretFiles = [
    settingsFile
    "/var/secrets/webapps/tools-etherpad-sessionkey"
    "/var/secrets/webapps/tools-etherpad-apikey"
  ];

  serviceUser = "etherpad-lite";

  # Loopback backend the reverse proxy forwards to (HTTP and WebSocket).
  backend = "localhost:${etherpad.listenPort}";

  # Static redirect table (old path -> destination) consulted by mod_rewrite.
  redirectsMap = pkgs.writeText "redirects.txt" etherpadEnv.redirects;

  # Apache vhost fragment: HSTS, the redirect map, WebSocket upgrade
  # forwarding and the plain HTTP reverse proxy to the etherpad process.
  vhostFragment = ''
    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    RequestHeader set X-Forwarded-Proto "https"

    RewriteEngine On

    RewriteMap redirects "txt:${redirectsMap}"
    RewriteCond %{QUERY_STRING} "!noredirect"
    RewriteCond %{REQUEST_URI} "^(.*)$"
    RewriteCond ''${redirects:$1|Unknown} "!Unknown"
    RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

    RewriteCond %{REQUEST_URI} ^/socket.io [NC]
    RewriteCond %{QUERY_STRING} transport=websocket [NC]
    RewriteRule /(.*) ws://${backend}/$1 [P,L]

    <IfModule mod_proxy.c>
      ProxyVia On
      ProxyRequests Off
      ProxyPreserveHost On
      ProxyPass / http://${backend}/
      ProxyPassReverse / http://${backend}/
      <Proxy *>
        Options FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
      </Proxy>
    </IfModule>
  '';
in
{
  options.services.myWebsites.tools.etherpad-lite.enable =
    lib.mkEnableOption "enable etherpad's website";

  config = lib.mkIf cfg.enable {
    # Secret material the package declares; deployed by the mySecrets module.
    mySecrets.keys = etherpad.keys;

    systemd.services.etherpad-lite = {
      description = "Etherpad-lite";
      wantedBy = [ "multi-user.target" ];
      # Needs the database up; a missing postgresql only delays, not blocks.
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      environment = {
        NODE_ENV = "production";
        HOME = etherpad.webappDir;
      };

      path = [ pkgs.nodejs ];

      script = ''
        exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
          --settings ${settingsFile}
      '';

      serviceConfig = {
        Type = "simple";
        Restart = "always";
        TimeoutSec = 60;

        # Runtime-allocated uid/gid under the given names; "keys" grants
        # access to the deployed secrets.
        DynamicUser = true;
        User = serviceUser;
        Group = serviceUser;
        SupplementaryGroups = "keys";
        WorkingDirectory = etherpad.webappDir;

        # Sandboxing.
        PrivateTmp = true;
        PrivateDevices = true;
        NoNewPrivileges = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;

        # The leading "+" runs this step with full privileges so the secret
        # files can be re-owned to the (dynamic) service user before start.
        ExecStartPre =
          "+${pkgs.coreutils}/bin/chown -R ${serviceUser}:${serviceUser} ${lib.concatStringsSep " " secretFiles}";
      };
    };

    # Apache modules required by the vhost fragment above.
    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];

    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;

    services.myWebsites.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      hosts = [ "ether.immae.eu" ];
      # Pure reverse proxy: no document root.
      root = null;
      extraConfig = [ vhostFragment ];
    };
  };
}