[perso/Immae/Config/Nix.git] / nixops / modules / websites / tools / ether / default.nix

{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  etherpad = pkgs.callPackage ./etherpad_lite.nix {
    inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
    env = myconfig.env.tools.etherpad-lite;
  };

  varDir = etherpad.webappDir.varDir;
  cfg = config.services.myWebsites.tools.etherpad-lite;
in {
  options.services.myWebsites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    mySecrets.keys = etherpad.keys;
    systemd.services.etherpad-lite = {
      description = "Etherpad-lite";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      environment.NODE_ENV = "production";
      environment.HOME = etherpad.webappDir;

      path = [ pkgs.nodejs ];

      script = ''
        exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
          --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
          --apikey /var/secrets/webapps/tools-etherpad-apikey \
          --settings /var/secrets/webapps/tools-etherpad
      '';

      serviceConfig = {
        DynamicUser = true;
        User = "etherpad-lite";
        Group = "etherpad-lite";
        SupplementaryGroups = "keys";
        WorkingDirectory = etherpad.webappDir;
        PrivateTmp = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        Restart = "always";
        Type = "simple";
        TimeoutSec = 60;
        # Use ReadWritePaths= instead if varDir is outside of /var/lib
        StateDirectory="etherpad-lite";
        ExecStartPre = [
          "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
          "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
        ];
      };
    };

    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
    services.myWebsites.tools.vhostConfs.etherpad-lite = {
      certName    = "eldiron";
      hosts       = [ "ether.immae.eu" ];
      root        = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap  redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING}         "!noredirect"
        RewriteCond %{REQUEST_URI}          "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$"                ''${redirects:$1}  [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
        RewriteRule /(.*)           ws://localhost:${etherpad.listenPort}/$1 [P,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass         / http://localhost:${etherpad.listenPort}/
          ProxyPassReverse  / http://localhost:${etherpad.listenPort}/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}