# NixOS module that wires an Etherpad-lite instance into the "tools" website
# set. The webapp is built by ./etherpad_lite.nix and its per-environment
# values come from myconfig.env.tools.etherpad-lite.
1 { lib, pkgs, config, myconfig, mylibs, ... }:
3 etherpad = pkgs.callPackage ./etherpad_lite.nix {
4 inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
# NOTE(review): env presumably carries the credentials that end up in
# etherpad.keys. Confirm the package expression only renders them into the
# secret files under /var/secrets and never into a derivation, because the
# Nix store is world-readable.
5 env = myconfig.env.tools.etherpad-lite;
# Mutable state directory exposed by the package; its ownership is reset to
# the service account before every start (see the chown entry in the unit).
8 varDir = etherpad.webappDir.varDir;
# Shorthand for this module's own option values.
9 cfg = config.services.myWebsites.tools.etherpad-lite;
# Single on/off switch; the whole `config` section is gated on it via lib.mkIf.
11 options.services.myWebsites.tools.etherpad-lite = {
# NOTE(review): lib.mkEnableOption already prefixes the text with
# "Whether to enable", so the rendered description repeats the word "enable".
12 enable = lib.mkEnableOption "enable etherpad's website";
# Everything below is applied only when the enable option is set.
15 config = lib.mkIf cfg.enable {
# Hands the secret-file definitions exported by the package to the mySecrets
# mechanism. NOTE(review): presumably these are the three
# /var/secrets/webapps/tools-etherpad* files the start command reads — confirm.
16 mySecrets.keys = etherpad.keys;
17 systemd.services.etherpad-lite = {
18 description = "Etherpad-lite";
19 wantedBy = [ "multi-user.target" ];
# Ordered after the network and PostgreSQL. wants= is a soft dependency: the
# unit is still started if postgresql.service fails to come up.
20 after = [ "network.target" "postgresql.service" ];
21 wants = [ "postgresql.service" ];
# Node runs in production mode with HOME pointing at the webapp directory.
23 environment.NODE_ENV = "production";
24 environment.HOME = etherpad.webappDir;
# The start command further down gives the server the *paths* of the session
# key, API key and settings files, so only file names — not the secret values —
# appear in the process argument list.
26 path = [ pkgs.nodejs ];
29 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
30 --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
31 --apikey /var/secrets/webapps/tools-etherpad-apikey \
32 --settings /var/secrets/webapps/tools-etherpad
37 User = "etherpad-lite";
38 Group = "etherpad-lite";
# The service runs as a dedicated account. Membership in "keys" is presumably
# what grants read access to /var/secrets — TODO confirm against mySecrets.
39 SupplementaryGroups = "keys";
40 WorkingDirectory = etherpad.webappDir;
# Sandboxing visible here: no privilege gain through setuid binaries or file
# capabilities, a private /dev, a read-only control-group tree and no kernel
# module loading.
# NOTE(review): this listing omits some lines of the unit, so check the full
# file for ProtectSystem=, ProtectHome= and PrivateTmp= before relying on it;
# `systemd-analyze security etherpad-lite` summarises what remains exposed.
42 NoNewPrivileges = true;
43 PrivateDevices = true;
45 ProtectControlGroups = true;
46 ProtectKernelModules = true;
50 # Use ReadWritePaths= instead if varDir is outside of /var/lib
51 StateDirectory="etherpad-lite";
# The leading "+" makes systemd run these two commands with full privileges,
# outside the User= and sandbox settings of this unit. The attribute they
# belong to is on a line this listing omits (presumably ExecStartPre — confirm).
53 "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
# NOTE(review): this transfers ownership of the settings file and both key
# files to the service account, so the running service can rewrite its own
# credentials and settings. If Etherpad only needs to read them, read-only
# access (for instance through the "keys" group) is the least-privilege choice.
# NOTE(review): a recursive chown executed as root over a tree the service
# account can write deserves a check that nothing in it (symlinks, hard links)
# can redirect the ownership change; consider whether StateDirectory= already
# provides the ownership varDir needs.
54 "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
# Apache modules the virtual host below relies on: response/request headers,
# plus HTTP and WebSocket reverse proxying.
59 services.myWebsites.tools.modules = [
60 "headers" "proxy" "proxy_http" "proxy_wstunnel"
# Adds ether.immae.eu as an extra name on the existing "eldiron" ACME
# certificate instead of requesting a separate one.
62 security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
# Apache virtual host for ether.immae.eu; the Apache directives below are the
# contents of string values, so they are documented here rather than inline.
#  - Sends HSTS with a one-year max-age that also covers every subdomain of
#    the host.
#  - Uses `RequestHeader set` for X-Forwarded-Proto, which overwrites any value
#    supplied by the client before the request reaches Etherpad.
#  - Redirects request paths found in a text map with a 301, dropping the
#    query string; a query string containing "noredirect" disables this. The
#    targets come from myconfig (deployment configuration) and the request
#    only selects the key, so the redirect target is not client-controlled.
#    NOTE(review): pkgs.writeText places the map in the world-readable Nix
#    store — confirm it lists no pad names that are meant to stay private.
#  - Proxies /socket.io WebSocket upgrades and all other paths to the Etherpad
#    listener on localhost over plain ws:// and http://.
#    NOTE(review): confirm in the Etherpad settings (not shown here) that the
#    listener binds to loopback only, so it cannot be reached without passing
#    through Apache and its TLS termination.
63 services.myWebsites.tools.vhostConfs.etherpad-lite = {
65 hosts = [ "ether.immae.eu" ];
68 Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
69 RequestHeader set X-Forwarded-Proto "https"
73 RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
74 RewriteCond %{QUERY_STRING} "!noredirect"
75 RewriteCond %{REQUEST_URI} "^(.*)$"
76 RewriteCond ''${redirects:$1|Unknown} "!Unknown"
77 RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
79 RewriteCond %{REQUEST_URI} ^/socket.io [NC]
80 RewriteCond %{QUERY_STRING} transport=websocket [NC]
81 RewriteRule /(.*) ws://localhost:${etherpad.listenPort}/$1 [P,L]
83 <IfModule mod_proxy.c>
87 ProxyPass / http://localhost:${etherpad.listenPort}/
88 ProxyPassReverse / http://localhost:${etherpad.listenPort}/
90 Options FollowSymLinks MultiViews