Add etherpad lite tool
[perso/Immae/Config/Nix.git] / virtual / modules / websites / tools / ether / default.nix
# NixOS module: runs Etherpad Lite as a sandboxed systemd service and publishes
# it on ether.immae.eu through an Apache reverse-proxy virtual host.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # Deployment-specific values for this tool; also handed to the package below.
  env = myconfig.env.tools.etherpad-lite;

  etherpad = pkgs.callPackage ./etherpad_lite.nix {
    inherit (mylibs) fetchedGithub;
    inherit env;
  };
  inherit (etherpad) webappDir listenPort;

  cfg = config.services.myWebsites.tools.etherpad-lite;

  # Apache forwards to the backend over plain http/ws on localhost.
  # NOTE(review): the bind address is decided by the Etherpad settings file,
  # which is not visible here. Confirm it listens on loopback only, otherwise
  # the port can be reached directly without going through Apache.
  backendHttp = "http://localhost:${listenPort}";
  backendWs = "ws://localhost:${listenPort}";

  # Lookup table consumed by the RewriteMap directive in the vhost below.
  # pkgs.writeText places it in the Nix store, so its content is world-readable.
  redirectMap = pkgs.writeText "redirects.txt" env.redirects;
in {
  options.services.myWebsites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    systemd.services.etherpad-lite = {
      description = "Etherpad-lite";
      wantedBy = [ "multi-user.target" ];
      wants = [ "postgresql.service" ];
      after = [ "network.target" "postgresql.service" ];

      path = [ pkgs.nodejs ];
      environment = {
        NODE_ENV = "production";
        HOME = webappDir;
      };

      # NOTE(review): etherpad_lite.nix is not shown here. If etherpad.config
      # is a store path generated from `env`, anything secret in it (Etherpad
      # settings normally hold database credentials and admin passwords) is
      # readable by every local user through /nix/store. Confirm.
      script = ''
        exec ${pkgs.nodejs}/bin/node ${webappDir}/src/node/server.js \
          --settings ${etherpad.config}
      '';

      serviceConfig = {
        Type = "simple";
        Restart = "always";
        TimeoutSec = 60;
        WorkingDirectory = webappDir;

        # Identity: a transient user allocated by systemd under a fixed name.
        # DynamicUser also implies ProtectSystem=strict, so the service gets
        # no writable path outside its private /tmp.
        DynamicUser = true;
        User = "etherpad-lite";
        Group = "etherpad-lite";

        # Sandbox. PrivateTmp and NoNewPrivileges are already implied by
        # DynamicUser; they are stated explicitly here.
        # NOTE(review): ProtectKernelTunables and RestrictAddressFamilies are
        # not set and are candidates for tightening. MemoryDenyWriteExecute is
        # presumably left out because the Node.js JIT needs writable and
        # executable memory.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
      };
    };

    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;

    # Apache virtual host. The directives below do the following:
    #  - HSTS is sent on every response, including error responses ("always").
    #  - "RequestHeader set" overwrites any client-supplied X-Forwarded-Proto,
    #    so the backend never sees a spoofed value.
    #  - Redirects: the request URI is only the lookup key. The target comes
    #    from the map file built from deployment config, so the map content
    #    must stay trusted (NE disables escaping of the target). A query
    #    string containing "noredirect" skips the redirect.
    #  - WebSocket upgrades for /socket.io are proxied by the RewriteRule [P].
    #    NOTE(review): Apache checks ProxyPass rules in configuration order and
    #    the first match wins, so the /socket.io ProxyPass lines after
    #    "ProxyPass /" appear to be shadowed. Confirm before reordering, since
    #    putting them first would also send non-websocket socket.io requests
    #    to ws://.
    #  - ProxyRequests Off keeps forward proxying disabled. "Require all
    #    granted" in <Proxy *> only opens the reverse-proxy mappings.
    services.myWebsites.tools.vhostConfs.etherpad-lite = {
      certName = "eldiron";
      hosts = [ "ether.immae.eu" ];
      root = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap redirects "txt:${redirectMap}"
        RewriteCond %{QUERY_STRING} "!noredirect"
        RewriteCond %{REQUEST_URI} "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI} ^/socket.io [NC]
        RewriteCond %{QUERY_STRING} transport=websocket [NC]
        RewriteRule /(.*) ${backendWs}/$1 [P,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass / ${backendHttp}/
          ProxyPassReverse / ${backendHttp}/
          ProxyPass /socket.io ${backendWs}/socket.io
          ProxyPassReverse /socket.io ${backendWs}/socket.io
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}