Add certificate creation and handling to websites
index 1c952af5e43a3a3691ff0ee93ae4b9fd6fca0b10..8c9bbb181390021536716bb7c3a8650fcefc8d42 100644 (file)
@@ -1,20 +1,18 @@
-{ lib, pkgs, config, myconfig, mylibs, ... }:
+{ lib, pkgs, config, myconfig,  ... }:
 let
-  etherpad = pkgs.webapps.etherpad-lite.withModules
-    (builtins.attrValues pkgs.webapps.etherpad-lite-modules);
   env = myconfig.env.tools.etherpad-lite;
-  varDir = etherpad.varDir;
   cfg = config.services.myWebsites.tools.etherpad-lite;
   # Make sure we’re not rebuilding whole libreoffice just because of a
   # dependency
   libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
+  ecfg = config.services.etherpad-lite;
 in {
   options.services.myWebsites.tools.etherpad-lite = {
     enable = lib.mkEnableOption "enable etherpad's website";
   };
 
   config = lib.mkIf cfg.enable {
-    mySecrets.keys = [
+    secrets.keys = [
       {
         dest = "webapps/tools-etherpad-apikey";
         permissions = "0400";
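Review bot: The new argument list on line 7 keeps a stray double space where `mylibs` was removed; `{ lib, pkgs, config, myconfig, ... }:` reads cleaner and matches the usual module header. The `ecfg` binding added on line 17 would also benefit from a one-line comment saying why it sits next to `cfg`, e.g. `# options of the upstream etherpad-lite service (socket path etc.), distinct from our own cfg`. The `secrets.keys` entry that begins at the end of this hunk continues outside it.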
@@ -33,8 +31,8 @@ in {
             "title": "Etherpad",
             "favicon": "favicon.ico",
 
-            "ip": "127.0.0.1",
-            "port" : ${env.listenPort},
+            "ip": "",
+            "port" : "${ecfg.sockets.node}",
             "showSettingsInAdminPage" : false,
             "dbType" : "postgres",
             "dbSettings" : {
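Review bot: Replacing the 127.0.0.1 listener with the path in `${ecfg.sockets.node}` means who may reach Etherpad now depends on the socket file's owner and mode rather than on the loopback interface, and nothing in this diff shows how that socket is created; if the module providing `sockets.node` is not visible in this repository, confirm it creates the socket so that only the web server's account can connect. The empty `"ip"` paired with a path in `"port"` is presumably Etherpad's Unix-socket convention and deserves a Nix comment just above the settings string rather than inside the JSON, e.g. `# empty ip + socket path as port makes Etherpad listen on a Unix socket instead of TCP`. The settings string enclosing this hunk starts and ends outside it.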
@@ -125,54 +123,22 @@ in {
         '';
       }
     ];
-    systemd.services.etherpad-lite = {
-      description = "Etherpad-lite";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "postgresql.service" ];
-      wants = [ "postgresql.service" ];
-
-      environment.NODE_ENV = "production";
-      environment.HOME = etherpad;
-
-      path = [ pkgs.nodejs ];
-
-      script = ''
-        exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \
-          --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
-          --apikey /var/secrets/webapps/tools-etherpad-apikey \
-          --settings /var/secrets/webapps/tools-etherpad
-      '';
-
-      serviceConfig = {
-        DynamicUser = true;
-        User = "etherpad-lite";
-        Group = "etherpad-lite";
-        SupplementaryGroups = "keys";
-        WorkingDirectory = etherpad;
-        PrivateTmp = true;
-        NoNewPrivileges = true;
-        PrivateDevices = true;
-        ProtectHome = true;
-        ProtectControlGroups = true;
-        ProtectKernelModules = true;
-        Restart = "always";
-        Type = "simple";
-        TimeoutSec = 60;
-        # Use ReadWritePaths= instead if varDir is outside of /var/lib
-        StateDirectory="etherpad-lite";
-        ExecStartPre = [
-          "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
-          "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
-        ];
-      };
+    services.etherpad-lite = {
+      enable = true;
+      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
+      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
+      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
+      configFile = "/var/secrets/webapps/tools-etherpad";
     };
 
-    services.myWebsites.tools.modules = [
+    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
+
+    services.websites.tools.modules = [
       "headers" "proxy" "proxy_http" "proxy_wstunnel"
     ];
-    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
-    services.myWebsites.tools.vhostConfs.etherpad-lite = {
+    services.websites.tools.vhostConfs.etherpad-lite = {
       certName    = "eldiron";
+      addToCerts  = true;
       hosts       = [ "ether.immae.eu" ];
       root        = null;
       extraConfig = [ ''
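Review bot: Dropping the local unit removes the `ExecStartPre` chown that gave the service user ownership of the three `/var/secrets/webapps/tools-etherpad*` files, while the key declared earlier in this file keeps `permissions = "0400"`; with mode 0400 the added `SupplementaryGroups = "keys"` grants no read access by itself, so the service can read the secrets only if the `secrets.keys` entries set `user` to the account the `services.etherpad-lite` module runs as — that field is outside this diff, so please confirm it. The removed unit also carried `DynamicUser`, `PrivateTmp`, `NoNewPrivileges`, `PrivateDevices`, `ProtectHome`, `ProtectControlGroups` and `ProtectKernelModules`; unless the upstream module sets equivalent hardening, re-add the subset it lacks next to the existing line, e.g. `systemd.services.etherpad-lite.serviceConfig = { SupplementaryGroups = "keys"; NoNewPrivileges = true; PrivateTmp = true; };`. The `config = lib.mkIf cfg.enable { … }` set enclosing this hunk starts and ends outside it.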
@@ -189,14 +155,14 @@ in {
 
         RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
         RewriteCond %{QUERY_STRING} transport=websocket    [NC]
-        RewriteRule /(.*)           ws://localhost:${env.listenPort}/$1 [P,L]
+        RewriteRule /(.*)           unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]
 
         <IfModule mod_proxy.c>
           ProxyVia On
           ProxyRequests Off
           ProxyPreserveHost On
-          ProxyPass         / http://localhost:${env.listenPort}/
-          ProxyPassReverse  / http://localhost:${env.listenPort}/
+          ProxyPass         / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+          ProxyPassReverse  / unix://${ecfg.sockets.node}|http://ether.immae.eu/
           <Proxy *>
             Options FollowSymLinks MultiViews
             AllowOverride None
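Review bot: The backend hostname `ether.immae.eu` is now repeated in the three `unix:…|` targets on lines 111, 119 and 120 and again in `hosts` earlier in the file; with `ProxyPreserveHost On` set just above, the part after `|` mainly identifies the proxy worker, so one `let` binding (e.g. `host = "ether.immae.eu";` next to `ecfg`) used in all four places would keep them from drifting. Apache documents the Unix-socket target as `unix:/path|scheme://host/`; `unix://${ecfg.sockets.node}` yields three slashes when the option is an absolute path, which mod_proxy appears to tolerate, but the documented spelling is safer should `sockets.node` ever change shape. The `extraConfig` string enclosing this hunk starts and ends outside it.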