Make etherpad derivation pure
[perso/Immae/Config/Nix.git] / nixops / modules / websites / tools / ether / default.nix
index 5ee34332d1796a90ad166ff02db7f1325a6317ab..c4685a443b7db8102388ffc74ce989164e072220 100644 (file)
@@ -1,10 +1,11 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 let
   etherpad = pkgs.callPackage ./etherpad_lite.nix {
-    inherit (mylibs) fetchedGithub;
+    inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
     env = myconfig.env.tools.etherpad-lite;
   };
 
+  varDir = etherpad.webappDir.varDir;
   cfg = config.services.myWebsites.tools.etherpad-lite;
 in {
   options.services.myWebsites.tools.etherpad-lite = {
@@ -12,6 +13,7 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    mySecrets.keys = etherpad.keys;
     systemd.services.etherpad-lite = {
       description = "Etherpad-lite";
       wantedBy = [ "multi-user.target" ];
@@ -25,13 +27,16 @@ in {
 
       script = ''
         exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
-          --settings ${etherpad.config}
+          --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
+          --apikey /var/secrets/webapps/tools-etherpad-apikey \
+          --settings /var/secrets/webapps/tools-etherpad
       '';
 
       serviceConfig = {
         DynamicUser = true;
         User = "etherpad-lite";
         Group = "etherpad-lite";
+        SupplementaryGroups = "keys";
         WorkingDirectory = etherpad.webappDir;
         PrivateTmp = true;
         NoNewPrivileges = true;
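Review bot: The three `/var/secrets/webapps/tools-etherpad*` paths are written out literally in the `script` here and again in the root-run `chown` of the ExecStartPre hunk further down, so a rename on the mySecrets side would leave the service pointing at a missing file while root keeps changing ownership of whatever sits at the stale path. Binding the location once in the `let` block, e.g. `secretsDir = "/var/secrets/webapps";` and then `--settings ${secretsDir}/tools-etherpad`, keeps both uses in step. If `etherpad.keys` already carries the destination paths (not visible in this hunk), deriving them from it would be tighter still. The `script` and `serviceConfig` bodies begin or end outside the hunk.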
@@ -42,6 +47,12 @@ in {
         Restart = "always";
         Type = "simple";
         TimeoutSec = 60;
+        # Use ReadWritePaths= instead if varDir is outside of /var/lib
+        StateDirectory="etherpad-lite";
+        ExecStartPre = [
+          "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
+          "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
+        ];
       };
     };
 
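Review bot: The second ExecStartPre entry runs as root (the `+` prefix) and makes the service account the owner of the settings file, the session key and the API key, so the network-facing node process can rewrite or chmod its own secrets, although the `--settings`, `--sessionkey` and `--apikey` flags only need to read them. The earlier hunk already adds `SupplementaryGroups = "keys"`; if mySecrets installs these files group-readable for `keys` (not visible here), the chown can be narrowed to `"+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir}"` and the secrets can stay root-owned. With `DynamicUser = true` and `StateDirectory`, systemd manages ownership of /var/lib/etherpad-lite itself, so even the `${varDir}` chown may be redundant when varDir lives there, which is worth confirming. Either way, a short comment above the list saying why root has to touch these paths on every start would help the next reader.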
@@ -75,8 +86,6 @@ in {
           ProxyPreserveHost On
           ProxyPass         / http://localhost:${etherpad.listenPort}/
           ProxyPassReverse  / http://localhost:${etherpad.listenPort}/
-          ProxyPass         /socket.io ws://localhost:${etherpad.listenPort}/socket.io
-          ProxyPassReverse  /socket.io ws://localhost:${etherpad.listenPort}/socket.io
           <Proxy *>
             Options FollowSymLinks MultiViews
             AllowOverride None