X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=blobdiff_plain;f=modules%2Fprivate%2Fwebsites%2Fressourcerie_banon%2Fcryptpad.nix;h=09e938b2932dde628a377d7361ff24aba1e1a904;hp=961302da866d5f42dbd870a8b4e1bebcd755c174;hb=1feea3fe58cbaa709bdf91925860c2c96680e61d;hpb=54d97019c035ccccceb53fb8531d1bc8bea5816a
diff --git a/modules/private/websites/ressourcerie_banon/cryptpad.nix b/modules/private/websites/ressourcerie_banon/cryptpad.nix
index 961302d..09e938b 100644
--- a/modules/private/websites/ressourcerie_banon/cryptpad.nix
+++ b/modules/private/websites/ressourcerie_banon/cryptpad.nix
@@ -1,7 +1,31 @@
{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.ressourcerie_banon.cryptpad;
- configFile = "${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js";
+ port = config.myEnv.ports.cryptpad_ressourcerie_banon;
+ configFile = pkgs.writeText "config.js" ''
+ // ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js
+ module.exports = {
+ httpUnsafeOrigin: 'https://${domain}',
+ httpPort: ${toString port},
+ adminEmail: 'devnull@mail.immae.eu',
+ filePath: './datastore/',
+ archivePath: './data/archive',
+ pinPath: './data/pins',
+ taskPath: './data/tasks',
+ blockPath: './block',
+ blobPath: './blob',
+ blobStagingPath: './data/blobstage',
+ decreePath: './data/decrees',
+ logPath: './data/logs',
+ logToStdout: false,
+ logLevel: 'info',
+ logFeedback: false,
+ verbose: false,
+ };
+ '';
+ domain = "pad.le-garage-autonome.org";
+ api_domain = "pad.le-garage-autonome.org";
+ files_domain = "pad.le-garage-autonome.org";
in {
options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banonâs cryptpad";
@@ -23,11 +47,98 @@ in {
WorkingDirectory = "%S/cryptpad/ressourcerie_banon";
};
};
+ services.websites.env.production.modules = [ "proxy_wstunnel" ];
services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = {
certName = "ressourcerie_banon";
addToCerts = true;
- hosts = ["pad.le-garage-autonome.org"];
- root = null;
+ hosts = [domain];
+ root = "${pkgs.cryptpad}/lib/node_modules/cryptpad";
+ extraConfig = [
+ ''
+ RewriteEngine On
+
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ Header set X-XSS-Protection "1; mode=block"
+ Header set X-Content-Type-Options "nosniff"
+ Header set Access-Control-Allow-Origin "*"
+ Header set Permissions-Policy "interest-cohort=()"
+
+ Header set Cross-Origin-Resource-Policy "cross-origin"
+
+ Header set Cross-Origin-Opener-Policy "same-origin"
+
+ Header set Cross-Origin-Embedder-Policy "require-corp"
+
+ ErrorDocument 404 /customize.dist/404.html
+
+
+ Header set Cache-Control "max-age=31536000"
+
+
+ Header set Cache-Control "no-cache"
+
+
+ SetEnv styleSrc "'unsafe-inline' 'self' ${domain}"
+ SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}"
+ SetEnv fontSrc "'self' data: ${domain}"
+ SetEnv imgSrc "'self' data: * blob: ${domain}"
+ SetEnv frameSrc "'self' blob:"
+ SetEnv mediaSrc "'self' data: * blob: ${domain}"
+ SetEnv childSrc "https://${domain}"
+ SetEnv workerSrc "https://${domain}"
+ SetEnv scriptSrc "'self' resource: ${domain}"
+
+ Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;"
+
+ RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+ RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+ RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L]
+
+ RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L]
+
+ ProxyPassMatch "^/(api/(config|broadcast).*)$" "http://localhost:${toString port}/$1"
+ ProxyPassReverse /api http://localhost:${toString port}/api
+ ProxyPreserveHost On
+ RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+
+
+ Header set Cache-Control "max-age=31536000"
+ Header set Access-Control-Allow-Origin "*"
+ Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
+ Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
+ Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
+
+ RewriteCond %{REQUEST_METHOD} OPTIONS
+ RewriteRule ^(.*)$ $1 [R=204,L]
+
+
+
+ Header set Cache-Control "max-age=0"
+
+
+ RewriteRule ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ $1/ [R=302,L]
+
+ RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f
+ RewriteRule (.*) /www/$1 [L]
+
+ RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f
+ RewriteRule (.*) /www/$1/index.html [L]
+
+ RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f
+ RewriteRule (.*) /customize.dist/$1 [L]
+
+
+ AllowOverride None
+ Require all granted
+ DirectoryIndex index.html
+
+
+ AllowOverride None
+ Require all granted
+ DirectoryIndex index.html
+
+ ''
+ ];
};
};
}