From: Ismaël Bouya Date: Fri, 10 May 2019 17:59:29 +0000 (+0200) Subject: Move etherpad-lite module outside of nixops X-Git-Tag: nur_publish~37 X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=commitdiff_plain;h=742c28ad92467859fb7f54c4b8b4d09d9864a75e Move etherpad-lite module outside of nixops --- diff --git a/modules/default.nix b/modules/default.nix index 20386af..c920a51 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -3,6 +3,7 @@ secrets = ./secrets.nix; diaspora = ./webapps/diaspora.nix; + etherpad-lite = ./webapps/etherpad-lite.nix; mastodon = ./webapps/mastodon.nix; mediagoblin = ./webapps/mediagoblin.nix; peertube = ./webapps/peertube.nix; diff --git a/modules/webapps/etherpad-lite.nix b/modules/webapps/etherpad-lite.nix new file mode 100644 index 0000000..3e951c5 --- /dev/null +++ b/modules/webapps/etherpad-lite.nix 
@@ -0,0 +1,124 @@
+{ lib, pkgs, config, ... }:
+let
+ name = "etherpad-lite";
+ cfg = config.services.etherpad-lite;
+
+ uid = config.ids.uids.etherpad-lite;
+ gid = config.ids.gids.etherpad-lite;
+in
+{
+ options.services.etherpad-lite = {
+ enable = lib.mkEnableOption "Enable Etherpad lite’s service";
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = name;
+ description = "User account under which Etherpad lite runs";
+ };
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = name;
+ description = "Group under which Etherpad lite runs";
+ };
+ dataDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/${name}";
+ description = ''
+ The directory where Etherpad lite stores its data.
+ '';
+ };
+ configFile = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ The config file path for Etherpad lite.
+ '';
+ };
+ sessionKeyFile = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ The Session key file path for Etherpad lite.
+ '';
+ };
+ apiKeyFile = lib.mkOption {
+ type = lib.types.path;
+ description = ''
+ The API key file path for Etherpad lite.
+ '';
+ };
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.webapps.etherpad-lite;
+ description = ''
+ Etherpad lite package to use.
+ '';
+ };
+ modules = lib.mkOption {
+ type = lib.types.listOf lib.types.package;
+ default = [];
+ description = ''
+ Etherpad lite modules to use.
+ '';
+ };
+ # Output variables
+ workdir = lib.mkOption {
+ type = lib.types.package;
+ default = cfg.package.withModules cfg.modules;
+ description = ''
+ Adjusted Etherpad lite package with plugins
+ '';
+ readOnly = true;
+ };
+ systemdStateDirectory = lib.mkOption {
+ type = lib.types.str;
+ # Use ReadWritePaths= instead if varDir is outside of /var/lib
+ default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+ lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+ description = ''
+ Adjusted Etherpad lite data directory for systemd
+ '';
+ readOnly = true;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.etherpad-lite = {
+ description = "Etherpad-lite";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "postgresql.service" ];
+ wants = [ "postgresql.service" ];
+
+ environment.NODE_ENV = "production";
+ environment.HOME = cfg.workdir;
+
+ path = [ pkgs.nodejs ];
+
+ script = ''
+ exec ${pkgs.nodejs}/bin/node ${cfg.workdir}/src/node/server.js \
+ --sessionkey ${cfg.sessionKeyFile} \
+ --apikey ${cfg.apiKeyFile} \
+ --settings ${cfg.configFile}
+ '';
+
+ serviceConfig = {
+ DynamicUser = true;
+ User = cfg.user;
+ Group = cfg.group;
+ WorkingDirectory = cfg.workdir;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ Restart = "always";
+ Type = "simple";
+ TimeoutSec = 60;
+ StateDirectory= cfg.systemdStateDirectory;
+ ExecStartPre = [
+ "+${pkgs.coreutils}/bin/install -d -m 0755 -o ${cfg.user} -g ${cfg.group} ${cfg.dataDir}/ep_initialized"
+ "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} ${cfg.configFile} ${cfg.sessionKeyFile} ${cfg.apiKeyFile}"
+ ];
+ };
+ };
+
+ };
+}
diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix
index 80472f0..3efa363 100644
--- a/nixops/modules/websites/tools/ether.nix
+++ b/nixops/modules/websites/tools/ether.nix
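Review bot: `sessionKeyFile`, `apiKeyFile` and `configFile` are typed `lib.types.path`, so a caller who writes `sessionKeyFile = ./sessionkey;` has the secret copied into the world-readable Nix store; the usual guard for secret-bearing paths is `type = lib.types.str;` plus a description sentence such as `Must not be a store path.` Separately, the `+`-prefixed `ExecStartPre` runs `chown -R` as root over the data directory and all three files on every start: with `DynamicUser = true`, `StateDirectory` already creates and owns the data directory, and making the service user the owner of its key files lets a compromised pad process rewrite its own API key, so granting read access through a group (as the caller does with `SupplementaryGroups = "keys"`) is the safer route. The `uid`/`gid` bindings in the `let` block are also read from `config.ids` but never used, which suggests a static user was intended and then dropped in favour of `DynamicUser`.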
@@ -1,9 +1,6 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 let
- etherpad = pkgs.webapps.etherpad-lite.withModules
- (builtins.attrValues pkgs.webapps.etherpad-lite-modules);
 env = myconfig.env.tools.etherpad-lite;
- varDir = etherpad.varDir;
 cfg = config.services.myWebsites.tools.etherpad-lite;
 # Make sure we’re not rebuilding whole libreoffice just because of a
 # dependency
@@ -125,48 +122,16 @@ in { ''; } ]; - systemd.services.etherpad-lite = { - description = "Etherpad-lite"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "postgresql.service" ]; - wants = [ "postgresql.service" ]; - - environment.NODE_ENV = "production"; - environment.HOME = etherpad; - - path = [ pkgs.nodejs ]; - - script = '' - exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \ - --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \ - --apikey /var/secrets/webapps/tools-etherpad-apikey \ - --settings /var/secrets/webapps/tools-etherpad - ''; - - serviceConfig = { - DynamicUser = true; - User = "etherpad-lite"; - Group = "etherpad-lite"; - SupplementaryGroups = "keys"; - WorkingDirectory = etherpad; - PrivateTmp = true; - NoNewPrivileges = true; - PrivateDevices = true; - ProtectHome = true; - ProtectControlGroups = true; - ProtectKernelModules = true; - Restart = "always"; - Type = "simple"; - TimeoutSec = 60; - # Use ReadWritePaths= instead if varDir is outside of /var/lib - StateDirectory="etherpad-lite"; - ExecStartPre = [ - "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized" - "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey" - ]; - }; + services.etherpad-lite = { + enable = true; + modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules; + sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey"; + apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey"; + configFile = "/var/secrets/webapps/tools-etherpad"; }; + systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys"; + services.myWebsites.tools.modules = [ "headers" "proxy" "proxy_http" "proxy_wstunnel" ];