aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-10 19:59:29 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-10 19:59:29 +0200
commit742c28ad92467859fb7f54c4b8b4d09d9864a75e (patch)
tree165f4ece0a86c8bd437ffc6cc7b1caa7da0987ae
parent7009832ab635a664e26c73cdc0ca0f8689a57774 (diff)
downloadNix-742c28ad92467859fb7f54c4b8b4d09d9864a75e.tar.gz
Nix-742c28ad92467859fb7f54c4b8b4d09d9864a75e.tar.zst
Nix-742c28ad92467859fb7f54c4b8b4d09d9864a75e.zip
Move etherpad-lite module outside of nixops
-rw-r--r--modules/default.nix1
-rw-r--r--modules/webapps/etherpad-lite.nix124
-rw-r--r--nixops/modules/websites/tools/ether.nix51
3 files changed, 133 insertions, 43 deletions
diff --git a/modules/default.nix b/modules/default.nix
index 20386af..c920a51 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -3,6 +3,7 @@
3 secrets = ./secrets.nix; 3 secrets = ./secrets.nix;
4 4
5 diaspora = ./webapps/diaspora.nix; 5 diaspora = ./webapps/diaspora.nix;
6 etherpad-lite = ./webapps/etherpad-lite.nix;
6 mastodon = ./webapps/mastodon.nix; 7 mastodon = ./webapps/mastodon.nix;
7 mediagoblin = ./webapps/mediagoblin.nix; 8 mediagoblin = ./webapps/mediagoblin.nix;
8 peertube = ./webapps/peertube.nix; 9 peertube = ./webapps/peertube.nix;
diff --git a/modules/webapps/etherpad-lite.nix b/modules/webapps/etherpad-lite.nix
new file mode 100644
index 0000000..3e951c5
--- /dev/null
+++ b/modules/webapps/etherpad-lite.nix
@@ -0,0 +1,124 @@
1{ lib, pkgs, config, ... }:
2let
3 name = "etherpad-lite";
4 cfg = config.services.etherpad-lite;
5
6 uid = config.ids.uids.etherpad-lite;
7 gid = config.ids.gids.etherpad-lite;
8in
9{
10 options.services.etherpad-lite = {
11 enable = lib.mkEnableOption "Enable Etherpad lite’s service";
12 user = lib.mkOption {
13 type = lib.types.str;
14 default = name;
15 description = "User account under which Etherpad lite runs";
16 };
17 group = lib.mkOption {
18 type = lib.types.str;
19 default = name;
20 description = "Group under which Etherpad lite runs";
21 };
22 dataDir = lib.mkOption {
23 type = lib.types.path;
24 default = "/var/lib/${name}";
25 description = ''
26 The directory where Etherpad lite stores its data.
27 '';
28 };
29 configFile = lib.mkOption {
30 type = lib.types.path;
31 description = ''
32 The config file path for Etherpad lite.
33 '';
34 };
35 sessionKeyFile = lib.mkOption {
36 type = lib.types.path;
37 description = ''
38 The Session key file path for Etherpad lite.
39 '';
40 };
41 apiKeyFile = lib.mkOption {
42 type = lib.types.path;
43 description = ''
44 The API key file path for Etherpad lite.
45 '';
46 };
47 package = lib.mkOption {
48 type = lib.types.package;
49 default = pkgs.webapps.etherpad-lite;
50 description = ''
51 Etherpad lite package to use.
52 '';
53 };
54 modules = lib.mkOption {
55 type = lib.types.listOf lib.types.package;
56 default = [];
57 description = ''
58 Etherpad lite modules to use.
59 '';
60 };
61 # Output variables
62 workdir = lib.mkOption {
63 type = lib.types.package;
64 default = cfg.package.withModules cfg.modules;
65 description = ''
66 Adjusted Etherpad lite package with plugins
67 '';
68 readOnly = true;
69 };
70 systemdStateDirectory = lib.mkOption {
71 type = lib.types.str;
72 # Use ReadWritePaths= instead if varDir is outside of /var/lib
73 default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
74 lib.strings.removePrefix "/var/lib/" cfg.dataDir;
75 description = ''
76 Adjusted Etherpad lite data directory for systemd
77 '';
78 readOnly = true;
79 };
80 };
81
82 config = lib.mkIf cfg.enable {
83 systemd.services.etherpad-lite = {
84 description = "Etherpad-lite";
85 wantedBy = [ "multi-user.target" ];
86 after = [ "network.target" "postgresql.service" ];
87 wants = [ "postgresql.service" ];
88
89 environment.NODE_ENV = "production";
90 environment.HOME = cfg.workdir;
91
92 path = [ pkgs.nodejs ];
93
94 script = ''
95 exec ${pkgs.nodejs}/bin/node ${cfg.workdir}/src/node/server.js \
96 --sessionkey ${cfg.sessionKeyFile} \
97 --apikey ${cfg.apiKeyFile} \
98 --settings ${cfg.configFile}
99 '';
100
101 serviceConfig = {
102 DynamicUser = true;
103 User = cfg.user;
104 Group = cfg.group;
105 WorkingDirectory = cfg.workdir;
106 PrivateTmp = true;
107 NoNewPrivileges = true;
108 PrivateDevices = true;
109 ProtectHome = true;
110 ProtectControlGroups = true;
111 ProtectKernelModules = true;
112 Restart = "always";
113 Type = "simple";
114 TimeoutSec = 60;
115 StateDirectory= cfg.systemdStateDirectory;
116 ExecStartPre = [
117 "+${pkgs.coreutils}/bin/install -d -m 0755 -o ${cfg.user} -g ${cfg.group} ${cfg.dataDir}/ep_initialized"
118 "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} ${cfg.configFile} ${cfg.sessionKeyFile} ${cfg.apiKeyFile}"
119 ];
120 };
121 };
122
123 };
124}
diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix
index 80472f0..3efa363 100644
--- a/nixops/modules/websites/tools/ether.nix
+++ b/nixops/modules/websites/tools/ether.nix
@@ -1,9 +1,6 @@
1{ lib, pkgs, config, myconfig, mylibs, ... }: 1{ lib, pkgs, config, myconfig, mylibs, ... }:
2let 2let
3 etherpad = pkgs.webapps.etherpad-lite.withModules
4 (builtins.attrValues pkgs.webapps.etherpad-lite-modules);
5 env = myconfig.env.tools.etherpad-lite; 3 env = myconfig.env.tools.etherpad-lite;
6 varDir = etherpad.varDir;
7 cfg = config.services.myWebsites.tools.etherpad-lite; 4 cfg = config.services.myWebsites.tools.etherpad-lite;
8 # Make sure we’re not rebuilding whole libreoffice just because of a 5 # Make sure we’re not rebuilding whole libreoffice just because of a
9 # dependency 6 # dependency
@@ -125,48 +122,16 @@ in {
125 ''; 122 '';
126 } 123 }
127 ]; 124 ];
128 systemd.services.etherpad-lite = { 125 services.etherpad-lite = {
129 description = "Etherpad-lite"; 126 enable = true;
130 wantedBy = [ "multi-user.target" ]; 127 modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
131 after = [ "network.target" "postgresql.service" ]; 128 sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
132 wants = [ "postgresql.service" ]; 129 apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
133 130 configFile = "/var/secrets/webapps/tools-etherpad";
134 environment.NODE_ENV = "production";
135 environment.HOME = etherpad;
136
137 path = [ pkgs.nodejs ];
138
139 script = ''
140 exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \
141 --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
142 --apikey /var/secrets/webapps/tools-etherpad-apikey \
143 --settings /var/secrets/webapps/tools-etherpad
144 '';
145
146 serviceConfig = {
147 DynamicUser = true;
148 User = "etherpad-lite";
149 Group = "etherpad-lite";
150 SupplementaryGroups = "keys";
151 WorkingDirectory = etherpad;
152 PrivateTmp = true;
153 NoNewPrivileges = true;
154 PrivateDevices = true;
155 ProtectHome = true;
156 ProtectControlGroups = true;
157 ProtectKernelModules = true;
158 Restart = "always";
159 Type = "simple";
160 TimeoutSec = 60;
161 # Use ReadWritePaths= instead if varDir is outside of /var/lib
162 StateDirectory="etherpad-lite";
163 ExecStartPre = [
164 "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
165 "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
166 ];
167 };
168 }; 131 };
169 132
133 systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
134
170 services.myWebsites.tools.modules = [ 135 services.myWebsites.tools.modules = [
171 "headers" "proxy" "proxy_http" "proxy_wstunnel" 136 "headers" "proxy" "proxy_http" "proxy_wstunnel"
172 ]; 137 ];