diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-10 19:59:29 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-10 19:59:29 +0200 |
commit | 742c28ad92467859fb7f54c4b8b4d09d9864a75e (patch) | |
tree | 165f4ece0a86c8bd437ffc6cc7b1caa7da0987ae | |
parent | 7009832ab635a664e26c73cdc0ca0f8689a57774 (diff) | |
download | Nix-742c28ad92467859fb7f54c4b8b4d09d9864a75e.tar.gz Nix-742c28ad92467859fb7f54c4b8b4d09d9864a75e.tar.zst Nix-742c28ad92467859fb7f54c4b8b4d09d9864a75e.zip |
Move etherpad-lite module outside of nixops
-rw-r--r-- | modules/default.nix | 1 | ||||
-rw-r--r-- | modules/webapps/etherpad-lite.nix | 124 | ||||
-rw-r--r-- | nixops/modules/websites/tools/ether.nix | 51 |
3 files changed, 133 insertions, 43 deletions
diff --git a/modules/default.nix b/modules/default.nix index 20386af..c920a51 100644 --- a/modules/default.nix +++ b/modules/default.nix | |||
@@ -3,6 +3,7 @@ | |||
3 | secrets = ./secrets.nix; | 3 | secrets = ./secrets.nix; |
4 | 4 | ||
5 | diaspora = ./webapps/diaspora.nix; | 5 | diaspora = ./webapps/diaspora.nix; |
6 | etherpad-lite = ./webapps/etherpad-lite.nix; | ||
6 | mastodon = ./webapps/mastodon.nix; | 7 | mastodon = ./webapps/mastodon.nix; |
7 | mediagoblin = ./webapps/mediagoblin.nix; | 8 | mediagoblin = ./webapps/mediagoblin.nix; |
8 | peertube = ./webapps/peertube.nix; | 9 | peertube = ./webapps/peertube.nix; |
diff --git a/modules/webapps/etherpad-lite.nix b/modules/webapps/etherpad-lite.nix new file mode 100644 index 0000000..3e951c5 --- /dev/null +++ b/modules/webapps/etherpad-lite.nix | |||
@@ -0,0 +1,124 @@ | |||
1 | { lib, pkgs, config, ... }: | ||
2 | let | ||
3 | name = "etherpad-lite"; | ||
4 | cfg = config.services.etherpad-lite; | ||
5 | |||
6 | uid = config.ids.uids.etherpad-lite; | ||
7 | gid = config.ids.gids.etherpad-lite; | ||
8 | in | ||
9 | { | ||
10 | options.services.etherpad-lite = { | ||
11 | enable = lib.mkEnableOption "Enable Etherpad lite’s service"; | ||
12 | user = lib.mkOption { | ||
13 | type = lib.types.str; | ||
14 | default = name; | ||
15 | description = "User account under which Etherpad lite runs"; | ||
16 | }; | ||
17 | group = lib.mkOption { | ||
18 | type = lib.types.str; | ||
19 | default = name; | ||
20 | description = "Group under which Etherpad lite runs"; | ||
21 | }; | ||
22 | dataDir = lib.mkOption { | ||
23 | type = lib.types.path; | ||
24 | default = "/var/lib/${name}"; | ||
25 | description = '' | ||
26 | The directory where Etherpad lite stores its data. | ||
27 | ''; | ||
28 | }; | ||
29 | configFile = lib.mkOption { | ||
30 | type = lib.types.path; | ||
31 | description = '' | ||
32 | The config file path for Etherpad lite. | ||
33 | ''; | ||
34 | }; | ||
35 | sessionKeyFile = lib.mkOption { | ||
36 | type = lib.types.path; | ||
37 | description = '' | ||
38 | The Session key file path for Etherpad lite. | ||
39 | ''; | ||
40 | }; | ||
41 | apiKeyFile = lib.mkOption { | ||
42 | type = lib.types.path; | ||
43 | description = '' | ||
44 | The API key file path for Etherpad lite. | ||
45 | ''; | ||
46 | }; | ||
47 | package = lib.mkOption { | ||
48 | type = lib.types.package; | ||
49 | default = pkgs.webapps.etherpad-lite; | ||
50 | description = '' | ||
51 | Etherpad lite package to use. | ||
52 | ''; | ||
53 | }; | ||
54 | modules = lib.mkOption { | ||
55 | type = lib.types.listOf lib.types.package; | ||
56 | default = []; | ||
57 | description = '' | ||
58 | Etherpad lite modules to use. | ||
59 | ''; | ||
60 | }; | ||
61 | # Output variables | ||
62 | workdir = lib.mkOption { | ||
63 | type = lib.types.package; | ||
64 | default = cfg.package.withModules cfg.modules; | ||
65 | description = '' | ||
66 | Adjusted Etherpad lite package with plugins | ||
67 | ''; | ||
68 | readOnly = true; | ||
69 | }; | ||
70 | systemdStateDirectory = lib.mkOption { | ||
71 | type = lib.types.str; | ||
72 | # Use ReadWritePaths= instead if varDir is outside of /var/lib | ||
73 | default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir; | ||
74 | lib.strings.removePrefix "/var/lib/" cfg.dataDir; | ||
75 | description = '' | ||
76 | Adjusted Etherpad lite data directory for systemd | ||
77 | ''; | ||
78 | readOnly = true; | ||
79 | }; | ||
80 | }; | ||
81 | |||
82 | config = lib.mkIf cfg.enable { | ||
83 | systemd.services.etherpad-lite = { | ||
84 | description = "Etherpad-lite"; | ||
85 | wantedBy = [ "multi-user.target" ]; | ||
86 | after = [ "network.target" "postgresql.service" ]; | ||
87 | wants = [ "postgresql.service" ]; | ||
88 | |||
89 | environment.NODE_ENV = "production"; | ||
90 | environment.HOME = cfg.workdir; | ||
91 | |||
92 | path = [ pkgs.nodejs ]; | ||
93 | |||
94 | script = '' | ||
95 | exec ${pkgs.nodejs}/bin/node ${cfg.workdir}/src/node/server.js \ | ||
96 | --sessionkey ${cfg.sessionKeyFile} \ | ||
97 | --apikey ${cfg.apiKeyFile} \ | ||
98 | --settings ${cfg.configFile} | ||
99 | ''; | ||
100 | |||
101 | serviceConfig = { | ||
102 | DynamicUser = true; | ||
103 | User = cfg.user; | ||
104 | Group = cfg.group; | ||
105 | WorkingDirectory = cfg.workdir; | ||
106 | PrivateTmp = true; | ||
107 | NoNewPrivileges = true; | ||
108 | PrivateDevices = true; | ||
109 | ProtectHome = true; | ||
110 | ProtectControlGroups = true; | ||
111 | ProtectKernelModules = true; | ||
112 | Restart = "always"; | ||
113 | Type = "simple"; | ||
114 | TimeoutSec = 60; | ||
115 | StateDirectory= cfg.systemdStateDirectory; | ||
116 | ExecStartPre = [ | ||
117 | "+${pkgs.coreutils}/bin/install -d -m 0755 -o ${cfg.user} -g ${cfg.group} ${cfg.dataDir}/ep_initialized" | ||
118 | "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} ${cfg.configFile} ${cfg.sessionKeyFile} ${cfg.apiKeyFile}" | ||
119 | ]; | ||
120 | }; | ||
121 | }; | ||
122 | |||
123 | }; | ||
124 | } | ||
diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix index 80472f0..3efa363 100644 --- a/nixops/modules/websites/tools/ether.nix +++ b/nixops/modules/websites/tools/ether.nix | |||
@@ -1,9 +1,6 @@ | |||
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | 1 | { lib, pkgs, config, myconfig, mylibs, ... }: |
2 | let | 2 | let |
3 | etherpad = pkgs.webapps.etherpad-lite.withModules | ||
4 | (builtins.attrValues pkgs.webapps.etherpad-lite-modules); | ||
5 | env = myconfig.env.tools.etherpad-lite; | 3 | env = myconfig.env.tools.etherpad-lite; |
6 | varDir = etherpad.varDir; | ||
7 | cfg = config.services.myWebsites.tools.etherpad-lite; | 4 | cfg = config.services.myWebsites.tools.etherpad-lite; |
8 | # Make sure we’re not rebuilding whole libreoffice just because of a | 5 | # Make sure we’re not rebuilding whole libreoffice just because of a |
9 | # dependency | 6 | # dependency |
@@ -125,48 +122,16 @@ in { | |||
125 | ''; | 122 | ''; |
126 | } | 123 | } |
127 | ]; | 124 | ]; |
128 | systemd.services.etherpad-lite = { | 125 | services.etherpad-lite = { |
129 | description = "Etherpad-lite"; | 126 | enable = true; |
130 | wantedBy = [ "multi-user.target" ]; | 127 | modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules; |
131 | after = [ "network.target" "postgresql.service" ]; | 128 | sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey"; |
132 | wants = [ "postgresql.service" ]; | 129 | apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey"; |
133 | 130 | configFile = "/var/secrets/webapps/tools-etherpad"; | |
134 | environment.NODE_ENV = "production"; | ||
135 | environment.HOME = etherpad; | ||
136 | |||
137 | path = [ pkgs.nodejs ]; | ||
138 | |||
139 | script = '' | ||
140 | exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \ | ||
141 | --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \ | ||
142 | --apikey /var/secrets/webapps/tools-etherpad-apikey \ | ||
143 | --settings /var/secrets/webapps/tools-etherpad | ||
144 | ''; | ||
145 | |||
146 | serviceConfig = { | ||
147 | DynamicUser = true; | ||
148 | User = "etherpad-lite"; | ||
149 | Group = "etherpad-lite"; | ||
150 | SupplementaryGroups = "keys"; | ||
151 | WorkingDirectory = etherpad; | ||
152 | PrivateTmp = true; | ||
153 | NoNewPrivileges = true; | ||
154 | PrivateDevices = true; | ||
155 | ProtectHome = true; | ||
156 | ProtectControlGroups = true; | ||
157 | ProtectKernelModules = true; | ||
158 | Restart = "always"; | ||
159 | Type = "simple"; | ||
160 | TimeoutSec = 60; | ||
161 | # Use ReadWritePaths= instead if varDir is outside of /var/lib | ||
162 | StateDirectory="etherpad-lite"; | ||
163 | ExecStartPre = [ | ||
164 | "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized" | ||
165 | "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey" | ||
166 | ]; | ||
167 | }; | ||
168 | }; | 131 | }; |
169 | 132 | ||
133 | systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys"; | ||
134 | |||
170 | services.myWebsites.tools.modules = [ | 135 | services.myWebsites.tools.modules = [ |
171 | "headers" "proxy" "proxy_http" "proxy_wstunnel" | 136 | "headers" "proxy" "proxy_http" "proxy_wstunnel" |
172 | ]; | 137 | ]; |