Add cryptpad to ressourcerie banon

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2021-05-23 22:07:22 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2021-05-23 22:07:22 +0200
commit: 1feea3fe58cbaa709bdf91925860c2c96680e61d (patch)
tree: 75f6a36d4156dd1f3ec6673a9e8a686ca0052479 /modules
parent: 54d97019c035ccccceb53fb8531d1bc8bea5816a (diff)
download: Nix-1feea3fe58cbaa709bdf91925860c2c96680e61d.tar.gz
Nix-1feea3fe58cbaa709bdf91925860c2c96680e61d.tar.zst
Nix-1feea3fe58cbaa709bdf91925860c2c96680e61d.zip
1 files changed, 114 insertions, 3 deletions
diff --git a/modules/private/websites/ressourcerie_banon/cryptpad.nix b/modules/private/websites/ressourcerie_banon/cryptpad.nix
index 961302d..09e938b 100644
--- a/modules/private/websites/ressourcerie_banon/cryptpad.nix
+++ b/modules/private/websites/ressourcerie_banon/cryptpad.nix
@@ -1,7 +1,31 @@
 { lib, pkgs, config, ... }:
 let
  cfg = config.myServices.websites.ressourcerie_banon.cryptpad;
-  configFile = "${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js";
+  port = config.myEnv.ports.cryptpad_ressourcerie_banon;
+  configFile = pkgs.writeText "config.js" ''
+    // ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js
+    module.exports = {
+      httpUnsafeOrigin: 'https://${domain}',
+      httpPort: ${toString port},
+      adminEmail: 'devnull@mail.immae.eu',
+      filePath: './datastore/',
+      archivePath: './data/archive',
+      pinPath: './data/pins',
+      taskPath: './data/tasks',
+      blockPath: './block',
+      blobPath: './blob',
+      blobStagingPath: './data/blobstage',
+      decreePath: './data/decrees',
+      logPath: './data/logs',
+      logToStdout: false,
+      logLevel: 'info',
+      logFeedback: false,
+      verbose: false,
+    };
+  '';
+  domain = "pad.le-garage-autonome.org";
+  api_domain = "pad.le-garage-autonome.org";
+  files_domain = "pad.le-garage-autonome.org";
 in {
  options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad";
@@ -23,11 +47,98 @@ in {
        WorkingDirectory = "%S/cryptpad/ressourcerie_banon";
      };
    };
+    services.websites.env.production.modules = [ "proxy_wstunnel" ];
    services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = {
      certName = "ressourcerie_banon";
      addToCerts = true;
-      hosts = ["pad.le-garage-autonome.org"];
+      hosts = [domain];
-      root = null;
+      root = "${pkgs.cryptpad}/lib/node_modules/cryptpad";
+      extraConfig = [
+        ''
+          RewriteEngine On
+          Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+          Header set X-XSS-Protection "1; mode=block"
+          Header set X-Content-Type-Options "nosniff"
+          Header set Access-Control-Allow-Origin "*"
+          Header set Permissions-Policy "interest-cohort=()"
+          Header set Cross-Origin-Resource-Policy "cross-origin"
+          <If "%{REQUEST_URI} =~ m#^/(sheet|presentation|doc)/.*$#">
+            Header set Cross-Origin-Opener-Policy "same-origin"
+          </If>
+          Header set Cross-Origin-Embedder-Policy "require-corp"
+          ErrorDocument 404 /customize.dist/404.html
+          <If "%{QUERY_STRING} =~ m#ver=.*?#">
+            Header set Cache-Control "max-age=31536000"
+          </If>
+          <If "%{REQUEST_URI} =~ m#^/.*(\/|\.html)$#">
+            Header set Cache-Control "no-cache"
+          </If>
+          SetEnv styleSrc   "'unsafe-inline' 'self' ${domain}"
+          SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}"
+          SetEnv fontSrc    "'self' data: ${domain}"
+          SetEnv imgSrc     "'self' data: * blob: ${domain}"
+          SetEnv frameSrc   "'self' blob:"
+          SetEnv mediaSrc   "'self' data: * blob: ${domain}"
+          SetEnv childSrc   "https://${domain}"
+          SetEnv workerSrc  "https://${domain}"
+          SetEnv scriptSrc  "'self' resource: ${domain}"
+          Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;"
+          RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+          RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+          RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L]
+          RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L]
+          ProxyPassMatch "^/(api/(config|broadcast).*)$" "http://localhost:${toString port}/$1"
+          ProxyPassReverse /api http://localhost:${toString port}/api
+          ProxyPreserveHost On
+          RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+          <LocationMatch /blob/>
+            Header set Cache-Control "max-age=31536000"
+            Header set Access-Control-Allow-Origin "*"
+            Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
+            Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
+            Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
+            RewriteCond %{REQUEST_METHOD} OPTIONS
+            RewriteRule ^(.*)$ $1 [R=204,L]
+          </LocationMatch>
+          <LocationMatch /block/>
+            Header set Cache-Control "max-age=0"
+          </locationMatch>
+          RewriteRule ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ $1/ [R=302,L]
+          RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f
+          RewriteRule (.*) /www/$1 [L]
+          RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f
+          RewriteRule (.*) /www/$1/index.html [L]
+          RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f
+          RewriteRule (.*) /customize.dist/$1 [L]
+          <Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/www>
+            AllowOverride None
+            Require all granted
+            DirectoryIndex index.html
+          </Directory>
+          <Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/customize.dist>
+            AllowOverride None
+            Require all granted
+            DirectoryIndex index.html
+          </Directory>
+          ''
+      ];
    };
  };
 }
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2021-05-23 22:07:22 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2021-05-23 22:07:22 +0200
commit	1feea3fe58cbaa709bdf91925860c2c96680e61d (patch)
tree	75f6a36d4156dd1f3ec6673a9e8a686ca0052479 /modules
parent	54d97019c035ccccceb53fb8531d1bc8bea5816a (diff)
download	Nix-1feea3fe58cbaa709bdf91925860c2c96680e61d.tar.gz Nix-1feea3fe58cbaa709bdf91925860c2c96680e61d.tar.zst Nix-1feea3fe58cbaa709bdf91925860c2c96680e61d.zip

diff --git a/modules/private/websites/ressourcerie_banon/cryptpad.nix b/modules/private/websites/ressourcerie_banon/cryptpad.nix index 961302d..09e938b 100644 --- a/modules/private/websites/ressourcerie_banon/cryptpad.nix +++ b/modules/private/websites/ressourcerie_banon/cryptpad.nix
@@ -1,7 +1,31 @@
1	{ lib, pkgs, config, ... }:	1	{ lib, pkgs, config, ... }:
2	let	2	let
3	cfg = config.myServices.websites.ressourcerie_banon.cryptpad;	3	cfg = config.myServices.websites.ressourcerie_banon.cryptpad;
4	configFile = "${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js";	4	port = config.myEnv.ports.cryptpad_ressourcerie_banon;
		5	configFile = pkgs.writeText "config.js" ''
		6	// ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js
		7	module.exports = {
		8	httpUnsafeOrigin: 'https://${domain}',
		9	httpPort: ${toString port},
		10	adminEmail: 'devnull@mail.immae.eu',
		11	filePath: './datastore/',
		12	archivePath: './data/archive',
		13	pinPath: './data/pins',
		14	taskPath: './data/tasks',
		15	blockPath: './block',
		16	blobPath: './blob',
		17	blobStagingPath: './data/blobstage',
		18	decreePath: './data/decrees',
		19	logPath: './data/logs',
		20	logToStdout: false,
		21	logLevel: 'info',
		22	logFeedback: false,
		23	verbose: false,
		24	};
		25	'';
		26	domain = "pad.le-garage-autonome.org";
		27	api_domain = "pad.le-garage-autonome.org";
		28	files_domain = "pad.le-garage-autonome.org";
5	in {	29	in {
6	options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad";	30	options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad";
7		31
@@ -23,11 +47,98 @@ in {
23	WorkingDirectory = "%S/cryptpad/ressourcerie_banon";	47	WorkingDirectory = "%S/cryptpad/ressourcerie_banon";
24	};	48	};
25	};	49	};
		50	services.websites.env.production.modules = [ "proxy_wstunnel" ];
26	services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = {	51	services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = {
27	certName = "ressourcerie_banon";	52	certName = "ressourcerie_banon";
28	addToCerts = true;	53	addToCerts = true;
29	hosts = ["pad.le-garage-autonome.org"];	54	hosts = [domain];
30	root = null;	55	root = "${pkgs.cryptpad}/lib/node_modules/cryptpad";
		56	extraConfig = [
		57	''
		58	RewriteEngine On
		59
		60	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
		61	Header set X-XSS-Protection "1; mode=block"
		62	Header set X-Content-Type-Options "nosniff"
		63	Header set Access-Control-Allow-Origin "*"
		64	Header set Permissions-Policy "interest-cohort=()"
		65
		66	Header set Cross-Origin-Resource-Policy "cross-origin"
		67	<If "%{REQUEST_URI} =~ m#^/(sheet\|presentation\|doc)/.*$#">
		68	Header set Cross-Origin-Opener-Policy "same-origin"
		69	</If>
		70	Header set Cross-Origin-Embedder-Policy "require-corp"
		71
		72	ErrorDocument 404 /customize.dist/404.html
		73
		74	<If "%{QUERY_STRING} =~ m#ver=.*?#">
		75	Header set Cache-Control "max-age=31536000"
		76	</If>
		77	<If "%{REQUEST_URI} =~ m#^/.*(\/\|\.html)$#">
		78	Header set Cache-Control "no-cache"
		79	</If>
		80
		81	SetEnv styleSrc "'unsafe-inline' 'self' ${domain}"
		82	SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}"
		83	SetEnv fontSrc "'self' data: ${domain}"
		84	SetEnv imgSrc "'self' data: * blob: ${domain}"
		85	SetEnv frameSrc "'self' blob:"
		86	SetEnv mediaSrc "'self' data: * blob: ${domain}"
		87	SetEnv childSrc "https://${domain}"
		88	SetEnv workerSrc "https://${domain}"
		89	SetEnv scriptSrc "'self' resource: ${domain}"
		90
		91	Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;"
		92
		93	RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
		94	RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
		95	RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L]
		96
		97	RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L]
		98
		99	ProxyPassMatch "^/(api/(config\|broadcast).*)$" "http://localhost:${toString port}/$1"
		100	ProxyPassReverse /api http://localhost:${toString port}/api
		101	ProxyPreserveHost On
		102	RequestHeader set X-Real-IP %{REMOTE_ADDR}s
		103
		104	<LocationMatch /blob/>
		105	Header set Cache-Control "max-age=31536000"
		106	Header set Access-Control-Allow-Origin "*"
		107	Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
		108	Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
		109	Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
		110
		111	RewriteCond %{REQUEST_METHOD} OPTIONS
		112	RewriteRule ^(.*)$ $1 [R=204,L]
		113	</LocationMatch>
		114
		115	<LocationMatch /block/>
		116	Header set Cache-Control "max-age=0"
		117	</locationMatch>
		118
		119	RewriteRule ^/(register\|login\|settings\|user\|pad\|drive\|poll\|slide\|code\|whiteboard\|file\|media\|profile\|contacts\|todo\|filepicker\|debug\|kanban\|sheet\|support\|admin\|notifications\|teams\|calendar\|presentation\|doc)$ $1/ [R=302,L]
		120
		121	RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f
		122	RewriteRule (.*) /www/$1 [L]
		123
		124	RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f
		125	RewriteRule (.*) /www/$1/index.html [L]
		126
		127	RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f
		128	RewriteRule (.*) /customize.dist/$1 [L]
		129
		130	<Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/www>
		131	AllowOverride None
		132	Require all granted
		133	DirectoryIndex index.html
		134	</Directory>
		135	<Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/customize.dist>
		136	AllowOverride None
		137	Require all granted
		138	DirectoryIndex index.html
		139	</Directory>
		140	''
		141	];
31	};	142	};
32	};	143	};
33	}	144	}