author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 15:50:00 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 15:50:00 +0200 |
commit | e905cd0bda71f359597ecb1f4554d3edb27e2ccb (patch) | |
tree | 400a78ec5a07f45a224177c5d87a6cfc7863259c /nixops | |
parent | b9c11a4dfd5afab304503fd61efe773b5a0da6a7 (diff) | |
Move missing passwords in etherpad to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r-- | nixops/modules/websites/tools/ether/default.nix | 6 | ||||
-rw-r--r-- | nixops/modules/websites/tools/ether/etherpad_lite.nix | 214 |
2 files changed, 116 insertions, 104 deletions
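--- a/nixops/modules/websites/tools/ether/default.nix
+++ b/nixops/modules/websites/tools/ether/default.nix
@@ -16,8 +16,8 @@ in {
 systemd.services.etherpad-lite = {
 description = "Etherpad-lite";
 wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" ];
-wants = [ "postgresql.service" "tools-etherpad-key.service" ];
+after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
+wants = [ "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
 
 environment.NODE_ENV = "production";
 environment.HOME = etherpad.webappDir;
@@ -44,7 +44,7 @@ in {
 Restart = "always";
 Type = "simple";
 TimeoutSec = 60;
-ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad";
+ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad /run/keys/webapps/tools-etherpad-sessionkey /run/keys/webapps/tools-etherpad-apikey";
 };
 };
 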
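Review bot: On the new `ExecStartPre` line, ownership of the three key files is corrected by a root-run `chown` (the `+` prefix) on every start, so the service only becomes usable through a privileged step, and the files stay root-owned until it runs. If the `keys` entries in etherpad_lite.nix end up in NixOps `deployment.keys` (not visible in this diff), declaring the owner on each key, e.g. `user = "etherpad-lite"; group = "etherpad-lite";`, would deliver them with the right owner and make the root `chown` unnecessary. The two new key units are also listed only under `wants`, so a failed key unit does not block the start; putting them under `requires` would report a missing secret as a dependency failure rather than as a failed `chown`. The enclosing attribute set starts outside the hunk.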
diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix index bc62262..689156e 100644 --- a/nixops/modules/websites/tools/ether/etherpad_lite.nix +++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix | |||
@@ -30,109 +30,121 @@ let | |||
30 | "ep_subscript_and_superscript" | 30 | "ep_subscript_and_superscript" |
31 | "ep_timesliderdiff" | 31 | "ep_timesliderdiff" |
32 | ]; | 32 | ]; |
33 | keys.tools-etherpad = { | 33 | keys = { |
34 | destDir = "/run/keys/webapps"; | 34 | tools-etherpad-apikey = { |
35 | permissions = "0400"; | 35 | destDir = "/run/keys/webapps"; |
36 | text = | 36 | permissions = "0400"; |
37 | # Make sure we’re not rebuilding whole libreoffice just because of a | 37 | text = env.api_key; |
38 | # dependency | 38 | }; |
39 | let libreoffice = (import <nixpkgs> {}).libreoffice-fresh; | 39 | tools-etherpad-sessionkey = { |
40 | in | 40 | destDir = "/run/keys/webapps"; |
41 | '' | 41 | permissions = "0400"; |
42 | { | 42 | text = env.session_key; |
43 | "title": "Etherpad", | 43 | }; |
44 | "favicon": "favicon.ico", | 44 | tools-etherpad = { |
45 | destDir = "/run/keys/webapps"; | ||
46 | permissions = "0400"; | ||
47 | text = | ||
48 | # Make sure we’re not rebuilding whole libreoffice just because of a | ||
49 | # dependency | ||
50 | let libreoffice = (import <nixpkgs> {}).libreoffice-fresh; | ||
51 | in | ||
52 | '' | ||
53 | { | ||
54 | "title": "Etherpad", | ||
55 | "favicon": "favicon.ico", | ||
45 | 56 | ||
46 | "ip": "127.0.0.1", | 57 | "ip": "127.0.0.1", |
47 | "port" : ${env.listenPort}, | 58 | "port" : ${env.listenPort}, |
48 | "showSettingsInAdminPage" : false, | 59 | "showSettingsInAdminPage" : false, |
49 | "dbType" : "postgres", | 60 | "dbType" : "postgres", |
50 | "dbSettings" : { | 61 | "dbSettings" : { |
51 | "user" : "${env.postgresql.user}", | 62 | "user" : "${env.postgresql.user}", |
52 | "host" : "${env.postgresql.socket}", | 63 | "host" : "${env.postgresql.socket}", |
53 | "password": "${env.postgresql.password}", | 64 | "password": "${env.postgresql.password}", |
54 | "database": "${env.postgresql.database}", | 65 | "database": "${env.postgresql.database}", |
55 | "charset" : "utf8mb4" | 66 | "charset" : "utf8mb4" |
56 | }, | 67 | }, |
57 | 68 | ||
58 | "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", | 69 | "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", |
59 | "padOptions": { | 70 | "padOptions": { |
60 | "noColors": false, | 71 | "noColors": false, |
61 | "showControls": true, | 72 | "showControls": true, |
62 | "showChat": true, | 73 | "showChat": true, |
63 | "showLineNumbers": true, | 74 | "showLineNumbers": true, |
64 | "useMonospaceFont": false, | 75 | "useMonospaceFont": false, |
65 | "userName": false, | 76 | "userName": false, |
66 | "userColor": false, | 77 | "userColor": false, |
67 | "rtl": false, | 78 | "rtl": false, |
68 | "alwaysShowChat": false, | 79 | "alwaysShowChat": false, |
69 | "chatAndUsers": false, | 80 | "chatAndUsers": false, |
70 | "lang": "en-gb" | 81 | "lang": "en-gb" |
71 | }, | 82 | }, |
72 | 83 | ||
73 | "suppressErrorsInPadText" : false, | 84 | "suppressErrorsInPadText" : false, |
74 | "requireSession" : false, | 85 | "requireSession" : false, |
75 | "editOnly" : false, | 86 | "editOnly" : false, |
76 | "sessionNoPassword" : false, | 87 | "sessionNoPassword" : false, |
77 | "minify" : true, | 88 | "minify" : true, |
78 | "maxAge" : 21600, | 89 | "maxAge" : 21600, |
79 | "abiword" : null, | 90 | "abiword" : null, |
80 | "soffice" : "${libreoffice}/bin/soffice", | 91 | "soffice" : "${libreoffice}/bin/soffice", |
81 | "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", | 92 | "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", |
82 | "allowUnknownFileEnds" : true, | 93 | "allowUnknownFileEnds" : true, |
83 | "requireAuthentication" : false, | 94 | "requireAuthentication" : false, |
84 | "requireAuthorization" : false, | 95 | "requireAuthorization" : false, |
85 | "trustProxy" : false, | 96 | "trustProxy" : false, |
86 | "disableIPlogging" : false, | 97 | "disableIPlogging" : false, |
87 | "automaticReconnectionTimeout" : 0, | 98 | "automaticReconnectionTimeout" : 0, |
88 | "scrollWhenFocusLineIsOutOfViewport": { | 99 | "scrollWhenFocusLineIsOutOfViewport": { |
89 | "percentage": { | 100 | "percentage": { |
90 | "editionAboveViewport": 0, | 101 | "editionAboveViewport": 0, |
91 | "editionBelowViewport": 0 | 102 | "editionBelowViewport": 0 |
103 | }, | ||
104 | "duration": 0, | ||
105 | "scrollWhenCaretIsInTheLastLineOfViewport": false, | ||
106 | "percentageToScrollWhenUserPressesArrowUp": 0 | ||
92 | }, | 107 | }, |
93 | "duration": 0, | 108 | "users": { |
94 | "scrollWhenCaretIsInTheLastLineOfViewport": false, | 109 | "ldapauth": { |
95 | "percentageToScrollWhenUserPressesArrowUp": 0 | 110 | "url": "ldaps://${env.ldap.host}", |
96 | }, | 111 | "accountBase": "${env.ldap.base}", |
97 | "users": { | 112 | "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", |
98 | "ldapauth": { | 113 | "displayNameAttribute": "cn", |
99 | "url": "ldaps://${env.ldap.host}", | 114 | "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", |
100 | "accountBase": "${env.ldap.base}", | 115 | "searchPWD": "${env.ldap.password}", |
101 | "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", | 116 | "groupSearchBase": "${env.ldap.base}", |
102 | "displayNameAttribute": "cn", | 117 | "groupAttribute": "member", |
103 | "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", | 118 | "groupAttributeIsDN": true, |
104 | "searchPWD": "${env.ldap.password}", | 119 | "searchScope": "sub", |
105 | "groupSearchBase": "${env.ldap.base}", | 120 | "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", |
106 | "groupAttribute": "member", | 121 | "anonymousReadonly": false |
107 | "groupAttributeIsDN": true, | 122 | } |
108 | "searchScope": "sub", | 123 | }, |
109 | "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", | 124 | "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], |
110 | "anonymousReadonly": false | 125 | "loadTest": false, |
111 | } | 126 | "indentationOnNewLine": false, |
112 | }, | 127 | "toolbar": { |
113 | "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], | 128 | "left": [ |
114 | "loadTest": false, | 129 | ["bold", "italic", "underline", "strikethrough"], |
115 | "indentationOnNewLine": false, | 130 | ["orderedlist", "unorderedlist", "indent", "outdent"], |
116 | "toolbar": { | 131 | ["undo", "redo"], |
117 | "left": [ | 132 | ["clearauthorship"] |
118 | ["bold", "italic", "underline", "strikethrough"], | 133 | ], |
119 | ["orderedlist", "unorderedlist", "indent", "outdent"], | 134 | "right": [ |
120 | ["undo", "redo"], | 135 | ["importexport", "timeslider", "savedrevision"], |
121 | ["clearauthorship"] | 136 | ["settings", "embed"], |
122 | ], | 137 | ["showusers"] |
123 | "right": [ | 138 | ], |
124 | ["importexport", "timeslider", "savedrevision"], | 139 | "timeslider": [ |
125 | ["settings", "embed"], | 140 | ["timeslider_export", "timeslider_returnToPad"] |
126 | ["showusers"] | 141 | ] |
127 | ], | 142 | }, |
128 | "timeslider": [ | 143 | "loglevel": "INFO", |
129 | ["timeslider_export", "timeslider_returnToPad"] | 144 | "logconfig" : { "appenders": [ { "type": "console" } ] } |
130 | ] | 145 | } |
131 | }, | 146 | ''; |
132 | "loglevel": "INFO", | 147 | }; |
133 | "logconfig" : { "appenders": [ { "type": "console" } ] } | ||
134 | } | ||
135 | ''; | ||
136 | }; | 148 | }; |
137 | webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { | 149 | webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { |
138 | __noChroot = true; | 150 | __noChroot = true; |
@@ -170,8 +182,8 @@ let | |||
170 | install -t $out/src/ -vDm 644 src/.ep_initialized | 182 | install -t $out/src/ -vDm 644 src/.ep_initialized |
171 | cp -a node_modules $out/ | 183 | cp -a node_modules $out/ |
172 | cp -a src/* $out/src/ | 184 | cp -a src/* $out/src/ |
173 | ln -sf ${sessionkey} $out/SESSIONKEY.txt | 185 | ln -sf /run/keys/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt |
174 | ln -sf ${apikey} $out/APIKEY.txt | 186 | ln -sf /run/keys/webapps/tools-etherpad-apikey $out/APIKEY.txt |
175 | cp ${jquery} $out/src/static/js/jquery.js | 187 | cp ${jquery} $out/src/static/js/jquery.js |
176 | 188 | ||
177 | mkdir $out/doc | 189 | mkdir $out/doc |
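Review bot: The two `ln -sf` lines in the last hunk hard-code `/run/keys/webapps/tools-etherpad-sessionkey` and `/run/keys/webapps/tools-etherpad-apikey`, repeating the `destDir` and attribute names from the `keys` set in the first hunk and the `chown` list in default.nix, so a rename in any one of the three places leaves a dangling symlink. Binding the directory once (for example `keyDir = "/run/keys/webapps";` in the surrounding `let`) and interpolating it in `destDir` and in both link targets would keep them in step. A short comment above the links would also help, such as `# targets are delivered at run time under /run/keys and do not exist at build time`. It is worth confirming how Etherpad reacts when `APIKEY.txt` or `SESSIONKEY.txt` cannot be read at start-up, since a fallback that generates and writes a fresh key would go through the symlink into a path the service user presumably cannot write. The install script continues outside the hunk.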