diff options
-rw-r--r-- | nixops/modules/websites/default.nix | 2 | ||||
-rw-r--r-- | nixops/modules/websites/tools/ether.nix | 209 | ||||
-rw-r--r-- | nixops/modules/websites/tools/ether/default.nix | 98 | ||||
-rw-r--r-- | nixops/modules/websites/tools/ether/etherpad_lite.nix | 126 |
4 files changed, 210 insertions, 225 deletions
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix index 06face1..e40c8f4 100644 --- a/nixops/modules/websites/default.nix +++ b/nixops/modules/websites/default.nix | |||
@@ -129,7 +129,7 @@ in | |||
129 | ./tools/mastodon.nix | 129 | ./tools/mastodon.nix |
130 | ./tools/mediagoblin.nix | 130 | ./tools/mediagoblin.nix |
131 | ./tools/diaspora.nix | 131 | ./tools/diaspora.nix |
132 | ./tools/ether | 132 | ./tools/ether.nix |
133 | ./tools/peertube | 133 | ./tools/peertube |
134 | # built using: | 134 | # built using: |
135 | # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix | 135 | # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix |
diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix new file mode 100644 index 0000000..1c952af --- /dev/null +++ b/nixops/modules/websites/tools/ether.nix | |||
@@ -0,0 +1,209 @@ | |||
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | ||
2 | let | ||
3 | etherpad = pkgs.webapps.etherpad-lite.withModules | ||
4 | (builtins.attrValues pkgs.webapps.etherpad-lite-modules); | ||
5 | env = myconfig.env.tools.etherpad-lite; | ||
6 | varDir = etherpad.varDir; | ||
7 | cfg = config.services.myWebsites.tools.etherpad-lite; | ||
8 | # Make sure we’re not rebuilding whole libreoffice just because of a | ||
9 | # dependency | ||
10 | libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh; | ||
11 | in { | ||
12 | options.services.myWebsites.tools.etherpad-lite = { | ||
13 | enable = lib.mkEnableOption "enable etherpad's website"; | ||
14 | }; | ||
15 | |||
16 | config = lib.mkIf cfg.enable { | ||
17 | mySecrets.keys = [ | ||
18 | { | ||
19 | dest = "webapps/tools-etherpad-apikey"; | ||
20 | permissions = "0400"; | ||
21 | text = env.api_key; | ||
22 | } | ||
23 | { | ||
24 | dest = "webapps/tools-etherpad-sessionkey"; | ||
25 | permissions = "0400"; | ||
26 | text = env.session_key; | ||
27 | } | ||
28 | { | ||
29 | dest = "webapps/tools-etherpad"; | ||
30 | permissions = "0400"; | ||
31 | text = '' | ||
32 | { | ||
33 | "title": "Etherpad", | ||
34 | "favicon": "favicon.ico", | ||
35 | |||
36 | "ip": "127.0.0.1", | ||
37 | "port" : ${env.listenPort}, | ||
38 | "showSettingsInAdminPage" : false, | ||
39 | "dbType" : "postgres", | ||
40 | "dbSettings" : { | ||
41 | "user" : "${env.postgresql.user}", | ||
42 | "host" : "${env.postgresql.socket}", | ||
43 | "password": "${env.postgresql.password}", | ||
44 | "database": "${env.postgresql.database}", | ||
45 | "charset" : "utf8mb4" | ||
46 | }, | ||
47 | |||
48 | "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", | ||
49 | "padOptions": { | ||
50 | "noColors": false, | ||
51 | "showControls": true, | ||
52 | "showChat": true, | ||
53 | "showLineNumbers": true, | ||
54 | "useMonospaceFont": false, | ||
55 | "userName": false, | ||
56 | "userColor": false, | ||
57 | "rtl": false, | ||
58 | "alwaysShowChat": false, | ||
59 | "chatAndUsers": false, | ||
60 | "lang": "en-gb" | ||
61 | }, | ||
62 | |||
63 | "suppressErrorsInPadText" : false, | ||
64 | "requireSession" : false, | ||
65 | "editOnly" : false, | ||
66 | "sessionNoPassword" : false, | ||
67 | "minify" : true, | ||
68 | "maxAge" : 21600, | ||
69 | "abiword" : null, | ||
70 | "soffice" : "${libreoffice}/bin/soffice", | ||
71 | "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", | ||
72 | "allowUnknownFileEnds" : true, | ||
73 | "requireAuthentication" : false, | ||
74 | "requireAuthorization" : false, | ||
75 | "trustProxy" : false, | ||
76 | "disableIPlogging" : false, | ||
77 | "automaticReconnectionTimeout" : 0, | ||
78 | "scrollWhenFocusLineIsOutOfViewport": { | ||
79 | "percentage": { | ||
80 | "editionAboveViewport": 0, | ||
81 | "editionBelowViewport": 0 | ||
82 | }, | ||
83 | "duration": 0, | ||
84 | "scrollWhenCaretIsInTheLastLineOfViewport": false, | ||
85 | "percentageToScrollWhenUserPressesArrowUp": 0 | ||
86 | }, | ||
87 | "users": { | ||
88 | "ldapauth": { | ||
89 | "url": "ldaps://${env.ldap.host}", | ||
90 | "accountBase": "${env.ldap.base}", | ||
91 | "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", | ||
92 | "displayNameAttribute": "cn", | ||
93 | "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", | ||
94 | "searchPWD": "${env.ldap.password}", | ||
95 | "groupSearchBase": "${env.ldap.base}", | ||
96 | "groupAttribute": "member", | ||
97 | "groupAttributeIsDN": true, | ||
98 | "searchScope": "sub", | ||
99 | "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", | ||
100 | "anonymousReadonly": false | ||
101 | } | ||
102 | }, | ||
103 | "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], | ||
104 | "loadTest": false, | ||
105 | "indentationOnNewLine": false, | ||
106 | "toolbar": { | ||
107 | "left": [ | ||
108 | ["bold", "italic", "underline", "strikethrough"], | ||
109 | ["orderedlist", "unorderedlist", "indent", "outdent"], | ||
110 | ["undo", "redo"], | ||
111 | ["clearauthorship"] | ||
112 | ], | ||
113 | "right": [ | ||
114 | ["importexport", "timeslider", "savedrevision"], | ||
115 | ["settings", "embed"], | ||
116 | ["showusers"] | ||
117 | ], | ||
118 | "timeslider": [ | ||
119 | ["timeslider_export", "timeslider_returnToPad"] | ||
120 | ] | ||
121 | }, | ||
122 | "loglevel": "INFO", | ||
123 | "logconfig" : { "appenders": [ { "type": "console" } ] } | ||
124 | } | ||
125 | ''; | ||
126 | } | ||
127 | ]; | ||
128 | systemd.services.etherpad-lite = { | ||
129 | description = "Etherpad-lite"; | ||
130 | wantedBy = [ "multi-user.target" ]; | ||
131 | after = [ "network.target" "postgresql.service" ]; | ||
132 | wants = [ "postgresql.service" ]; | ||
133 | |||
134 | environment.NODE_ENV = "production"; | ||
135 | environment.HOME = etherpad; | ||
136 | |||
137 | path = [ pkgs.nodejs ]; | ||
138 | |||
139 | script = '' | ||
140 | exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \ | ||
141 | --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \ | ||
142 | --apikey /var/secrets/webapps/tools-etherpad-apikey \ | ||
143 | --settings /var/secrets/webapps/tools-etherpad | ||
144 | ''; | ||
145 | |||
146 | serviceConfig = { | ||
147 | DynamicUser = true; | ||
148 | User = "etherpad-lite"; | ||
149 | Group = "etherpad-lite"; | ||
150 | SupplementaryGroups = "keys"; | ||
151 | WorkingDirectory = etherpad; | ||
152 | PrivateTmp = true; | ||
153 | NoNewPrivileges = true; | ||
154 | PrivateDevices = true; | ||
155 | ProtectHome = true; | ||
156 | ProtectControlGroups = true; | ||
157 | ProtectKernelModules = true; | ||
158 | Restart = "always"; | ||
159 | Type = "simple"; | ||
160 | TimeoutSec = 60; | ||
161 | # Use ReadWritePaths= instead if varDir is outside of /var/lib | ||
162 | StateDirectory="etherpad-lite"; | ||
163 | ExecStartPre = [ | ||
164 | "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized" | ||
165 | "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey" | ||
166 | ]; | ||
167 | }; | ||
168 | }; | ||
169 | |||
170 | services.myWebsites.tools.modules = [ | ||
171 | "headers" "proxy" "proxy_http" "proxy_wstunnel" | ||
172 | ]; | ||
173 | security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null; | ||
174 | services.myWebsites.tools.vhostConfs.etherpad-lite = { | ||
175 | certName = "eldiron"; | ||
176 | hosts = [ "ether.immae.eu" ]; | ||
177 | root = null; | ||
178 | extraConfig = [ '' | ||
179 | Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" | ||
180 | RequestHeader set X-Forwarded-Proto "https" | ||
181 | |||
182 | RewriteEngine On | ||
183 | |||
184 | RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}" | ||
185 | RewriteCond %{QUERY_STRING} "!noredirect" | ||
186 | RewriteCond %{REQUEST_URI} "^(.*)$" | ||
187 | RewriteCond ''${redirects:$1|Unknown} "!Unknown" | ||
188 | RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD] | ||
189 | |||
190 | RewriteCond %{REQUEST_URI} ^/socket.io [NC] | ||
191 | RewriteCond %{QUERY_STRING} transport=websocket [NC] | ||
192 | RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,L] | ||
193 | |||
194 | <IfModule mod_proxy.c> | ||
195 | ProxyVia On | ||
196 | ProxyRequests Off | ||
197 | ProxyPreserveHost On | ||
198 | ProxyPass / http://localhost:${env.listenPort}/ | ||
199 | ProxyPassReverse / http://localhost:${env.listenPort}/ | ||
200 | <Proxy *> | ||
201 | Options FollowSymLinks MultiViews | ||
202 | AllowOverride None | ||
203 | Require all granted | ||
204 | </Proxy> | ||
205 | </IfModule> | ||
206 | '' ]; | ||
207 | }; | ||
208 | }; | ||
209 | } | ||
diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix deleted file mode 100644 index c4685a4..0000000 --- a/nixops/modules/websites/tools/ether/default.nix +++ /dev/null | |||
@@ -1,98 +0,0 @@ | |||
1 | { lib, pkgs, config, myconfig, mylibs, ... }: | ||
2 | let | ||
3 | etherpad = pkgs.callPackage ./etherpad_lite.nix { | ||
4 | inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules; | ||
5 | env = myconfig.env.tools.etherpad-lite; | ||
6 | }; | ||
7 | |||
8 | varDir = etherpad.webappDir.varDir; | ||
9 | cfg = config.services.myWebsites.tools.etherpad-lite; | ||
10 | in { | ||
11 | options.services.myWebsites.tools.etherpad-lite = { | ||
12 | enable = lib.mkEnableOption "enable etherpad's website"; | ||
13 | }; | ||
14 | |||
15 | config = lib.mkIf cfg.enable { | ||
16 | mySecrets.keys = etherpad.keys; | ||
17 | systemd.services.etherpad-lite = { | ||
18 | description = "Etherpad-lite"; | ||
19 | wantedBy = [ "multi-user.target" ]; | ||
20 | after = [ "network.target" "postgresql.service" ]; | ||
21 | wants = [ "postgresql.service" ]; | ||
22 | |||
23 | environment.NODE_ENV = "production"; | ||
24 | environment.HOME = etherpad.webappDir; | ||
25 | |||
26 | path = [ pkgs.nodejs ]; | ||
27 | |||
28 | script = '' | ||
29 | exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \ | ||
30 | --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \ | ||
31 | --apikey /var/secrets/webapps/tools-etherpad-apikey \ | ||
32 | --settings /var/secrets/webapps/tools-etherpad | ||
33 | ''; | ||
34 | |||
35 | serviceConfig = { | ||
36 | DynamicUser = true; | ||
37 | User = "etherpad-lite"; | ||
38 | Group = "etherpad-lite"; | ||
39 | SupplementaryGroups = "keys"; | ||
40 | WorkingDirectory = etherpad.webappDir; | ||
41 | PrivateTmp = true; | ||
42 | NoNewPrivileges = true; | ||
43 | PrivateDevices = true; | ||
44 | ProtectHome = true; | ||
45 | ProtectControlGroups = true; | ||
46 | ProtectKernelModules = true; | ||
47 | Restart = "always"; | ||
48 | Type = "simple"; | ||
49 | TimeoutSec = 60; | ||
50 | # Use ReadWritePaths= instead if varDir is outside of /var/lib | ||
51 | StateDirectory="etherpad-lite"; | ||
52 | ExecStartPre = [ | ||
53 | "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized" | ||
54 | "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey" | ||
55 | ]; | ||
56 | }; | ||
57 | }; | ||
58 | |||
59 | services.myWebsites.tools.modules = [ | ||
60 | "headers" "proxy" "proxy_http" "proxy_wstunnel" | ||
61 | ]; | ||
62 | security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null; | ||
63 | services.myWebsites.tools.vhostConfs.etherpad-lite = { | ||
64 | certName = "eldiron"; | ||
65 | hosts = [ "ether.immae.eu" ]; | ||
66 | root = null; | ||
67 | extraConfig = [ '' | ||
68 | Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" | ||
69 | RequestHeader set X-Forwarded-Proto "https" | ||
70 | |||
71 | RewriteEngine On | ||
72 | |||
73 | RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}" | ||
74 | RewriteCond %{QUERY_STRING} "!noredirect" | ||
75 | RewriteCond %{REQUEST_URI} "^(.*)$" | ||
76 | RewriteCond ''${redirects:$1|Unknown} "!Unknown" | ||
77 | RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD] | ||
78 | |||
79 | RewriteCond %{REQUEST_URI} ^/socket.io [NC] | ||
80 | RewriteCond %{QUERY_STRING} transport=websocket [NC] | ||
81 | RewriteRule /(.*) ws://localhost:${etherpad.listenPort}/$1 [P,L] | ||
82 | |||
83 | <IfModule mod_proxy.c> | ||
84 | ProxyVia On | ||
85 | ProxyRequests Off | ||
86 | ProxyPreserveHost On | ||
87 | ProxyPass / http://localhost:${etherpad.listenPort}/ | ||
88 | ProxyPassReverse / http://localhost:${etherpad.listenPort}/ | ||
89 | <Proxy *> | ||
90 | Options FollowSymLinks MultiViews | ||
91 | AllowOverride None | ||
92 | Require all granted | ||
93 | </Proxy> | ||
94 | </IfModule> | ||
95 | '' ]; | ||
96 | }; | ||
97 | }; | ||
98 | } | ||
diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix deleted file mode 100644 index c6f3704..0000000 --- a/nixops/modules/websites/tools/ether/etherpad_lite.nix +++ /dev/null | |||
@@ -1,126 +0,0 @@ | |||
1 | { env, etherpad-lite, etherpad-lite-modules, writeText, pkgs }: | ||
2 | let | ||
3 | listenPort = env.listenPort; | ||
4 | sessionkey = writeText "SESSIONKEY.txt" env.session_key; | ||
5 | apikey = writeText "APIKEY.txt" env.api_key; | ||
6 | keys = [ | ||
7 | { | ||
8 | dest = "webapps/tools-etherpad-apikey"; | ||
9 | permissions = "0400"; | ||
10 | text = env.api_key; | ||
11 | } | ||
12 | { | ||
13 | dest = "webapps/tools-etherpad-sessionkey"; | ||
14 | permissions = "0400"; | ||
15 | text = env.session_key; | ||
16 | } | ||
17 | { | ||
18 | dest = "webapps/tools-etherpad"; | ||
19 | permissions = "0400"; | ||
20 | text = | ||
21 | # Make sure we’re not rebuilding whole libreoffice just because of a | ||
22 | # dependency | ||
23 | let libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh; | ||
24 | in | ||
25 | '' | ||
26 | { | ||
27 | "title": "Etherpad", | ||
28 | "favicon": "favicon.ico", | ||
29 | |||
30 | "ip": "127.0.0.1", | ||
31 | "port" : ${env.listenPort}, | ||
32 | "showSettingsInAdminPage" : false, | ||
33 | "dbType" : "postgres", | ||
34 | "dbSettings" : { | ||
35 | "user" : "${env.postgresql.user}", | ||
36 | "host" : "${env.postgresql.socket}", | ||
37 | "password": "${env.postgresql.password}", | ||
38 | "database": "${env.postgresql.database}", | ||
39 | "charset" : "utf8mb4" | ||
40 | }, | ||
41 | |||
42 | "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", | ||
43 | "padOptions": { | ||
44 | "noColors": false, | ||
45 | "showControls": true, | ||
46 | "showChat": true, | ||
47 | "showLineNumbers": true, | ||
48 | "useMonospaceFont": false, | ||
49 | "userName": false, | ||
50 | "userColor": false, | ||
51 | "rtl": false, | ||
52 | "alwaysShowChat": false, | ||
53 | "chatAndUsers": false, | ||
54 | "lang": "en-gb" | ||
55 | }, | ||
56 | |||
57 | "suppressErrorsInPadText" : false, | ||
58 | "requireSession" : false, | ||
59 | "editOnly" : false, | ||
60 | "sessionNoPassword" : false, | ||
61 | "minify" : true, | ||
62 | "maxAge" : 21600, | ||
63 | "abiword" : null, | ||
64 | "soffice" : "${libreoffice}/bin/soffice", | ||
65 | "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", | ||
66 | "allowUnknownFileEnds" : true, | ||
67 | "requireAuthentication" : false, | ||
68 | "requireAuthorization" : false, | ||
69 | "trustProxy" : false, | ||
70 | "disableIPlogging" : false, | ||
71 | "automaticReconnectionTimeout" : 0, | ||
72 | "scrollWhenFocusLineIsOutOfViewport": { | ||
73 | "percentage": { | ||
74 | "editionAboveViewport": 0, | ||
75 | "editionBelowViewport": 0 | ||
76 | }, | ||
77 | "duration": 0, | ||
78 | "scrollWhenCaretIsInTheLastLineOfViewport": false, | ||
79 | "percentageToScrollWhenUserPressesArrowUp": 0 | ||
80 | }, | ||
81 | "users": { | ||
82 | "ldapauth": { | ||
83 | "url": "ldaps://${env.ldap.host}", | ||
84 | "accountBase": "${env.ldap.base}", | ||
85 | "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", | ||
86 | "displayNameAttribute": "cn", | ||
87 | "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", | ||
88 | "searchPWD": "${env.ldap.password}", | ||
89 | "groupSearchBase": "${env.ldap.base}", | ||
90 | "groupAttribute": "member", | ||
91 | "groupAttributeIsDN": true, | ||
92 | "searchScope": "sub", | ||
93 | "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", | ||
94 | "anonymousReadonly": false | ||
95 | } | ||
96 | }, | ||
97 | "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], | ||
98 | "loadTest": false, | ||
99 | "indentationOnNewLine": false, | ||
100 | "toolbar": { | ||
101 | "left": [ | ||
102 | ["bold", "italic", "underline", "strikethrough"], | ||
103 | ["orderedlist", "unorderedlist", "indent", "outdent"], | ||
104 | ["undo", "redo"], | ||
105 | ["clearauthorship"] | ||
106 | ], | ||
107 | "right": [ | ||
108 | ["importexport", "timeslider", "savedrevision"], | ||
109 | ["settings", "embed"], | ||
110 | ["showusers"] | ||
111 | ], | ||
112 | "timeslider": [ | ||
113 | ["timeslider_export", "timeslider_returnToPad"] | ||
114 | ] | ||
115 | }, | ||
116 | "loglevel": "INFO", | ||
117 | "logconfig" : { "appenders": [ { "type": "console" } ] } | ||
118 | } | ||
119 | ''; | ||
120 | } | ||
121 | ]; | ||
122 | webappDir = etherpad-lite.withModules (builtins.attrValues etherpad-lite-modules); | ||
123 | in | ||
124 | { | ||
125 | inherit webappDir keys listenPort; | ||
126 | } | ||