aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--nixops/modules/websites/default.nix2
-rw-r--r--nixops/modules/websites/tools/ether.nix209
-rw-r--r--nixops/modules/websites/tools/ether/default.nix98
-rw-r--r--nixops/modules/websites/tools/ether/etherpad_lite.nix126
4 files changed, 210 insertions, 225 deletions
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index 06face1..e40c8f4 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -129,7 +129,7 @@ in
129 ./tools/mastodon.nix 129 ./tools/mastodon.nix
130 ./tools/mediagoblin.nix 130 ./tools/mediagoblin.nix
131 ./tools/diaspora.nix 131 ./tools/diaspora.nix
132 ./tools/ether 132 ./tools/ether.nix
133 ./tools/peertube 133 ./tools/peertube
134 # built using: 134 # built using:
135 # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix 135 # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix
new file mode 100644
index 0000000..1c952af
--- /dev/null
+++ b/nixops/modules/websites/tools/ether.nix
@@ -0,0 +1,209 @@
1{ lib, pkgs, config, myconfig, mylibs, ... }:
2let
3 etherpad = pkgs.webapps.etherpad-lite.withModules
4 (builtins.attrValues pkgs.webapps.etherpad-lite-modules);
5 env = myconfig.env.tools.etherpad-lite;
6 varDir = etherpad.varDir;
7 cfg = config.services.myWebsites.tools.etherpad-lite;
8 # Make sure we’re not rebuilding whole libreoffice just because of a
9 # dependency
10 libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
11in {
12 options.services.myWebsites.tools.etherpad-lite = {
13 enable = lib.mkEnableOption "enable etherpad's website";
14 };
15
16 config = lib.mkIf cfg.enable {
17 mySecrets.keys = [
18 {
19 dest = "webapps/tools-etherpad-apikey";
20 permissions = "0400";
21 text = env.api_key;
22 }
23 {
24 dest = "webapps/tools-etherpad-sessionkey";
25 permissions = "0400";
26 text = env.session_key;
27 }
28 {
29 dest = "webapps/tools-etherpad";
30 permissions = "0400";
31 text = ''
32 {
33 "title": "Etherpad",
34 "favicon": "favicon.ico",
35
36 "ip": "127.0.0.1",
37 "port" : ${env.listenPort},
38 "showSettingsInAdminPage" : false,
39 "dbType" : "postgres",
40 "dbSettings" : {
41 "user" : "${env.postgresql.user}",
42 "host" : "${env.postgresql.socket}",
43 "password": "${env.postgresql.password}",
44 "database": "${env.postgresql.database}",
45 "charset" : "utf8mb4"
46 },
47
48 "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
49 "padOptions": {
50 "noColors": false,
51 "showControls": true,
52 "showChat": true,
53 "showLineNumbers": true,
54 "useMonospaceFont": false,
55 "userName": false,
56 "userColor": false,
57 "rtl": false,
58 "alwaysShowChat": false,
59 "chatAndUsers": false,
60 "lang": "en-gb"
61 },
62
63 "suppressErrorsInPadText" : false,
64 "requireSession" : false,
65 "editOnly" : false,
66 "sessionNoPassword" : false,
67 "minify" : true,
68 "maxAge" : 21600,
69 "abiword" : null,
70 "soffice" : "${libreoffice}/bin/soffice",
71 "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
72 "allowUnknownFileEnds" : true,
73 "requireAuthentication" : false,
74 "requireAuthorization" : false,
75 "trustProxy" : false,
76 "disableIPlogging" : false,
77 "automaticReconnectionTimeout" : 0,
78 "scrollWhenFocusLineIsOutOfViewport": {
79 "percentage": {
80 "editionAboveViewport": 0,
81 "editionBelowViewport": 0
82 },
83 "duration": 0,
84 "scrollWhenCaretIsInTheLastLineOfViewport": false,
85 "percentageToScrollWhenUserPressesArrowUp": 0
86 },
87 "users": {
88 "ldapauth": {
89 "url": "ldaps://${env.ldap.host}",
90 "accountBase": "${env.ldap.base}",
91 "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
92 "displayNameAttribute": "cn",
93 "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
94 "searchPWD": "${env.ldap.password}",
95 "groupSearchBase": "${env.ldap.base}",
96 "groupAttribute": "member",
97 "groupAttributeIsDN": true,
98 "searchScope": "sub",
99 "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
100 "anonymousReadonly": false
101 }
102 },
103 "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
104 "loadTest": false,
105 "indentationOnNewLine": false,
106 "toolbar": {
107 "left": [
108 ["bold", "italic", "underline", "strikethrough"],
109 ["orderedlist", "unorderedlist", "indent", "outdent"],
110 ["undo", "redo"],
111 ["clearauthorship"]
112 ],
113 "right": [
114 ["importexport", "timeslider", "savedrevision"],
115 ["settings", "embed"],
116 ["showusers"]
117 ],
118 "timeslider": [
119 ["timeslider_export", "timeslider_returnToPad"]
120 ]
121 },
122 "loglevel": "INFO",
123 "logconfig" : { "appenders": [ { "type": "console" } ] }
124 }
125 '';
126 }
127 ];
128 systemd.services.etherpad-lite = {
129 description = "Etherpad-lite";
130 wantedBy = [ "multi-user.target" ];
131 after = [ "network.target" "postgresql.service" ];
132 wants = [ "postgresql.service" ];
133
134 environment.NODE_ENV = "production";
135 environment.HOME = etherpad;
136
137 path = [ pkgs.nodejs ];
138
139 script = ''
140 exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \
141 --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
142 --apikey /var/secrets/webapps/tools-etherpad-apikey \
143 --settings /var/secrets/webapps/tools-etherpad
144 '';
145
146 serviceConfig = {
147 DynamicUser = true;
148 User = "etherpad-lite";
149 Group = "etherpad-lite";
150 SupplementaryGroups = "keys";
151 WorkingDirectory = etherpad;
152 PrivateTmp = true;
153 NoNewPrivileges = true;
154 PrivateDevices = true;
155 ProtectHome = true;
156 ProtectControlGroups = true;
157 ProtectKernelModules = true;
158 Restart = "always";
159 Type = "simple";
160 TimeoutSec = 60;
161 # Use ReadWritePaths= instead if varDir is outside of /var/lib
162 StateDirectory="etherpad-lite";
163 ExecStartPre = [
164 "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
165 "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
166 ];
167 };
168 };
169
170 services.myWebsites.tools.modules = [
171 "headers" "proxy" "proxy_http" "proxy_wstunnel"
172 ];
173 security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
174 services.myWebsites.tools.vhostConfs.etherpad-lite = {
175 certName = "eldiron";
176 hosts = [ "ether.immae.eu" ];
177 root = null;
178 extraConfig = [ ''
179 Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
180 RequestHeader set X-Forwarded-Proto "https"
181
182 RewriteEngine On
183
184 RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
185 RewriteCond %{QUERY_STRING} "!noredirect"
186 RewriteCond %{REQUEST_URI} "^(.*)$"
187 RewriteCond ''${redirects:$1|Unknown} "!Unknown"
188 RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
189
190 RewriteCond %{REQUEST_URI} ^/socket.io [NC]
191 RewriteCond %{QUERY_STRING} transport=websocket [NC]
192 RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,L]
193
194 <IfModule mod_proxy.c>
195 ProxyVia On
196 ProxyRequests Off
197 ProxyPreserveHost On
198 ProxyPass / http://localhost:${env.listenPort}/
199 ProxyPassReverse / http://localhost:${env.listenPort}/
200 <Proxy *>
201 Options FollowSymLinks MultiViews
202 AllowOverride None
203 Require all granted
204 </Proxy>
205 </IfModule>
206 '' ];
207 };
208 };
209}
diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix
deleted file mode 100644
index c4685a4..0000000
--- a/nixops/modules/websites/tools/ether/default.nix
+++ /dev/null
@@ -1,98 +0,0 @@
1{ lib, pkgs, config, myconfig, mylibs, ... }:
2let
3 etherpad = pkgs.callPackage ./etherpad_lite.nix {
4 inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
5 env = myconfig.env.tools.etherpad-lite;
6 };
7
8 varDir = etherpad.webappDir.varDir;
9 cfg = config.services.myWebsites.tools.etherpad-lite;
10in {
11 options.services.myWebsites.tools.etherpad-lite = {
12 enable = lib.mkEnableOption "enable etherpad's website";
13 };
14
15 config = lib.mkIf cfg.enable {
16 mySecrets.keys = etherpad.keys;
17 systemd.services.etherpad-lite = {
18 description = "Etherpad-lite";
19 wantedBy = [ "multi-user.target" ];
20 after = [ "network.target" "postgresql.service" ];
21 wants = [ "postgresql.service" ];
22
23 environment.NODE_ENV = "production";
24 environment.HOME = etherpad.webappDir;
25
26 path = [ pkgs.nodejs ];
27
28 script = ''
29 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
30 --sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
31 --apikey /var/secrets/webapps/tools-etherpad-apikey \
32 --settings /var/secrets/webapps/tools-etherpad
33 '';
34
35 serviceConfig = {
36 DynamicUser = true;
37 User = "etherpad-lite";
38 Group = "etherpad-lite";
39 SupplementaryGroups = "keys";
40 WorkingDirectory = etherpad.webappDir;
41 PrivateTmp = true;
42 NoNewPrivileges = true;
43 PrivateDevices = true;
44 ProtectHome = true;
45 ProtectControlGroups = true;
46 ProtectKernelModules = true;
47 Restart = "always";
48 Type = "simple";
49 TimeoutSec = 60;
50 # Use ReadWritePaths= instead if varDir is outside of /var/lib
51 StateDirectory="etherpad-lite";
52 ExecStartPre = [
53 "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
54 "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
55 ];
56 };
57 };
58
59 services.myWebsites.tools.modules = [
60 "headers" "proxy" "proxy_http" "proxy_wstunnel"
61 ];
62 security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
63 services.myWebsites.tools.vhostConfs.etherpad-lite = {
64 certName = "eldiron";
65 hosts = [ "ether.immae.eu" ];
66 root = null;
67 extraConfig = [ ''
68 Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
69 RequestHeader set X-Forwarded-Proto "https"
70
71 RewriteEngine On
72
73 RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
74 RewriteCond %{QUERY_STRING} "!noredirect"
75 RewriteCond %{REQUEST_URI} "^(.*)$"
76 RewriteCond ''${redirects:$1|Unknown} "!Unknown"
77 RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
78
79 RewriteCond %{REQUEST_URI} ^/socket.io [NC]
80 RewriteCond %{QUERY_STRING} transport=websocket [NC]
81 RewriteRule /(.*) ws://localhost:${etherpad.listenPort}/$1 [P,L]
82
83 <IfModule mod_proxy.c>
84 ProxyVia On
85 ProxyRequests Off
86 ProxyPreserveHost On
87 ProxyPass / http://localhost:${etherpad.listenPort}/
88 ProxyPassReverse / http://localhost:${etherpad.listenPort}/
89 <Proxy *>
90 Options FollowSymLinks MultiViews
91 AllowOverride None
92 Require all granted
93 </Proxy>
94 </IfModule>
95 '' ];
96 };
97 };
98}
diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix
deleted file mode 100644
index c6f3704..0000000
--- a/nixops/modules/websites/tools/ether/etherpad_lite.nix
+++ /dev/null
@@ -1,126 +0,0 @@
1{ env, etherpad-lite, etherpad-lite-modules, writeText, pkgs }:
2let
3 listenPort = env.listenPort;
4 sessionkey = writeText "SESSIONKEY.txt" env.session_key;
5 apikey = writeText "APIKEY.txt" env.api_key;
6 keys = [
7 {
8 dest = "webapps/tools-etherpad-apikey";
9 permissions = "0400";
10 text = env.api_key;
11 }
12 {
13 dest = "webapps/tools-etherpad-sessionkey";
14 permissions = "0400";
15 text = env.session_key;
16 }
17 {
18 dest = "webapps/tools-etherpad";
19 permissions = "0400";
20 text =
21 # Make sure we’re not rebuilding whole libreoffice just because of a
22 # dependency
23 let libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
24 in
25 ''
26 {
27 "title": "Etherpad",
28 "favicon": "favicon.ico",
29
30 "ip": "127.0.0.1",
31 "port" : ${env.listenPort},
32 "showSettingsInAdminPage" : false,
33 "dbType" : "postgres",
34 "dbSettings" : {
35 "user" : "${env.postgresql.user}",
36 "host" : "${env.postgresql.socket}",
37 "password": "${env.postgresql.password}",
38 "database": "${env.postgresql.database}",
39 "charset" : "utf8mb4"
40 },
41
42 "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
43 "padOptions": {
44 "noColors": false,
45 "showControls": true,
46 "showChat": true,
47 "showLineNumbers": true,
48 "useMonospaceFont": false,
49 "userName": false,
50 "userColor": false,
51 "rtl": false,
52 "alwaysShowChat": false,
53 "chatAndUsers": false,
54 "lang": "en-gb"
55 },
56
57 "suppressErrorsInPadText" : false,
58 "requireSession" : false,
59 "editOnly" : false,
60 "sessionNoPassword" : false,
61 "minify" : true,
62 "maxAge" : 21600,
63 "abiword" : null,
64 "soffice" : "${libreoffice}/bin/soffice",
65 "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
66 "allowUnknownFileEnds" : true,
67 "requireAuthentication" : false,
68 "requireAuthorization" : false,
69 "trustProxy" : false,
70 "disableIPlogging" : false,
71 "automaticReconnectionTimeout" : 0,
72 "scrollWhenFocusLineIsOutOfViewport": {
73 "percentage": {
74 "editionAboveViewport": 0,
75 "editionBelowViewport": 0
76 },
77 "duration": 0,
78 "scrollWhenCaretIsInTheLastLineOfViewport": false,
79 "percentageToScrollWhenUserPressesArrowUp": 0
80 },
81 "users": {
82 "ldapauth": {
83 "url": "ldaps://${env.ldap.host}",
84 "accountBase": "${env.ldap.base}",
85 "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
86 "displayNameAttribute": "cn",
87 "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
88 "searchPWD": "${env.ldap.password}",
89 "groupSearchBase": "${env.ldap.base}",
90 "groupAttribute": "member",
91 "groupAttributeIsDN": true,
92 "searchScope": "sub",
93 "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
94 "anonymousReadonly": false
95 }
96 },
97 "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
98 "loadTest": false,
99 "indentationOnNewLine": false,
100 "toolbar": {
101 "left": [
102 ["bold", "italic", "underline", "strikethrough"],
103 ["orderedlist", "unorderedlist", "indent", "outdent"],
104 ["undo", "redo"],
105 ["clearauthorship"]
106 ],
107 "right": [
108 ["importexport", "timeslider", "savedrevision"],
109 ["settings", "embed"],
110 ["showusers"]
111 ],
112 "timeslider": [
113 ["timeslider_export", "timeslider_returnToPad"]
114 ]
115 },
116 "loglevel": "INFO",
117 "logconfig" : { "appenders": [ { "type": "console" } ] }
118 }
119 '';
120 }
121 ];
122 webappDir = etherpad-lite.withModules (builtins.attrValues etherpad-lite-modules);
123in
124 {
125 inherit webappDir keys listenPort;
126 }