Diffstat (limited to 'modules/private/websites/tools/ether')
-rw-r--r-- | modules/private/websites/tools/ether/default.nix | 175 |
1 files changed, 175 insertions, 0 deletions
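--- /dev/null
+++ b/modules/private/websites/tools/ether/default.nix
@@ -0,0 +1,175 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+env = myconfig.env.tools.etherpad-lite;
+cfg = config.myServices.websites.tools.etherpad-lite;
+# Make sure we’re not rebuilding whole libreoffice just because of a
+# dependency
+libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
+ecfg = config.services.etherpad-lite;
+in {
+options.myServices.websites.tools.etherpad-lite = {
+enable = lib.mkEnableOption "enable etherpad's website";
+};
+
+config = lib.mkIf cfg.enable {
+secrets.keys = [
+{
+dest = "webapps/tools-etherpad-apikey";
+permissions = "0400";
+text = env.api_key;
+}
+{
+dest = "webapps/tools-etherpad-sessionkey";
+permissions = "0400";
+text = env.session_key;
+}
+{
+dest = "webapps/tools-etherpad";
+permissions = "0400";
+text = ''
+{
+"title": "Etherpad",
+"favicon": "favicon.ico",
+
+"ip": "",
+"port" : "${ecfg.sockets.node}",
+"showSettingsInAdminPage" : false,
+"dbType" : "postgres",
+"dbSettings" : {
+"user" : "${env.postgresql.user}",
+"host" : "${env.postgresql.socket}",
+"password": "${env.postgresql.password}",
+"database": "${env.postgresql.database}",
+"charset" : "utf8mb4"
+},
+
+"defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
+"padOptions": {
+"noColors": false,
+"showControls": true,
+"showChat": true,
+"showLineNumbers": true,
+"useMonospaceFont": false,
+"userName": false,
+"userColor": false,
+"rtl": false,
+"alwaysShowChat": false,
+"chatAndUsers": false,
+"lang": "en-gb"
+},
+
+"suppressErrorsInPadText" : false,
+"requireSession" : false,
+"editOnly" : false,
+"sessionNoPassword" : false,
+"minify" : true,
+"maxAge" : 21600,
+"abiword" : null,
+"soffice" : "${libreoffice}/bin/soffice",
+"tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
+"allowUnknownFileEnds" : true,
+"requireAuthentication" : false,
+"requireAuthorization" : false,
+"trustProxy" : false,
+"disableIPlogging" : false,
+"automaticReconnectionTimeout" : 0,
+"scrollWhenFocusLineIsOutOfViewport": {
+"percentage": {
+"editionAboveViewport": 0,
+"editionBelowViewport": 0
+},
+"duration": 0,
+"scrollWhenCaretIsInTheLastLineOfViewport": false,
+"percentageToScrollWhenUserPressesArrowUp": 0
+},
+"users": {
+"ldapauth": {
+"url": "ldaps://${env.ldap.host}",
+"accountBase": "${env.ldap.base}",
+"accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
+"displayNameAttribute": "cn",
+"searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
+"searchPWD": "${env.ldap.password}",
+"groupSearchBase": "${env.ldap.base}",
+"groupAttribute": "member",
+"groupAttributeIsDN": true,
+"searchScope": "sub",
+"groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
+"anonymousReadonly": false
+}
+},
+"socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
+"loadTest": false,
+"indentationOnNewLine": false,
+"toolbar": {
+"left": [
+["bold", "italic", "underline", "strikethrough"],
+["orderedlist", "unorderedlist", "indent", "outdent"],
+["undo", "redo"],
+["clearauthorship"]
+],
+"right": [
+["importexport", "timeslider", "savedrevision"],
+["settings", "embed"],
+["showusers"]
+],
+"timeslider": [
+["timeslider_export", "timeslider_returnToPad"]
+]
+},
+"loglevel": "INFO",
+"logconfig" : { "appenders": [ { "type": "console" } ] }
+}
+'';
+}
+];
+services.etherpad-lite = {
+enable = true;
+modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
+sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
+apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
+configFile = "/var/secrets/webapps/tools-etherpad";
+};
+
+systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
+
+services.websites.tools.modules = [
+"headers" "proxy" "proxy_http" "proxy_wstunnel"
+];
+services.websites.tools.vhostConfs.etherpad-lite = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "ether.immae.eu" ];
+root = null;
+extraConfig = [ ''
+Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+RequestHeader set X-Forwarded-Proto "https"
+
+RewriteEngine On
+
+RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
+RewriteCond %{QUERY_STRING} "!noredirect"
+RewriteCond %{REQUEST_URI} "^(.*)$"
+RewriteCond ''${redirects:$1|Unknown} "!Unknown"
+RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
+
+RewriteCond %{REQUEST_URI} ^/socket.io [NC]
+RewriteCond %{QUERY_STRING} transport=websocket [NC]
+RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]
+
+<IfModule mod_proxy.c>
+ProxyVia On
+ProxyRequests Off
+ProxyPreserveHost On
+ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+<Proxy *>
+Options FollowSymLinks MultiViews
+AllowOverride None
+Require all granted
+</Proxy>
+</IfModule>
+'' ];
+};
+};
+}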
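Review bot: The generated settings leave `"requireAuthentication"` and `"requireAuthorization"` at `false` while `"allowUnknownFileEnds"` is `true` and `"soffice"` points at LibreOffice, so as far as this file shows any visitor of ether.immae.eu can create pads and pass uploads of any file type to the converter; the `ldapauth` block presumably only gates the admin area in this state. If open pads are intended, set `"allowUnknownFileEnds" : false` and say so in a comment above the settings text, otherwise set `"requireAuthentication" : true`. `"trustProxy" : false` also looks inconsistent with the Apache front end that sets `X-Forwarded-Proto`, since with `"disableIPlogging" : false` the logged address and the secure-cookie decision would likely reflect the proxy hop rather than the client. The PostgreSQL and LDAP passwords are spliced into the JSON text unescaped, so a `"` or `\` in either one breaks the file; emitting them as `"password": ${builtins.toJSON env.postgresql.password}` and `"searchPWD": ${builtins.toJSON env.ldap.password}` avoids that. The `soffice` binary is taken from `import <nixpkgs>` rather than the module's `pkgs`, so the program that parses untrusted uploads follows whatever the channel resolves to at evaluation time, which deserves a comment or a pin.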