diff options
Diffstat (limited to 'modules/private')
-rw-r--r-- | modules/private/websites/ressourcerie_banon/cryptpad.nix | 117 |
1 files changed, 114 insertions, 3 deletions
diff --git a/modules/private/websites/ressourcerie_banon/cryptpad.nix b/modules/private/websites/ressourcerie_banon/cryptpad.nix index 961302d..09e938b 100644 --- a/modules/private/websites/ressourcerie_banon/cryptpad.nix +++ b/modules/private/websites/ressourcerie_banon/cryptpad.nix | |||
@@ -1,7 +1,31 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | cfg = config.myServices.websites.ressourcerie_banon.cryptpad; | 3 | cfg = config.myServices.websites.ressourcerie_banon.cryptpad; |
4 | configFile = "${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js"; | 4 | port = config.myEnv.ports.cryptpad_ressourcerie_banon; |
5 | configFile = pkgs.writeText "config.js" '' | ||
6 | // ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js | ||
7 | module.exports = { | ||
8 | httpUnsafeOrigin: 'https://${domain}', | ||
9 | httpPort: ${toString port}, | ||
10 | adminEmail: 'devnull@mail.immae.eu', | ||
11 | filePath: './datastore/', | ||
12 | archivePath: './data/archive', | ||
13 | pinPath: './data/pins', | ||
14 | taskPath: './data/tasks', | ||
15 | blockPath: './block', | ||
16 | blobPath: './blob', | ||
17 | blobStagingPath: './data/blobstage', | ||
18 | decreePath: './data/decrees', | ||
19 | logPath: './data/logs', | ||
20 | logToStdout: false, | ||
21 | logLevel: 'info', | ||
22 | logFeedback: false, | ||
23 | verbose: false, | ||
24 | }; | ||
25 | ''; | ||
26 | domain = "pad.le-garage-autonome.org"; | ||
27 | api_domain = "pad.le-garage-autonome.org"; | ||
28 | files_domain = "pad.le-garage-autonome.org"; | ||
5 | in { | 29 | in { |
6 | options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad"; | 30 | options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad"; |
7 | 31 | ||
@@ -23,11 +47,98 @@ in { | |||
23 | WorkingDirectory = "%S/cryptpad/ressourcerie_banon"; | 47 | WorkingDirectory = "%S/cryptpad/ressourcerie_banon"; |
24 | }; | 48 | }; |
25 | }; | 49 | }; |
50 | services.websites.env.production.modules = [ "proxy_wstunnel" ]; | ||
26 | services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = { | 51 | services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = { |
27 | certName = "ressourcerie_banon"; | 52 | certName = "ressourcerie_banon"; |
28 | addToCerts = true; | 53 | addToCerts = true; |
29 | hosts = ["pad.le-garage-autonome.org"]; | 54 | hosts = [domain]; |
30 | root = null; | 55 | root = "${pkgs.cryptpad}/lib/node_modules/cryptpad"; |
56 | extraConfig = [ | ||
57 | '' | ||
58 | RewriteEngine On | ||
59 | |||
60 | Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" | ||
61 | Header set X-XSS-Protection "1; mode=block" | ||
62 | Header set X-Content-Type-Options "nosniff" | ||
63 | Header set Access-Control-Allow-Origin "*" | ||
64 | Header set Permissions-Policy "interest-cohort=()" | ||
65 | |||
66 | Header set Cross-Origin-Resource-Policy "cross-origin" | ||
67 | <If "%{REQUEST_URI} =~ m#^/(sheet|presentation|doc)/.*$#"> | ||
68 | Header set Cross-Origin-Opener-Policy "same-origin" | ||
69 | </If> | ||
70 | Header set Cross-Origin-Embedder-Policy "require-corp" | ||
71 | |||
72 | ErrorDocument 404 /customize.dist/404.html | ||
73 | |||
74 | <If "%{QUERY_STRING} =~ m#ver=.*?#"> | ||
75 | Header set Cache-Control "max-age=31536000" | ||
76 | </If> | ||
77 | <If "%{REQUEST_URI} =~ m#^/.*(\/|\.html)$#"> | ||
78 | Header set Cache-Control "no-cache" | ||
79 | </If> | ||
80 | |||
81 | SetEnv styleSrc "'unsafe-inline' 'self' ${domain}" | ||
82 | SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}" | ||
83 | SetEnv fontSrc "'self' data: ${domain}" | ||
84 | SetEnv imgSrc "'self' data: * blob: ${domain}" | ||
85 | SetEnv frameSrc "'self' blob:" | ||
86 | SetEnv mediaSrc "'self' data: * blob: ${domain}" | ||
87 | SetEnv childSrc "https://${domain}" | ||
88 | SetEnv workerSrc "https://${domain}" | ||
89 | SetEnv scriptSrc "'self' resource: ${domain}" | ||
90 | |||
91 | Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;" | ||
92 | |||
93 | RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC] | ||
94 | RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC] | ||
95 | RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L] | ||
96 | |||
97 | RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L] | ||
98 | |||
99 | ProxyPassMatch "^/(api/(config|broadcast).*)$" "http://localhost:${toString port}/$1" | ||
100 | ProxyPassReverse /api http://localhost:${toString port}/api | ||
101 | ProxyPreserveHost On | ||
102 | RequestHeader set X-Real-IP %{REMOTE_ADDR}s | ||
103 | |||
104 | <LocationMatch /blob/> | ||
105 | Header set Cache-Control "max-age=31536000" | ||
106 | Header set Access-Control-Allow-Origin "*" | ||
107 | Header set Access-Control-Allow-Methods "GET, POST, OPTIONS" | ||
108 | Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length" | ||
109 | Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length" | ||
110 | |||
111 | RewriteCond %{REQUEST_METHOD} OPTIONS | ||
112 | RewriteRule ^(.*)$ $1 [R=204,L] | ||
113 | </LocationMatch> | ||
114 | |||
115 | <LocationMatch /block/> | ||
116 | Header set Cache-Control "max-age=0" | ||
117 | </locationMatch> | ||
118 | |||
119 | RewriteRule ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ $1/ [R=302,L] | ||
120 | |||
121 | RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f | ||
122 | RewriteRule (.*) /www/$1 [L] | ||
123 | |||
124 | RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f | ||
125 | RewriteRule (.*) /www/$1/index.html [L] | ||
126 | |||
127 | RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f | ||
128 | RewriteRule (.*) /customize.dist/$1 [L] | ||
129 | |||
130 | <Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/www> | ||
131 | AllowOverride None | ||
132 | Require all granted | ||
133 | DirectoryIndex index.html | ||
134 | </Directory> | ||
135 | <Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/customize.dist> | ||
136 | AllowOverride None | ||
137 | Require all granted | ||
138 | DirectoryIndex index.html | ||
139 | </Directory> | ||
140 | '' | ||
141 | ]; | ||
31 | }; | 142 | }; |
32 | }; | 143 | }; |
33 | } | 144 | } |