Diffstat (limited to 'nixops/modules/websites/tools/ether/default.nix')
-rw-r--r-- | nixops/modules/websites/tools/ether/default.nix | 89 |
1 files changed, 89 insertions, 0 deletions
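--- /dev/null
+++ b/nixops/modules/websites/tools/ether/default.nix
@@ -0,0 +1,89 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+etherpad = pkgs.callPackage ./etherpad_lite.nix {
+inherit (mylibs) fetchedGithub;
+env = myconfig.env.tools.etherpad-lite;
+};
+
+cfg = config.services.myWebsites.tools.etherpad-lite;
+in {
+options.services.myWebsites.tools.etherpad-lite = {
+enable = lib.mkEnableOption "enable etherpad's website";
+};
+
+config = lib.mkIf cfg.enable {
+systemd.services.etherpad-lite = {
+description = "Etherpad-lite";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" "postgresql.service" ];
+wants = [ "postgresql.service" ];
+
+environment.NODE_ENV = "production";
+environment.HOME = etherpad.webappDir;
+
+path = [ pkgs.nodejs ];
+
+script = ''
+exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
+--settings ${etherpad.config}
+'';
+
+serviceConfig = {
+DynamicUser = true;
+User = "etherpad-lite";
+Group = "etherpad-lite";
+WorkingDirectory = etherpad.webappDir;
+PrivateTmp = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+ProtectHome = true;
+ProtectControlGroups = true;
+ProtectKernelModules = true;
+Restart = "always";
+Type = "simple";
+TimeoutSec = 60;
+};
+};
+
+services.myWebsites.tools.modules = [
+"headers" "proxy" "proxy_http" "proxy_wstunnel"
+];
+security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;
+services.myWebsites.tools.vhostConfs.etherpad-lite = {
+certName = "eldiron";
+hosts = [ "ether.immae.eu" ];
+root = null;
+extraConfig = [ ''
+Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+RequestHeader set X-Forwarded-Proto "https"
+
+RewriteEngine On
+
+RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
+RewriteCond %{QUERY_STRING} "!noredirect"
+RewriteCond %{REQUEST_URI} "^(.*)$"
+RewriteCond ''${redirects:$1|Unknown} "!Unknown"
+RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
+
+RewriteCond %{REQUEST_URI} ^/socket.io [NC]
+RewriteCond %{QUERY_STRING} transport=websocket [NC]
+RewriteRule /(.*) ws://localhost:${etherpad.listenPort}/$1 [P,L]
+
+<IfModule mod_proxy.c>
+ProxyVia On
+ProxyRequests Off
+ProxyPreserveHost On
+ProxyPass / http://localhost:${etherpad.listenPort}/
+ProxyPassReverse / http://localhost:${etherpad.listenPort}/
+ProxyPass /socket.io ws://localhost:${etherpad.listenPort}/socket.io
+ProxyPassReverse /socket.io ws://localhost:${etherpad.listenPort}/socket.io
+<Proxy *>
+Options FollowSymLinks MultiViews
+AllowOverride None
+Require all granted
+</Proxy>
+</IfModule>
+'' ];
+};
+};
+}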
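Review bot: The unit starts node with `--settings ${etherpad.config}`, which looks like a Nix store path; etherpad_lite.nix is not shown here, but if that file is rendered from `myconfig.env.tools.etherpad-lite`, the database password and any admin credentials in it end up world-readable under /nix/store. Because the service already uses `DynamicUser = true`, a root-owned file kept outside the store can be handed to it with `LoadCredential = "settings.json:<path-outside-store>";` and read via `--settings "$CREDENTIALS_DIRECTORY/settings.json"`. Separately, in `extraConfig` the line `ProxyPass /` is declared before `ProxyPass /socket.io`, and ProxyPass rules are checked in configuration order, so the `ws://` rule is never reached and WebSocket traffic depends only on the RewriteRule above it; put the longer path first or drop the dead rule.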