Diffstat (limited to 'nixops')
-rw-r--r-- | nixops/modules/websites/tools/ether.nix | 51 |
1 files changed, 8 insertions, 43 deletions
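--- a/nixops/modules/websites/tools/ether.nix
+++ b/nixops/modules/websites/tools/ether.nix
@@ -1,9 +1,6 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 let
-etherpad = pkgs.webapps.etherpad-lite.withModules
-(builtins.attrValues pkgs.webapps.etherpad-lite-modules);
 env = myconfig.env.tools.etherpad-lite;
-varDir = etherpad.varDir;
 cfg = config.services.myWebsites.tools.etherpad-lite;
 # Make sure we’re not rebuilding whole libreoffice just because of a
 # dependency
@@ -125,48 +122,16 @@ in {
 '';
 }
 ];
-systemd.services.etherpad-lite = {
-description = "Etherpad-lite";
-wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "postgresql.service" ];
-wants = [ "postgresql.service" ];
-
-environment.NODE_ENV = "production";
-environment.HOME = etherpad;
-
-path = [ pkgs.nodejs ];
-
-script = ''
-exec ${pkgs.nodejs}/bin/node ${etherpad}/src/node/server.js \
---sessionkey /var/secrets/webapps/tools-etherpad-sessionkey \
---apikey /var/secrets/webapps/tools-etherpad-apikey \
---settings /var/secrets/webapps/tools-etherpad
-'';
-
-serviceConfig = {
-DynamicUser = true;
-User = "etherpad-lite";
-Group = "etherpad-lite";
-SupplementaryGroups = "keys";
-WorkingDirectory = etherpad;
-PrivateTmp = true;
-NoNewPrivileges = true;
-PrivateDevices = true;
-ProtectHome = true;
-ProtectControlGroups = true;
-ProtectKernelModules = true;
-Restart = "always";
-Type = "simple";
-TimeoutSec = 60;
-# Use ReadWritePaths= instead if varDir is outside of /var/lib
-StateDirectory="etherpad-lite";
-ExecStartPre = [
-"+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
-"+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir} /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"
-];
-};
+services.etherpad-lite = {
+enable = true;
+modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
+sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
+apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
+configFile = "/var/secrets/webapps/tools-etherpad";
 };
 
+systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
+
 services.myWebsites.tools.modules = [
 "headers" "proxy" "proxy_http" "proxy_wstunnel"
 ];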
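Review bot: The replacement block no longer states any of the sandboxing that the removed unit set explicitly (`DynamicUser`, `NoNewPrivileges`, `PrivateTmp`, `PrivateDevices`, `ProtectHome`, `ProtectControlGroups`, `ProtectKernelModules`); the only `serviceConfig` value kept in this file is `SupplementaryGroups = "keys"`. Whether the `services.etherpad-lite` module applies the same restrictions cannot be seen from this file, so confirm it in the module or pin the ones that matter here, e.g. `systemd.services.etherpad-lite.serviceConfig.NoNewPrivileges = true;`. The removed `ExecStartPre` also chowned the three files under `/var/secrets/webapps/` to the service user, so read access to the session key, API key and settings file now rests on the `keys` group and the files' modes; a comment above the `SupplementaryGroups` line would record that, such as `# secrets under /var/secrets/webapps are read via group "keys"; keep them group-readable and not world-readable`.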