1 files changed, 251 insertions, 0 deletions
diff --git a/systems/eldiron/websites/ether/default.nix b/systems/eldiron/websites/ether/default.nix
new file mode 100644
index 0000000..3993553
--- /dev/null
+++ b/systems/eldiron/websites/ether/default.nix
@@ -0,0 +1,251 @@
+{ lib, pkgs, config, nixpkgsRaw, etherpad-lite, ... }:
+let
+  env = config.myEnv.tools.etherpad-lite;
+  cfg = config.myServices.websites.tools.etherpad-lite;
+  # Make sure we’re not rebuilding whole libreoffice just because of a
+  # dependency
+  libreoffice = nixpkgsRaw.libreoffice-fresh;
+  ecfg = config.services.etherpad-lite;
+in {
+  options.myServices.websites.tools.etherpad-lite = {
+    enable = lib.mkEnableOption "enable etherpad's website";
+  };
+  config = lib.mkIf cfg.enable {
+    myServices.dns.zones."immae.eu".subdomains.ether =
+      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
+    myServices.chatonsProperties.services.etherpad = {
+      file.datetime = "2021-01-04T00:01:00";
+      service = {
+        name = "Etherpad";
+        description = "Éditeur de texte collaboratif en temps réel. on peut y écrire simultanément.";
+        website = "https://ether.immae.eu";
+        logo = "https://ether.immae.eu/favicon.ico";
+        status.level = "OK";
+        status.description = "OK";
+        registration."" = ["NONE" "MEMBER" "CLIENT"];
+        registration.load = "OPEN";
+        install.type = "PACKAGE";
+      };
+      software = {
+        name = "Etherpad";
+        website = "https://etherpad.org/";
+        license.url = "https://github.com/ether/etherpad-lite/blob/develop/LICENSE";
+        license.name = "Apache License Version 2.0";
+        version = ecfg.package.version;
+        source.url = "https://github.com/ether/etherpad-lite";
+        modules = ecfg.package.moduleNames;
+      };
+    };
+    secrets.keys = {
+      "webapps/tools-etherpad-apikey" = {
+        permissions = "0400";
+        text = env.api_key;
+      };
+      "webapps/tools-etherpad-sessionkey" = {
+        permissions = "0400";
+        text = env.session_key;
+      };
+      "webapps/tools-etherpad" = {
+        permissions = "0400";
+        keyDependencies = [ libreoffice ];
+        text = ''
+          {
+            "title": "Etherpad",
+            "favicon": "favicon.ico",
+            "skinName": "colibris",
+            "skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",
+            "ip": "",
+            "port" : "${ecfg.sockets.node}",
+            "showSettingsInAdminPage" : false,
+            "dbType" : "postgres",
+            "dbSettings" : {
+              "user"    : "${env.postgresql.user}",
+              "host"    : "${env.postgresql.socket}",
+              "password": "${env.postgresql.password}",
+              "database": "${env.postgresql.database}",
+              "charset" : "utf8mb4"
+            },
+            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
+            "padOptions": {
+              "noColors": false,
+              "showControls": true,
+              "showChat": true,
+              "showLineNumbers": true,
+              "useMonospaceFont": false,
+              "userName": false,
+              "userColor": false,
+              "rtl": false,
+              "alwaysShowChat": false,
+              "chatAndUsers": false,
+              "lang": "fr"
+            },
+            "suppressErrorsInPadText" : false,
+            "requireSession" : false,
+            "editOnly" : false,
+            "sessionNoPassword" : false,
+            "minify" : false,
+            "maxAge" : 21600,
+            "abiword" : null,
+            "soffice" : "${libreoffice}/bin/soffice",
+            "tidyHtml" : "",
+            "allowUnknownFileEnds" : true,
+            "requireAuthentication" : false,
+            "requireAuthorization" : false,
+            "trustProxy" : true,
+            "disableIPlogging" : false,
+            "automaticReconnectionTimeout" : 0,
+            "scrollWhenFocusLineIsOutOfViewport": {
+              "percentage": {
+                "editionAboveViewport": 0,
+                "editionBelowViewport": 0
+              },
+              "duration": 0,
+              "scrollWhenCaretIsInTheLastLineOfViewport": false,
+              "percentageToScrollWhenUserPressesArrowUp": 0
+            },
+            "users": {
+              "admin": {
+                "password": "${env.adminPassword}",
+                "is_admin": true
+              },
+              "ldapauth": {
+                "hash": "invalid",
+                "url": "ldaps://${env.ldap.host}",
+                "accountBase": "${env.ldap.base}",
+                "accountPattern": "${env.ldap.filter}",
+                "displayNameAttribute": "cn",
+                "searchDN": "${env.ldap.dn}",
+                "searchPWD": "${env.ldap.password}",
+                "groupSearchBase": "${env.ldap.base}",
+                "groupAttribute": "member",
+                "groupAttributeIsDN": true,
+                "searchScope": "sub",
+                "groupSearch": "${env.ldap.group_filter}",
+                "anonymousReadonly": false
+              }
+            },
+            "ep_mypads": {
+              "warning": "This hash is stored in database, changing anything here will not have any consequence",
+              "ldap": {
+                "url": "ldaps://${env.ldap.host}",
+                "bindDN": "${env.ldap.dn}",
+                "bindCredentials": "${env.ldap.password}",
+                "searchBase": "${env.ldap.base}",
+                "searchFilter": "${env.ldap.filter}",
+                "properties": {
+                  "login": "uid",
+                  "email": "mail",
+                  "firstname": "givenName",
+                  "lastname": "sn"
+                },
+                "defaultLang": "fr"
+              }
+            },
+            "ep_comments_page": {
+              "displayCommentAsIcon": true,
+              "highlightSelectedText": true
+            },
+            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
+            "loadTest": false,
+            "indentationOnNewLine": false,
+            "toolbar": {
+              "left": [
+                ["bold", "italic", "underline", "strikethrough"],
+                ["orderedlist", "unorderedlist", "indent", "outdent"],
+                ["undo", "redo"],
+                ["clearauthorship"]
+              ],
+              "right": [
+                ["importexport", "timeslider", "savedrevision"],
+                ["settings", "embed"],
+                ["showusers"]
+              ],
+              "timeslider": [
+                ["timeslider_export", "timeslider_returnToPad"]
+              ]
+            },
+            "loglevel": "INFO",
+            "logconfig" : { "appenders": [ { "type": "console" } ] }
+          }
+        '';
+      };
+    };
+    services.etherpad-lite = {
+      enable = true;
+      package = etherpad-lite.withModules (p: [
+        p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
+        p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
+        p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
+        p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
+        p.ep_previewimages p.ep_ruler p.ep_scrollto
+        p.ep_set_title_on_pad p.ep_subscript_and_superscript
+        p.ep_timesliderdiff
+      ]);
+      modules = [];
+      sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
+      apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
+      configFile = config.secrets.fullPaths."webapps/tools-etherpad";
+    };
+    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
+    systemd.services.etherpad-lite-cleanup.serviceConfig.SupplementaryGroups = "keys";
+    # Needed so that they get in the closure
+    systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];
+    services.filesWatcher.etherpad-lite = {
+      restart = true;
+      paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
+    };
+    services.websites.env.tools.modules = [
+      "headers" "proxy" "proxy_http" "proxy_wstunnel"
+    ];
+    security.acme.certs.eldiron.extraDomainNames = [ "ether.immae.eu" ];
+    services.websites.env.tools.vhostConfs.etherpad-lite = {
+      certName    = "eldiron";
+      hosts       = [ "ether.immae.eu" ];
+      root        = null;
+      extraConfig = [ ''
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+        RequestHeader set X-Forwarded-Proto "https"
+        RewriteEngine On
+        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
+        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
+        RewriteRule /(.*)           unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]
+        <IfModule mod_proxy.c>
+          ProxyVia On
+          ProxyRequests Off
+          ProxyPreserveHost On
+          ProxyPass         / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+          ProxyPassReverse  / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+          <Proxy *>
+            Options FollowSymLinks MultiViews
+            AllowOverride None
+            Require all granted
+          </Proxy>
+        </IfModule>
+      '' ];
+    };
+    myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
+    myServices.monitoring.fromMasterObjects.service = [
+      {
+        service_description = "etherpad website is running on ether.immae.eu";
+        host_name = config.hostEnv.fqdn;
+        use = "external-web-service";
+        check_command = ["check_https" "ether.immae.eu" "/" "<title>Etherpad"];
+        servicegroups = "webstatus-webapps";
+        _webstatus_name = "Etherpad";
+        _webstatus_url = "https://ether.immae.eu/";
+      }
+    ];
+  };
+}

diff --git a/systems/eldiron/websites/ether/default.nix b/systems/eldiron/websites/ether/default.nix new file mode 100644 index 0000000..3993553 --- /dev/null +++ b/systems/eldiron/websites/ether/default.nix
@@ -0,0 +1,251 @@
	1	{ lib, pkgs, config, nixpkgsRaw, etherpad-lite, ... }:
	2	let
	3	env = config.myEnv.tools.etherpad-lite;
	4	cfg = config.myServices.websites.tools.etherpad-lite;
	5	# Make sure we’re not rebuilding whole libreoffice just because of a
	6	# dependency
	7	libreoffice = nixpkgsRaw.libreoffice-fresh;
	8	ecfg = config.services.etherpad-lite;
	9	in {
	10	options.myServices.websites.tools.etherpad-lite = {
	11	enable = lib.mkEnableOption "enable etherpad's website";
	12	};
	13
	14	config = lib.mkIf cfg.enable {
	15	myServices.dns.zones."immae.eu".subdomains.ether =
	16	with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
	17
	18	myServices.chatonsProperties.services.etherpad = {
	19	file.datetime = "2021-01-04T00:01:00";
	20	service = {
	21	name = "Etherpad";
	22	description = "Éditeur de texte collaboratif en temps réel. on peut y écrire simultanément.";
	23	website = "https://ether.immae.eu";
	24	logo = "https://ether.immae.eu/favicon.ico";
	25	status.level = "OK";
	26	status.description = "OK";
	27	registration."" = ["NONE" "MEMBER" "CLIENT"];
	28	registration.load = "OPEN";
	29	install.type = "PACKAGE";
	30	};
	31	software = {
	32	name = "Etherpad";
	33	website = "https://etherpad.org/";
	34	license.url = "https://github.com/ether/etherpad-lite/blob/develop/LICENSE";
	35	license.name = "Apache License Version 2.0";
	36	version = ecfg.package.version;
	37	source.url = "https://github.com/ether/etherpad-lite";
	38	modules = ecfg.package.moduleNames;
	39	};
	40	};
	41	secrets.keys = {
	42	"webapps/tools-etherpad-apikey" = {
	43	permissions = "0400";
	44	text = env.api_key;
	45	};
	46	"webapps/tools-etherpad-sessionkey" = {
	47	permissions = "0400";
	48	text = env.session_key;
	49	};
	50	"webapps/tools-etherpad" = {
	51	permissions = "0400";
	52	keyDependencies = [ libreoffice ];
	53	text = ''
	54	{
	55	"title": "Etherpad",
	56	"favicon": "favicon.ico",
	57	"skinName": "colibris",
	58	"skinVariants": "dark-toolbar light-background super-light-editor full-width-editor",
	59
	60	"ip": "",
	61	"port" : "${ecfg.sockets.node}",
	62	"showSettingsInAdminPage" : false,
	63	"dbType" : "postgres",
	64	"dbSettings" : {
	65	"user" : "${env.postgresql.user}",
	66	"host" : "${env.postgresql.socket}",
	67	"password": "${env.postgresql.password}",
	68	"database": "${env.postgresql.database}",
	69	"charset" : "utf8mb4"
	70	},
	71
	72	"defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
	73	"padOptions": {
	74	"noColors": false,
	75	"showControls": true,
	76	"showChat": true,
	77	"showLineNumbers": true,
	78	"useMonospaceFont": false,
	79	"userName": false,
	80	"userColor": false,
	81	"rtl": false,
	82	"alwaysShowChat": false,
	83	"chatAndUsers": false,
	84	"lang": "fr"
	85	},
	86
	87	"suppressErrorsInPadText" : false,
	88	"requireSession" : false,
	89	"editOnly" : false,
	90	"sessionNoPassword" : false,
	91	"minify" : false,
	92	"maxAge" : 21600,
	93	"abiword" : null,
	94	"soffice" : "${libreoffice}/bin/soffice",
	95	"tidyHtml" : "",
	96	"allowUnknownFileEnds" : true,
	97	"requireAuthentication" : false,
	98	"requireAuthorization" : false,
	99	"trustProxy" : true,
	100	"disableIPlogging" : false,
	101	"automaticReconnectionTimeout" : 0,
	102	"scrollWhenFocusLineIsOutOfViewport": {
	103	"percentage": {
	104	"editionAboveViewport": 0,
	105	"editionBelowViewport": 0
	106	},
	107	"duration": 0,
	108	"scrollWhenCaretIsInTheLastLineOfViewport": false,
	109	"percentageToScrollWhenUserPressesArrowUp": 0
	110	},
	111	"users": {
	112	"admin": {
	113	"password": "${env.adminPassword}",
	114	"is_admin": true
	115	},
	116	"ldapauth": {
	117	"hash": "invalid",
	118	"url": "ldaps://${env.ldap.host}",
	119	"accountBase": "${env.ldap.base}",
	120	"accountPattern": "${env.ldap.filter}",
	121	"displayNameAttribute": "cn",
	122	"searchDN": "${env.ldap.dn}",
	123	"searchPWD": "${env.ldap.password}",
	124	"groupSearchBase": "${env.ldap.base}",
	125	"groupAttribute": "member",
	126	"groupAttributeIsDN": true,
	127	"searchScope": "sub",
	128	"groupSearch": "${env.ldap.group_filter}",
	129	"anonymousReadonly": false
	130	}
	131	},
	132	"ep_mypads": {
	133	"warning": "This hash is stored in database, changing anything here will not have any consequence",
	134	"ldap": {
	135	"url": "ldaps://${env.ldap.host}",
	136	"bindDN": "${env.ldap.dn}",
	137	"bindCredentials": "${env.ldap.password}",
	138	"searchBase": "${env.ldap.base}",
	139	"searchFilter": "${env.ldap.filter}",
	140	"properties": {
	141	"login": "uid",
	142	"email": "mail",
	143	"firstname": "givenName",
	144	"lastname": "sn"
	145	},
	146	"defaultLang": "fr"
	147	}
	148	},
	149	"ep_comments_page": {
	150	"displayCommentAsIcon": true,
	151	"highlightSelectedText": true
	152	},
	153	"socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
	154	"loadTest": false,
	155	"indentationOnNewLine": false,
	156	"toolbar": {
	157	"left": [
	158	["bold", "italic", "underline", "strikethrough"],
	159	["orderedlist", "unorderedlist", "indent", "outdent"],
	160	["undo", "redo"],
	161	["clearauthorship"]
	162	],
	163	"right": [
	164	["importexport", "timeslider", "savedrevision"],
	165	["settings", "embed"],
	166	["showusers"]
	167	],
	168	"timeslider": [
	169	["timeslider_export", "timeslider_returnToPad"]
	170	]
	171	},
	172	"loglevel": "INFO",
	173	"logconfig" : { "appenders": [ { "type": "console" } ] }
	174	}
	175	'';
	176	};
	177	};
	178	services.etherpad-lite = {
	179	enable = true;
	180	package = etherpad-lite.withModules (p: [
	181	p.ep_align p.ep_bookmark p.ep_colors p.ep_comments_page
	182	p.ep_cursortrace p.ep_delete_empty_pads p.ep_embedmedia
	183	p.ep_font_size p.ep_headings2 p.ep_immae_buttons p.ep_ldapauth
	184	p.ep_line_height p.ep_markdown p.ep_mypads p.ep_page_view
	185	p.ep_previewimages p.ep_ruler p.ep_scrollto
	186	p.ep_set_title_on_pad p.ep_subscript_and_superscript
	187	p.ep_timesliderdiff
	188	]);
	189	modules = [];
	190	sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
	191	apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
	192	configFile = config.secrets.fullPaths."webapps/tools-etherpad";
	193	};
	194
	195	systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
	196	systemd.services.etherpad-lite-cleanup.serviceConfig.SupplementaryGroups = "keys";
	197	# Needed so that they get in the closure
	198	systemd.services.etherpad-lite.path = [ libreoffice pkgs.html-tidy ];
	199
	200	services.filesWatcher.etherpad-lite = {
	201	restart = true;
	202	paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
	203	};
	204
	205	services.websites.env.tools.modules = [
	206	"headers" "proxy" "proxy_http" "proxy_wstunnel"
	207	];
	208	security.acme.certs.eldiron.extraDomainNames = [ "ether.immae.eu" ];
	209	services.websites.env.tools.vhostConfs.etherpad-lite = {
	210	certName = "eldiron";
	211	hosts = [ "ether.immae.eu" ];
	212	root = null;
	213	extraConfig = [ ''
	214	Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
	215	RequestHeader set X-Forwarded-Proto "https"
	216
	217	RewriteEngine On
	218
	219	RewriteCond %{REQUEST_URI} ^/socket.io [NC]
	220	RewriteCond %{QUERY_STRING} transport=websocket [NC]
	221	RewriteRule /(.*) unix://${ecfg.sockets.node}\|ws://ether.immae.eu/$1 [P,NE,QSA,L]
	222
	223	<IfModule mod_proxy.c>
	224	ProxyVia On
	225	ProxyRequests Off
	226	ProxyPreserveHost On
	227	ProxyPass / unix://${ecfg.sockets.node}\|http://ether.immae.eu/
	228	ProxyPassReverse / unix://${ecfg.sockets.node}\|http://ether.immae.eu/
	229	<Proxy *>
	230	Options FollowSymLinks MultiViews
	231	AllowOverride None
	232	Require all granted
	233	</Proxy>
	234	</IfModule>
	235	'' ];
	236	};
	237	myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
	238	myServices.monitoring.fromMasterObjects.service = [
	239	{
	240	service_description = "etherpad website is running on ether.immae.eu";
	241	host_name = config.hostEnv.fqdn;
	242	use = "external-web-service";
	243	check_command = ["check_https" "ether.immae.eu" "/" "<title>Etherpad"];
	244
	245	servicegroups = "webstatus-webapps";
	246	_webstatus_name = "Etherpad";
	247	_webstatus_url = "https://ether.immae.eu/";
	248	}
	249	];
	250	};
	251	}