From 1feea3fe58cbaa709bdf91925860c2c96680e61d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sun, 23 May 2021 22:07:22 +0200 Subject: Add cryptpad to ressourcerie banon --- .../websites/ressourcerie_banon/cryptpad.nix | 117 ++++++++++++++++++++- 1 file changed, 114 insertions(+), 3 deletions(-) (limited to 'modules') diff --git a/modules/private/websites/ressourcerie_banon/cryptpad.nix b/modules/private/websites/ressourcerie_banon/cryptpad.nix index 961302d..09e938b 100644 --- a/modules/private/websites/ressourcerie_banon/cryptpad.nix +++ b/modules/private/websites/ressourcerie_banon/cryptpad.nix @@ -1,7 +1,31 @@ { lib, pkgs, config, ... }: let cfg = config.myServices.websites.ressourcerie_banon.cryptpad; - configFile = "${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js"; + port = config.myEnv.ports.cryptpad_ressourcerie_banon; + configFile = pkgs.writeText "config.js" '' + // ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js + module.exports = { + httpUnsafeOrigin: 'https://${domain}', + httpPort: ${toString port}, + adminEmail: 'devnull@mail.immae.eu', + filePath: './datastore/', + archivePath: './data/archive', + pinPath: './data/pins', + taskPath: './data/tasks', + blockPath: './block', + blobPath: './blob', + blobStagingPath: './data/blobstage', + decreePath: './data/decrees', + logPath: './data/logs', + logToStdout: false, + logLevel: 'info', + logFeedback: false, + verbose: false, + }; + ''; + domain = "pad.le-garage-autonome.org"; + api_domain = "pad.le-garage-autonome.org"; + files_domain = "pad.le-garage-autonome.org"; in { options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad"; @@ -23,11 +47,98 @@ in { WorkingDirectory = "%S/cryptpad/ressourcerie_banon"; }; }; + services.websites.env.production.modules = [ "proxy_wstunnel" ]; services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = { certName = "ressourcerie_banon"; addToCerts = true; - hosts = ["pad.le-garage-autonome.org"]; - root = null; + hosts = [domain]; + root = "${pkgs.cryptpad}/lib/node_modules/cryptpad"; + extraConfig = [ + '' + RewriteEngine On + + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" + Header set X-XSS-Protection "1; mode=block" + Header set X-Content-Type-Options "nosniff" + Header set Access-Control-Allow-Origin "*" + Header set Permissions-Policy "interest-cohort=()" + + Header set Cross-Origin-Resource-Policy "cross-origin" + + Header set Cross-Origin-Opener-Policy "same-origin" + + Header set Cross-Origin-Embedder-Policy "require-corp" + + ErrorDocument 404 /customize.dist/404.html + + + Header set Cache-Control "max-age=31536000" + + + Header set Cache-Control "no-cache" + + + SetEnv styleSrc "'unsafe-inline' 'self' ${domain}" + SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}" + SetEnv fontSrc "'self' data: ${domain}" + SetEnv imgSrc "'self' data: * blob: ${domain}" + SetEnv frameSrc "'self' blob:" + SetEnv mediaSrc "'self' data: * blob: ${domain}" + SetEnv childSrc "https://${domain}" + SetEnv workerSrc "https://${domain}" + SetEnv scriptSrc "'self' resource: ${domain}" + + Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;" + + RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC] + RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC] + RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L] + + RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L] + + ProxyPassMatch "^/(api/(config|broadcast).*)$" "http://localhost:${toString port}/$1" + ProxyPassReverse /api http://localhost:${toString port}/api + ProxyPreserveHost On + RequestHeader set X-Real-IP %{REMOTE_ADDR}s + + + Header set Cache-Control "max-age=31536000" + Header set Access-Control-Allow-Origin "*" + Header set Access-Control-Allow-Methods "GET, POST, OPTIONS" + Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length" + Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length" + + RewriteCond %{REQUEST_METHOD} OPTIONS + RewriteRule ^(.*)$ $1 [R=204,L] + + + + Header set Cache-Control "max-age=0" + + + RewriteRule ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ $1/ [R=302,L] + + RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f + RewriteRule (.*) /www/$1 [L] + + RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f + RewriteRule (.*) /www/$1/index.html [L] + + RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f + RewriteRule (.*) /customize.dist/$1 [L] + + + AllowOverride None + Require all granted + DirectoryIndex index.html + + + AllowOverride None + Require all granted + DirectoryIndex index.html + + '' + ]; }; }; } -- cgit v1.2.3