1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
{ lib, pkgs, config, ... }:
let
cfg = config.myServices.websites.ressourcerie_banon.cryptpad;
port = config.myEnv.ports.cryptpad_ressourcerie_banon;
configFile = pkgs.writeText "config.js" ''
// ${pkgs.cryptpad}/lib/node_modules/cryptpad/config/config.example.js
module.exports = {
httpUnsafeOrigin: 'https://${domain}',
httpPort: ${toString port},
adminEmail: 'devnull@mail.immae.eu',
filePath: './datastore/',
archivePath: './data/archive',
pinPath: './data/pins',
taskPath: './data/tasks',
blockPath: './block',
blobPath: './blob',
blobStagingPath: './data/blobstage',
decreePath: './data/decrees',
logPath: './data/logs',
logToStdout: false,
logLevel: 'info',
logFeedback: false,
verbose: false,
};
'';
domain = "pad.le-garage-autonome.org";
api_domain = "pad.le-garage-autonome.org";
files_domain = "pad.le-garage-autonome.org";
in {
options.myServices.websites.ressourcerie_banon.cryptpad.enable = lib.mkEnableOption "Enable Ressourcerie Banon’s cryptpad";
config = lib.mkIf cfg.enable {
systemd.services.cryptpad-ressourcerie_banon = {
description = "Cryptpad Banon Service";
wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ];
serviceConfig = {
DynamicUser = true;
Environment = [
"CRYPTPAD_CONFIG=${configFile}"
"HOME=%S/cryptpad/ressourcerie_banon"
];
ExecStart = "${pkgs.cryptpad}/bin/cryptpad";
PrivateTmp = true;
Restart = "always";
StateDirectory = "cryptpad/ressourcerie_banon";
WorkingDirectory = "%S/cryptpad/ressourcerie_banon";
};
};
services.websites.env.production.modules = [ "proxy_wstunnel" ];
services.websites.env.production.vhostConfs.ressourcerie_banon_cryptpad = {
certName = "ressourcerie_banon";
addToCerts = true;
hosts = [domain];
root = "${pkgs.cryptpad}/lib/node_modules/cryptpad";
extraConfig = [
''
RewriteEngine On
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Access-Control-Allow-Origin "*"
Header set Permissions-Policy "interest-cohort=()"
Header set Cross-Origin-Resource-Policy "cross-origin"
<If "%{REQUEST_URI} =~ m#^/(sheet|presentation|doc)/.*$#">
Header set Cross-Origin-Opener-Policy "same-origin"
</If>
Header set Cross-Origin-Embedder-Policy "require-corp"
ErrorDocument 404 /customize.dist/404.html
<If "%{QUERY_STRING} =~ m#ver=.*?#">
Header set Cache-Control "max-age=31536000"
</If>
<If "%{REQUEST_URI} =~ m#^/.*(\/|\.html)$#">
Header set Cache-Control "no-cache"
</If>
SetEnv styleSrc "'unsafe-inline' 'self' ${domain}"
SetEnv connectSrc "'self' https://${domain} ${domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}"
SetEnv fontSrc "'self' data: ${domain}"
SetEnv imgSrc "'self' data: * blob: ${domain}"
SetEnv frameSrc "'self' blob:"
SetEnv mediaSrc "'self' data: * blob: ${domain}"
SetEnv childSrc "https://${domain}"
SetEnv workerSrc "https://${domain}"
SetEnv scriptSrc "'self' resource: ${domain}"
Header set Content-Security-Policy "default-src 'none'; child-src %{childSrc}e; worker-src %{workerSrc}e; media-src %{mediaSrc}e; style-src %{styleSrc}e; script-src %{scriptSrc}e; connect-src %{connectSrc}e; font-src %{fontSrc}e; img-src %{imgSrc}e; frame-src %{frameSrc}e;"
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://localhost:${toString port}%{REQUEST_URI} [P,NE,QSA,L]
RewriteRule ^/customize/(.*)$ /customize.dist/$1 [L]
ProxyPassMatch "^/(api/(config|broadcast).*)$" "http://localhost:${toString port}/$1"
ProxyPassReverse /api http://localhost:${toString port}/api
ProxyPreserveHost On
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
<LocationMatch /blob/>
Header set Cache-Control "max-age=31536000"
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header set Access-Control-Allow-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
Header set Access-Control-Expose-Headers "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length"
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=204,L]
</LocationMatch>
<LocationMatch /block/>
Header set Cache-Control "max-age=0"
</locationMatch>
RewriteRule ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc)$ $1/ [R=302,L]
RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI} -f
RewriteRule (.*) /www/$1 [L]
RewriteCond %{DOCUMENT_ROOT}/www/%{REQUEST_URI}/index.html -f
RewriteRule (.*) /www/$1/index.html [L]
RewriteCond %{DOCUMENT_ROOT}/customize.dist/%{REQUEST_URI} -f
RewriteRule (.*) /customize.dist/$1 [L]
<Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/www>
AllowOverride None
Require all granted
DirectoryIndex index.html
</Directory>
<Directory ${pkgs.cryptpad}/lib/node_modules/cryptpad/customize.dist>
AllowOverride None
Require all granted
DirectoryIndex index.html
</Directory>
''
];
};
};
}
|
