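{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # Etherpad-lite webapp (package + modules) built with the per-deployment
  # environment; it exposes webappDir, listenPort and the secret `keys` below.
  etherpad = pkgs.callPackage ./etherpad_lite.nix {
    inherit (pkgs.webapps) etherpad-lite etherpad-lite-modules;
    env = myconfig.env.tools.etherpad-lite;
  };

  varDir = etherpad.webappDir.varDir;
  cfg = config.services.myWebsites.tools.etherpad-lite;

  # Secret files provisioned by `mySecrets.keys` (from etherpad.keys) and
  # handed to the daemon by path on its command line.
  secretsDir     = "/var/secrets/webapps";
  sessionKeyFile = "${secretsDir}/tools-etherpad-sessionkey";
  apiKeyFile     = "${secretsDir}/tools-etherpad-apikey";
  settingsFile   = "${secretsDir}/tools-etherpad";
in {
  options.services.myWebsites.tools.etherpad-lite = {
    enable = lib.mkEnableOption "enable etherpad's website";
  };

  config = lib.mkIf cfg.enable {
    mySecrets.keys = etherpad.keys;

    systemd.services.etherpad-lite = {
      description = "Etherpad-lite";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "postgresql.service" ];
      wants = [ "postgresql.service" ];

      environment.NODE_ENV = "production";
      environment.HOME = etherpad.webappDir;

      path = [ pkgs.nodejs ];

      # The daemon only binds locally (see the Apache proxy below); every
      # secret is read from a file path rather than passed as an argument value.
      script = ''
        exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
          --sessionkey ${sessionKeyFile} \
          --apikey ${apiKeyFile} \
          --settings ${settingsFile}
      '';

      serviceConfig = {
        # Transient UID/GID allocated by systemd for the lifetime of the
        # service. DynamicUser already implies ProtectSystem=strict,
        # ProtectHome=read-only, PrivateTmp, RemoveIPC and NoNewPrivileges;
        # the ones that matter are restated explicitly below so a reader does
        # not have to know the implication table.
        DynamicUser = true;
        User = "etherpad-lite";
        Group = "etherpad-lite";
        # `keys` is the group the secret files under /var/secrets are shared
        # with (see ExecStartPre for the ownership dance that goes with it).
        SupplementaryGroups = "keys";
        WorkingDirectory = etherpad.webappDir;
        Restart = "always";
        Type = "simple";
        TimeoutSec = 60;
        # Use ReadWritePaths= instead if varDir is outside of /var/lib
        StateDirectory = "etherpad-lite";

        # ---- sandboxing -------------------------------------------------
        # Whole filesystem read-only except StateDirectory (and anything
        # listed in ReadWritePaths=).
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        NoNewPrivileges = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        LockPersonality = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        # Loopback HTTP + PostgreSQL (TCP or unix socket) is all the daemon
        # needs. Add AF_NETLINK here if a plugin turns out to call
        # os.networkInterfaces() (getifaddrs needs it).
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        # The service runs unprivileged; make the empty bounding set explicit.
        CapabilityBoundingSet = "";
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
        # MemoryDenyWriteExecute is deliberately NOT set: node/V8 JIT-compiles
        # and needs writable+executable mappings; enabling it breaks start-up.

        # Commands prefixed with "+" run as root and are exempt from the
        # User=/SystemCallFilter=/RestrictAddressFamilies= settings above.
        ExecStartPre = [
          "+${pkgs.coreutils}/bin/install -d -m 0755 -o etherpad-lite -g etherpad-lite ${varDir}/ep_initialized"
          # State directory: recursive, but coreutils chown -R does not follow
          # symlinks it meets while descending, so a symlink planted by the
          # service user cannot redirect the chown elsewhere.
          "+${pkgs.coreutils}/bin/chown -R etherpad-lite:etherpad-lite ${varDir}"
          # NOTE(review): re-owning persistent secret files to a DynamicUser
          # UID leaves them owned by a UID that systemd may later hand to a
          # different service; it also drops the `keys` group that
          # SupplementaryGroups= was added for. On systemd >= 247 prefer
          # LoadCredential= and point --sessionkey/--apikey/--settings at
          # $CREDENTIALS_DIRECTORY instead; kept as-is here because the
          # secret-file permissions set by mySecrets are not visible in this
          # module.
          "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite ${settingsFile} ${sessionKeyFile} ${apiKeyFile}"
        ];
      };
    };

    services.myWebsites.tools.modules = [
      "headers" "proxy" "proxy_http" "proxy_wstunnel"
    ];
    security.acme.certs."eldiron".extraDomains."ether.immae.eu" = null;

    # Apache front-end. Order of the rewrite rules matters:
    #   1. operator-maintained redirect map (skipped with ?noredirect),
    #   2. socket.io websocket upgrades go to ws:// (mod_proxy_wstunnel),
    #   3. everything else is plain HTTP reverse-proxied to the loopback port.
    # X-Forwarded-Proto is *set* (not merged) so a client cannot spoof it.
    services.myWebsites.tools.vhostConfs.etherpad-lite = {
      certName    = "eldiron";
      hosts       = [ "ether.immae.eu" ];
      root        = null;
      extraConfig = [ ''
        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
        RequestHeader set X-Forwarded-Proto "https"

        RewriteEngine On

        RewriteMap  redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
        RewriteCond %{QUERY_STRING}         "!noredirect"
        RewriteCond %{REQUEST_URI}          "^(.*)$"
        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
        RewriteRule "^(.*)$"                ''${redirects:$1}  [L,NE,R=301,QSD]

        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
        RewriteRule /(.*)           ws://localhost:${etherpad.listenPort}/$1 [P,L]

        <IfModule mod_proxy.c>
          ProxyVia On
          ProxyRequests Off
          ProxyPreserveHost On
          ProxyPass         / http://localhost:${etherpad.listenPort}/
          ProxyPassReverse  / http://localhost:${etherpad.listenPort}/
          <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride None
            Require all granted
          </Proxy>
        </IfModule>
      '' ];
    };
  };
}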