infrastructure/machines/public-cof/cryptpad.nix

{ ... }:
let
  subZone = "beta.rz.ens.wtf";
  main_domain = "pads." + subZone;
  api_domain = "api." + main_domain;
  files_domain = "files." + main_domain;
  sandbox_domain = "sandbox." + main_domain;
in
{
  services.cryptpad = {
    enable = true;
    configFile = "/etc/cryptpad/config.js";
  };
  environment.etc."cryptpad/config.js".source = ./cryptpad.js;

  services.nginx.virtualHosts = {
    "pads.beta.rz.ens.wtf" = {
      forceSSL = true;
      enableACME = true;
      locations = {
        "/" = {
          proxyPass = "http://localhost:3000";
        };
      };
      /*
      extraConfig = ''
        # CryptPad serves static assets over these two domains.
        # `main_domain` is what users will enter in their address bar.
        # Privileged computation such as key management is handled in this scope
        # UI content is loaded via the `sandbox_domain`.
        # "Content Security Policy" headers prevent content loaded via the sandbox
        # from accessing privileged information.
        # These variables must be different to take advantage of CryptPad's sandboxing techniques.
        # In the event of an XSS vulnerability in CryptPad's front-end code
        # this will limit the amount of information accessible to attackers.
        set $main_domain ${main_domain};
        set $sandbox_domain ${sandbox_domain};

        # CryptPad's dynamic content (websocket traffic and encrypted blobs)
        # can be served over separate domains. Using dedicated domains (or subdomains)
        # for these purposes allows you to move them to a separate machine at a later date
        # if you find that a single machine cannot handle all of your users.
        # If you don't use dedicated domains, this can be the same as $main_domain
        # If you do, they'll be added as exceptions to any rules which block connections to remote domains.
        set $api_domain ${api_domain};
        set $files_domain ${files_domain};


        server_name ${main_domain} ${sandbox_domain};

        # diffie-hellman parameters are used to negotiate keys for your session
        # generate strong parameters using the following command
        ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096

        # Speeds things up a little bit when resuming a session
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;

        # You'll need nginx 1.13.0 or better to support TLSv1.3
        ssl_protocols TLSv1.2 TLSv1.3;

        # https://cipherli.st/
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

        # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
        set $styleSrc   "'unsafe-inline' 'self' ${main_domain}";

        # connect-src restricts URLs which can be loaded using script interfaces
        set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";

        # fonts can be loaded from data-URLs or the main domain
        set $fontSrc    "'self' data: ${main_domain}";

        # images can be loaded from anywhere, though we'd like to deprecate this as it allows the use of images for tracking
        set $imgSrc     "'self' data: * blob: ${main_domain}";

        # frame-src specifies valid sources for nested browsing contexts.
        # this prevents loading any iframes from anywhere other than the sandbox domain
        set $frameSrc   "'self' ${sandbox_domain} blob:";

        # specifies valid sources for loading media using video or audio
        set $mediaSrc   "'self' data: * blob: ${main_domain}";

        # defines valid sources for webworkers and nested browser contexts
        # deprecated in favour of worker-src and frame-src
        set $childSrc   "https://${main_domain}";

        # specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
        # supercedes child-src but is unfortunately not yet universally supported.
        set $workerSrc  "https://${main_domain}";

        # script-src specifies valid sources for javascript, including inline handlers
        set $scriptSrc  "'self' resource: ${main_domain}";

        set $unsafe 0;
        # the following assets are loaded via the sandbox domain
        # they unfortunately still require exceptions to the sandboxing to work correctly.
        if ($uri = "/pad/inner.html") { set $unsafe 1; }
        if ($uri = "/sheet/inner.html") { set $unsafe 1; }
        if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }

        # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
        if ($host != $sandbox_domain) { set $unsafe 0; }

        # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
        if ($unsafe) {
            set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}";
        }

        # The nodejs process can handle all traffic whether accessed over websocket or as static assets
        # We prefer to serve static content from nginx directly and to leave the API server to handle
        # the dynamic content that only it can manage. This is primarily an optimization
        location ^~ /cryptpad_websocket {
            proxy_pass http://localhost:3000;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # WebSocket support (nginx 1.4)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection upgrade;
        }

        location ^~ /customize.dist/ {
            # This is needed in order to prevent infinite recursion between /customize/ and the root
        }
        # try to load customizeable content via /customize/ and fall back to the default content
        # located at /customize.dist/
        # This is what allows you to override behaviour.
        location ^~ /customize/ {
            rewrite ^/customize/(.*)$ $1 break;
            try_files /customize/$uri /customize.dist/$uri;
        }

        # /api/config is loaded once per page load and is used to retrieve
        # the caching variable which is applied to every other resource
        # which is loaded during that session.
        location = /api/config {
            proxy_pass http://localhost:3000;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # encrypted blobs are immutable and are thus cached for a year
        location ^~ /blob/ {
            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Content-Type' 'application/octet-stream; charset=utf-8';
                add_header 'Content-Length' 0;
                return 204;
            }
            add_header Cache-Control max-age=31536000;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            try_files $uri =404;
        }

        # the "block-store" serves encrypted payloads containing users' drive keys
        # these payloads are unlocked via login credentials. They are mutable
        # and are thus never cached. They're small enough that it doesn't matter, in any case.
        location ^~ /block/ {
            add_header Cache-Control max-age=0;
            try_files $uri =404;
        }

        # This block provides an alternative means of loading content
        # otherwise only served via websocket. This is solely for debugging purposes,
        # and is thus not allowed by default.
        #location ^~ /datastore/ {
            #add_header Cache-Control max-age=0;
            #try_files $uri =404;
        #}

        # The nodejs server has some built-in forwarding rules to prevent
        # URLs like /pad from resulting in a 404. This simply adds a trailing slash
        # to a variety of applications.
        location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)$ {
            rewrite ^(.*)$ $1/ redirect;
        }

        # Finally, serve anything the above exceptions don't govern.
        try_files /www/$uri /www/$uri/index.html /customize/$uri;
      '';
      */
    };
  };

  networking.firewall.allowedTCPPorts = [ 433 80 ];
}