public-cof: fix cryptpad

This commit is contained in:
Raito Bezarius 2021-11-20 21:01:42 +01:00
parent 5e24c6c8c7
commit d8a577b078
3 changed files with 32 additions and 41 deletions


@ -13,7 +13,7 @@
./nur.nix ./nur.nix
# ./factorio.nix # TODO # ./factorio.nix # TODO
./nginx.nix ./nginx.nix
# ./cryptpad.nix ./cryptpad.nix
./hedgedoc.nix ./hedgedoc.nix
./secrets ./secrets
# TODO monitoring # TODO monitoring


@ -40,7 +40,7 @@ module.exports = {
* cryptpad/docs/example.nginx.conf (see the $main_domain variable) * cryptpad/docs/example.nginx.conf (see the $main_domain variable)
* *
*/ */
httpUnsafeOrigin: 'http://localhost:3000/', httpUnsafeOrigin: 'https://pads.beta.rz.ens.wtf/',
/* httpSafeOrigin is the URL that is used for the 'sandbox' described above. /* httpSafeOrigin is the URL that is used for the 'sandbox' described above.
* If you're testing or developing with CryptPad on your local machine then * If you're testing or developing with CryptPad on your local machine then
@ -58,7 +58,7 @@ module.exports = {
* *
* CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
*/ */
// httpSafeOrigin: "https://some-other-domain.xyz", httpSafeOrigin: "https://sandbox.pads.beta.rz.ens.wtf",
/* httpAddress specifies the address on which the nodejs server /* httpAddress specifies the address on which the nodejs server
* should be accessible. By default it will listen on 127.0.0.1 * should be accessible. By default it will listen on 127.0.0.1
@ -102,11 +102,11 @@ module.exports = {
* which can be found on the settings page for registered users. * which can be found on the settings page for registered users.
* Entries should be strings separated by a comma. * Entries should be strings separated by a comma.
*/ */
/*
adminKeys: [ adminKeys: [
//"https://my.awesome.website/user/#/1/cryptpad-user1/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=", "https://pads.beta.rz.ens.wtf/user/#/1/raito/W1vJY5Mq+8+5SveZAYe0wYRthS88jQIV-Fwf0s36uas="
], ],
*/
/* CryptPad's administration panel includes a "support" tab /* CryptPad's administration panel includes a "support" tab
* wherein administrators with a secret key can view messages * wherein administrators with a secret key can view messages
@ -154,7 +154,7 @@ module.exports = {
* *
* hint: 50MB is 50 * 1024 * 1024 * hint: 50MB is 50 * 1024 * 1024
*/ */
//defaultStorageLimit: 50 * 1024 * 1024, defaultStorageLimit: 50 * 1024 * 1024,
/* ===================== /* =====================


@ -1,10 +1,12 @@
{ ... }: { pkgs, ... }:
let let
subZone = "beta.rz.ens.wtf"; subZone = "beta.rz.ens.wtf";
main_domain = "pads." + subZone; main_domain = "pads.${subZone}";
api_domain = "api." + main_domain; sandbox_domain = "sandbox.${main_domain}";
files_domain = "files." + main_domain; # TODO: later
sandbox_domain = "sandbox." + main_domain; api_domain = "api.${main_domain}";
files_domain = "files.${main_domain}";
port = 3000;
in in
{ {
services.cryptpad = { services.cryptpad = {
@ -13,17 +15,21 @@ in
}; };
environment.etc."cryptpad/config.js".source = ./cryptpad.js; environment.etc."cryptpad/config.js".source = ./cryptpad.js;
systemd.services.nginx = {
serviceConfig.BindReadOnlyPaths = [
"/var/lib/private/cryptpad:/www/cryptpad"
];
};
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"pads.beta.rz.ens.wtf" = { "${main_domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { serverAliases = [ sandbox_domain ];
"/" = {
proxyPass = "http://localhost:3000";
};
};
/*
extraConfig = '' extraConfig = ''
root ${pkgs.cryptpad}/lib/node_modules/cryptpad;
index index.html;
# CryptPad serves static assets over these two domains. # CryptPad serves static assets over these two domains.
# `main_domain` is what users will enter in their address bar. # `main_domain` is what users will enter in their address bar.
# Privileged computation such as key management is handled in this scope # Privileged computation such as key management is handled in this scope
@ -42,27 +48,12 @@ in
# if you find that a single machine cannot handle all of your users. # if you find that a single machine cannot handle all of your users.
# If you don't use dedicated domains, this can be the same as $main_domain # If you don't use dedicated domains, this can be the same as $main_domain
# If you do, they'll be added as exceptions to any rules which block connections to remote domains. # If you do, they'll be added as exceptions to any rules which block connections to remote domains.
set $api_domain ${api_domain}; set $api_domain ${main_domain};
set $files_domain ${files_domain}; set $files_domain ${main_domain};
server_name ${main_domain} ${sandbox_domain}; server_name ${main_domain} ${sandbox_domain};
# diffie-hellman parameters are used to negotiate keys for your session
# generate strong parameters using the following command
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
# Speeds things up a little bit when resuming a session
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
# You'll need nginx 1.13.0 or better to support TLSv1.3
ssl_protocols TLSv1.2 TLSv1.3;
# https://cipherli.st/
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
# CSS can be dynamically set inline, loaded from the same domain, or from $main_domain # CSS can be dynamically set inline, loaded from the same domain, or from $main_domain
set $styleSrc "'unsafe-inline' 'self' ${main_domain}"; set $styleSrc "'unsafe-inline' 'self' ${main_domain}";
@ -112,7 +103,7 @@ in
# We prefer to serve static content from nginx directly and to leave the API server to handle # We prefer to serve static content from nginx directly and to leave the API server to handle
# the dynamic content that only it can manage. This is primarily an optimization # the dynamic content that only it can manage. This is primarily an optimization
location ^~ /cryptpad_websocket { location ^~ /cryptpad_websocket {
proxy_pass http://localhost:3000; proxy_pass http://localhost:${toString port};
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -138,7 +129,7 @@ in
# the caching variable which is applied to every other resource # the caching variable which is applied to every other resource
# which is loaded during that session. # which is loaded during that session.
location = /api/config { location = /api/config {
proxy_pass http://localhost:3000; proxy_pass http://localhost:${toString port};
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -146,6 +137,7 @@ in
# encrypted blobs are immutable and are thus cached for a year # encrypted blobs are immutable and are thus cached for a year
location ^~ /blob/ { location ^~ /blob/ {
root /www/cryptpad;
if ($request_method = 'OPTIONS') { if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
@ -155,7 +147,6 @@ in
add_header 'Content-Length' 0; add_header 'Content-Length' 0;
return 204; return 204;
} }
add_header Cache-Control max-age=31536000;
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'; add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
@ -167,6 +158,7 @@ in
# these payloads are unlocked via login credentials. They are mutable # these payloads are unlocked via login credentials. They are mutable
# and are thus never cached. They're small enough that it doesn't matter, in any case. # and are thus never cached. They're small enough that it doesn't matter, in any case.
location ^~ /block/ { location ^~ /block/ {
root /www/cryptpad;
add_header Cache-Control max-age=0; add_header Cache-Control max-age=0;
try_files $uri =404; try_files $uri =404;
} }
@ -189,9 +181,8 @@ in
# Finally, serve anything the above exceptions don't govern. # Finally, serve anything the above exceptions don't govern.
try_files /www/$uri /www/$uri/index.html /customize/$uri; try_files /www/$uri /www/$uri/index.html /customize/$uri;
''; '';
*/
}; };
}; };
networking.firewall.allowedTCPPorts = [ 433 80 ]; networking.firewall.allowedTCPPorts = [ 443 80 ];
} }
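Review bot: The new `serviceConfig.BindReadOnlyPaths` entry under `systemd.services.nginx` mounts the whole CryptPad state directory into nginx's mount namespace, while the two `root /www/cryptpad;` lines added in the `/blob/` and `/block/` locations only need those two subtrees; narrowing the mount to `"/var/lib/private/cryptpad/blob:/www/cryptpad/blob"` and `"/var/lib/private/cryptpad/block:/www/cryptpad/block"` keeps everything else under that state directory out of the web server process's reach. This presumes the state directory contains `blob` and `block` subdirectories, which the `root` directives already rely on, and it is worth confirming that the nginx user can read files created by the CryptPad service, since a read-only bind mount does not relax the underlying file permissions. Separately, the `/blob/` location still carries the comment that encrypted blobs "are thus cached for a year", but the `add_header Cache-Control max-age=31536000;` line was dropped from that location; either restore it or update the comment so the two agree. The `api_domain` and `files_domain` let-bindings are now unused because both `set $api_domain` and `set $files_domain` resolve to `main_domain`, so a comment such as `# api_domain/files_domain are reserved for dedicated asset domains; nginx currently serves both from main_domain` next to the `# TODO: later` would make that intent explicit.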