Merge pull request #251687 from martinetd/cryptpad

- [Localsend](https://localsend.org/), an open source cross-platform alternative to AirDrop. Available as [programs.localsend](#opt-programs.localsend.enable).

- [cryptpad](https://cryptpad.org/), a privacy-oriented collaborative platform (docs/drive/etc), has been added back. Available as [services.cryptpad](#opt-services.cryptpad.enable).

- [realm](https://github.com/zhboner/realm), a simple, high performance relay server written in rust. Available as [services.realm.enable](#opt-services.realm.enable).

- [Gotenberg](https://gotenberg.dev), an API server for converting files to PDFs that can be used alongside Paperless-ngx. Available as [services.gotenberg](options.html#opt-services.gotenberg).

  ./services/web-apps/convos.nix

  ./services/web-apps/crabfit.nix

  ./services/web-apps/davis.nix

  ./services/web-apps/cryptpad.nix

  ./services/web-apps/dex.nix

  ./services/web-apps/discourse.nix

  ./services/web-apps/documize.nix

    (mkRemovedOptionModule [ "services" "virtuoso" ] "The corresponding package was removed from nixpkgs.")

    (mkRemovedOptionModule [ "services" "openfire" ] "The corresponding package was removed from nixpkgs.")

    (mkRemovedOptionModule [ "services" "riak" ] "The corresponding package was removed from nixpkgs.")

    (mkRemovedOptionModule [ "services" "cryptpad" ] "The corresponding package was removed from nixpkgs.")

    (mkRemovedOptionModule [ "services" "rtsp-simple-server" ] "Package has been completely rebranded by upstream as mediamtx, and thus the service and the package were renamed in NixOS as well.")

    (mkRemovedOptionModule [ "services" "prayer" ] "The corresponding package was removed from nixpkgs.")

    (mkRemovedOptionModule [ "services" "restya-board" ] "The corresponding package was removed from nixpkgs.")

{

  config,

  lib,

  pkgs,

  ...

}:

let

  cfg = config.services.cryptpad;

  inherit (lib)

    mkIf

    mkMerge

    mkOption

    strings

    types

    ;

  # The Cryptpad configuration file isn't JSON, but a JavaScript source file that assigns a JSON value

  # to a variable.

  cryptpadConfigFile = builtins.toFile "cryptpad_config.js" ''

    module.exports = ${builtins.toJSON cfg.settings}

  '';

  # Derive domain names for Nginx configuration from Cryptpad configuration

  mainDomain = strings.removePrefix "https://" cfg.settings.httpUnsafeOrigin;

  sandboxDomain =

    if cfg.settings.httpSafeOrigin == null then

      mainDomain

    else

      strings.removePrefix "https://" cfg.settings.httpSafeOrigin;

in

{

  options.services.cryptpad = {

    enable = lib.mkEnableOption "cryptpad";

    package = lib.mkPackageOption pkgs "cryptpad" { };

    configureNginx = mkOption {

      description = ''

        Configure Nginx as a reverse proxy for Cryptpad.

        Note that this makes some assumptions on your setup, and sets settings that will

        affect other virtualHosts running on your Nginx instance, if any.

        Alternatively you can configure a reverse-proxy of your choice.

      '';

      type = types.bool;

      default = false;

    };

    settings = mkOption {

      description = ''

        Cryptpad configuration settings.

        See https://github.com/cryptpad/cryptpad/blob/main/config/config.example.js for a more extensive

        reference documentation.

        Test your deployed instance through `https://<domain>/checkup/`.

      '';

      type = types.submodule {

        freeformType = (pkgs.formats.json { }).type;

        options = {

          httpUnsafeOrigin = mkOption {

            type = types.str;

            example = "https://cryptpad.example.com";

            default = "";

            description = "This is the URL that users will enter to load your instance";

          };

          httpSafeOrigin = mkOption {

            type = types.nullOr types.str;

            example = "https://cryptpad-ui.example.com. Apparently optional but recommended.";

            description = "Cryptpad sandbox URL";

          };

          httpAddress = mkOption {

            type = types.str;

            default = "127.0.0.1";

            description = "Address on which the Node.js server should listen";

          };

          httpPort = mkOption {

            type = types.int;

            default = 3000;

            description = "Port on which the Node.js server should listen";

          };

          websocketPort = mkOption {

            type = types.int;

            default = 3003;

            description = "Port for the websocket that needs to be separate";

          };

          maxWorkers = mkOption {

            type = types.nullOr types.int;

            default = null;

            description = "Number of child processes, defaults to number of cores available";

          };

          adminKeys = mkOption {

            type = types.listOf types.str;

            default = [ ];

            description = "List of public signing keys of users that can access the admin panel";

            example = [ "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]" ];

          };

          logToStdout = mkOption {

            type = types.bool;

            default = true;

            description = "Controls whether log output should go to stdout of the systemd service";

          };

          logLevel = mkOption {

            type = types.str;

            default = "info";

            description = "Controls log level";

          };

          blockDailyCheck = mkOption {

            type = types.bool;

            default = true;

            description = ''

              Disable telemetry. This setting is only effective if the 'Disable server telemetry'

              setting in the admin menu has been untouched, and will be ignored by cryptpad once

              that option is set either way.

              Note that due to the service confinement, just enabling the option in the admin

              menu will not be able to resolve DNS and fail; this setting must be set as well.

            '';

          };

          installMethod = mkOption {

            type = types.str;

            default = "nixos";

            description = ''

              Install method is listed in telemetry if you agree to it through the consentToContact

              setting in the admin panel.

            '';

          };

        };

      };

    };

  };

  config = mkIf cfg.enable (mkMerge [

    {

      systemd.services.cryptpad = {

        description = "Cryptpad service";

        wantedBy = [ "multi-user.target" ];

        after = [ "networking.target" ];

        serviceConfig = {

          BindReadOnlyPaths = [

            cryptpadConfigFile

            # apparently needs proc for workers management

            "/proc"

            "/dev/urandom"

          ];

          DynamicUser = true;

          Environment = [

            "CRYPTPAD_CONFIG=${cryptpadConfigFile}"

            "HOME=%S/cryptpad"

          ];

          ExecStart = lib.getExe cfg.package;

          Restart = "always";

          StateDirectory = "cryptpad";

          WorkingDirectory = "%S/cryptpad";

          # security way too many numerous options, from the systemd-analyze security output

          # at end of test: block everything except

          # - SystemCallFiters=@resources is required for node

          # - MemoryDenyWriteExecute for node JIT

          # - RestrictAddressFamilies=~AF_(INET|INET6) / PrivateNetwork to bind to sockets

          # - IPAddressDeny likewise allow localhost if binding to localhost or any otherwise

          # - PrivateUsers somehow service doesn't start with that

          # - DeviceAllow (char-rtc r added by ProtectClock)

          AmbientCapabilities = "";

          CapabilityBoundingSet = "";

          DeviceAllow = "";

          LockPersonality = true;

          NoNewPrivileges = true;

          PrivateDevices = true;

          PrivateTmp = true;

          ProcSubset = "pid";

          ProtectClock = true;

          ProtectControlGroups = true;

          ProtectHome = true;

          ProtectHostname = true;

          ProtectKernelLogs = true;

          ProtectKernelModules = true;

          ProtectKernelTunables = true;

          ProtectProc = "invisible";

          ProtectSystem = "strict";

          RemoveIPC = true;

          RestrictAddressFamilies = [

            "AF_INET"

            "AF_INET6"

          ];

          RestrictNamespaces = true;

          RestrictRealtime = true;

          RestrictSUIDSGID = true;

          RuntimeDirectoryMode = "700";

          SocketBindAllow = [

            "tcp:${builtins.toString cfg.settings.httpPort}"

            "tcp:${builtins.toString cfg.settings.websocketPort}"

          ];

          SocketBindDeny = [ "any" ];

          StateDirectoryMode = "0700";

          SystemCallArchitectures = "native";

          SystemCallFilter = [

            "@pkey"

            "@system-service"

            "~@chown"

            "~@keyring"

            "~@memlock"

            "~@privileged"

            "~@resources"

            "~@setuid"

            "~@timer"

          ];

          UMask = "0077";

        };

        confinement = {

          enable = true;

          binSh = null;

          mode = "chroot-only";

        };

      };

    }

    # block external network access if not phoning home and

    # binding to localhost (default)

    (mkIf

      (

        cfg.settings.blockDailyCheck

        && (builtins.elem cfg.settings.httpAddress [

          "127.0.0.1"

          "::1"

        ])

      )

      {

        systemd.services.cryptpad = {

          serviceConfig = {

            IPAddressAllow = [ "localhost" ];

            IPAddressDeny = [ "any" ];

          };

        };

      }

    )

    # .. conversely allow DNS & TLS if telemetry is explicitly enabled

    (mkIf (!cfg.settings.blockDailyCheck) {

      systemd.services.cryptpad = {

        serviceConfig = {

          BindReadOnlyPaths = [

            "-/etc/resolv.conf"

            "-/run/systemd"

            "/etc/hosts"

            "/etc/ssl/certs/ca-certificates.crt"

          ];

        };

      };

    })

    (mkIf cfg.configureNginx {

      assertions = [

        {

          assertion = cfg.settings.httpUnsafeOrigin != "";

          message = "services.cryptpad.settings.httpUnsafeOrigin is required";

        }

        {

          assertion = strings.hasPrefix "https://" cfg.settings.httpUnsafeOrigin;

          message = "services.cryptpad.settings.httpUnsafeOrigin must start with https://";

        }

        {

          assertion =

            cfg.settings.httpSafeOrigin == null || strings.hasPrefix "https://" cfg.settings.httpSafeOrigin;

          message = "services.cryptpad.settings.httpSafeOrigin must start with https:// (or be unset)";

        }

      ];

      services.nginx = {

        enable = true;

        recommendedTlsSettings = true;

        recommendedProxySettings = true;

        recommendedOptimisation = true;

        recommendedGzipSettings = true;

        virtualHosts = mkMerge [

          {

            "${mainDomain}" = {

              serverAliases = lib.optionals (cfg.settings.httpSafeOrigin != null) [ sandboxDomain ];

              enableACME = lib.mkDefault true;

              forceSSL = true;

              locations."/" = {

                proxyPass = "http://${cfg.settings.httpAddress}:${builtins.toString cfg.settings.httpPort}";

                extraConfig = ''

                  client_max_body_size 150m;

                '';

              };

              locations."/cryptpad_websocket" = {

                proxyPass = "http://${cfg.settings.httpAddress}:${builtins.toString cfg.settings.websocketPort}";

                proxyWebsockets = true;

              };

            };

          }

        ];

      };

    })

  ]);

}

  couchdb = handleTest ./couchdb.nix {};

  crabfit = handleTest ./crabfit.nix {};

  cri-o = handleTestOn ["aarch64-linux" "x86_64-linux"] ./cri-o.nix {};

  cryptpad = runTest ./cryptpad.nix;

  cups-pdf = handleTest ./cups-pdf.nix {};

  curl-impersonate = handleTest ./curl-impersonate.nix {};

  custom-ca = handleTest ./custom-ca.nix {};