
# -----
# Install Etherpad Lite
# -----

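# Add repository for node.js 10.x
#
# The NodeSource setup script is executed as root, so it is saved to a file
# and can be read before it runs. -f makes curl fail on an HTTP error instead
# of handing an error page to bash.
#
# NOTE(review): Node.js 10.x reached end-of-life in April 2021 and no longer
# receives security fixes - check which release line the Etherpad version you
# install requires before adding this repository.
#
_nodesource_setup="$(mktemp)"
curl -fsSL https://deb.nodesource.com/setup_10.x -o "$_nodesource_setup"
less "$_nodesource_setup"
sudo -E bash "$_nodesource_setup"
rm -f -- "$_nodesource_setup"

# Install nodejs
#
apt install -y nodejs

# Create user/group etherpad
#
# A dedicated system account keeps the service away from root and from other
# users' files.
#
_etherpad_user="etherpad"
adduser --system --home=/var/www/etherpad/ --group "$_etherpad_user"

# Become user etherpad
#
# Note: it's a system account, so you have to provide a shell
#
su - "$_etherpad_user" -s /bin/bash

# Get/Install etherpad-lite
#
# NOTE(review): 'master' is a moving branch, so two installs made on different
# days can run different code. --branch also accepts a tag; consider
# '--branch <RELEASE_TAG>' with a release you have checked.
#
# NOTE(review): the systemd unit further down starts
# node_modules/ep_etherpad-lite/node/server.js, which a fresh clone presumably
# does not contain until Etherpad's dependency installation has been run as
# this user - confirm against the README of the checked-out version.
#
git clone --branch master https://github.com/ether/etherpad-lite.git

# Exit from user etherpad
#
exit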

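# Create systemd service file
#
# The delimiter is quoted ('EOF') because nothing in the unit file is meant to
# be expanded by the shell.
#
# systemd only treats a '#' at the start of a line as a comment. In the
# original unit the remark followed 'Restart=always' on the same line, which
# makes it part of the value, so the remark now sits on its own line.
#
# Optional hardening to evaluate for this service: NoNewPrivileges=,
# PrivateTmp=, ProtectSystem= (see systemd.exec(5)); test that plugin
# installation and import/export still work after enabling them.
#
cat <<'EOF' > /etc/systemd/system/etherpad.service
[Unit]
Description=Etherpad-lite, the collaborative editor.
After=syslog.target network.target

[Service]
Type=simple
User=etherpad
Group=etherpad
WorkingDirectory=/var/www/etherpad/etherpad-lite
Environment=NODE_ENV=production
ExecStart=/usr/bin/nodejs /var/www/etherpad/etherpad-lite/node_modules/ep_etherpad-lite/node/server.js
# use mysql plus a complete settings.json to avoid "Service hold-off time over, scheduling restart."
Restart=always

[Install]
WantedBy=multi-user.target
EOF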


# Start etherpad-lite now and at boot time
#
# daemon-reload makes systemd pick up the new unit file; 'enable --now'
# enables the unit for boot and starts it in one call.
#
systemctl daemon-reload
systemctl enable --now etherpad.service


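# NGINX as Proxy etherpad
#
# The here-document below is unquoted on purpose: ${FQHN} and ${HOSTNAME} are
# filled in by the shell, while every nginx variable is written as \$name so
# that it reaches the config file literally.
#
# NOTE(review): assigning HOSTNAME replaces the value bash itself keeps in
# that variable for the rest of this shell session.
#
FQHN="ep-6fwstq-ohv1zato8p.faire-mobilitaet.de"
HOSTNAME="${FQHN%%.*}"

cat <<EOF > "/etc/nginx/sites-available/${FQHN}.conf"
# -- ${FQHN}


upstream etherpad-lite {
   server 127.0.0.1:9001;
}

# Plain HTTP only redirects to HTTPS
server {
   listen 80;
   listen [::]:80;
   server_name ${FQHN};
   rewrite     ^(.*)   https://\$server_name\$1 permanent;
}

# we're in the http context here
map \$http_upgrade \$connection_upgrade {
  default upgrade;
  ''      close;
}

server {

   listen 443 ssl http2;
   listen [::]:443 ssl http2;

   server_name  ${FQHN};

   # - Needed for (automated) updating certificate
   # -
   include snippets/letsencrypt-acme-challenge.conf;


   # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
   #
   # To generate a dhparam.pem file, run in a terminal
   #    openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
   #
   ssl_dhparam /etc/nginx/ssl/dhparam.pem;


   # Enable session resumption to improve https performance
   ssl_session_cache shared:SSL:50m;
   ssl_session_timeout 10m;
   ssl_session_tickets off;


   #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE
   # omit SSLv3 because of POODLE
   # omit  TLSv1 TLSv1.1
   ssl_protocols TLSv1.2 TLSv1.3;

   # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
   # Everything better than SHA1 (deprecated)
   #
   # Only the AEAD (GCM) suites are kept. The CBC suites that used to follow
   # them, including the ones ending in -SHA (SHA1), contradicted the two
   # lines above and are not needed by TLSv1.2 clients that support GCM.
   #
   ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
   ssl_prefer_server_ciphers on;

   ssl_certificate /var/lib/dehydrated/certs/${FQHN}/fullchain.pem;
   ssl_certificate_key /var/lib/dehydrated/certs/${FQHN}/privkey.pem;

   location / {
      #proxy_pass           http://localhost:9001/;
      proxy_pass           http://etherpad-lite;
      # Forwards the backend's Server header to clients; drop this line if
      # the upstream software should not be disclosed.
      proxy_pass_header    Server;
      # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
      proxy_buffering      off;
      proxy_set_header     X-Real-IP \$remote_addr;  # http://wiki.nginx.org/HttpProxyModule
      # Set from \$remote_addr, so a value supplied by the client is replaced
      # rather than passed on to Etherpad.
      proxy_set_header     X-Forwarded-For \$remote_addr; # EP logs to show the actual remote IP
      proxy_set_header     X-Forwarded-Proto \$scheme; # for EP to set secure cookie flag when https is used
      # Host was set twice in this location; once is enough.
      proxy_set_header     Host \$host;  # pass the host header
      proxy_http_version   1.1;  # recommended with keepalive connections
      # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
      proxy_set_header     Upgrade \$http_upgrade;
      proxy_set_header     Connection \$connection_upgrade;

   }

   access_log  /var/log/nginx/${HOSTNAME}.access.log;
   error_log   /var/log/nginx/${HOSTNAME}.error.log;
}
EOF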

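# Enable new etherpad site
#
ln -s "../sites-available/${FQHN}.conf" /etc/nginx/sites-enabled/

# Restart NGINX service
#
# Validate the configuration first: a syntax error or a missing certificate
# or dhparam file would otherwise stop nginx from coming back up and take
# every site on this host offline.
#
nginx -t && systemctl restart nginx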


# -----
# Configure etherpad
# ----

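# Install abiword
#
#  Abiword is needed to get advanced import/export features of pads. Setting
#  it to null disables Abiword and will only allow plain text and HTML
#  import/exports.
#
#  Once enabled, Abiword converts documents uploaded by pad users, so keep
#  the package up to date.
#
apt-get install abiword

cp -a /var/www/etherpad/etherpad-lite/settings.json /var/www/etherpad/etherpad-lite/settings.json.ORIG

# settings.json is about to hold the admin password (step 2 below), so make
# it readable by its owner only.
# NOTE(review): assumes the file belongs to user etherpad because the clone
# was done as that user - confirm before relying on it.
#
chmod 600 /var/www/etherpad/etherpad-lite/settings.json

# Edit settings file 'vim /var/www/etherpad/etherpad-lite/settings.json'
#
# 1.) enable abiword
#    change
#       "abiword": null,
#     to
#       "abiword": "/usr/bin/abiword",
#    (the path has to be a quoted JSON string)
#
# 2.) Uncomment section '"users": {' and set password to make admin settings page
#     available - https://${FQHN}/admin
#     The admin page is served through the public nginx site and can install
#     plugins, so use a long, unique password.
#
# 3.) To suppress error and warning messages being shown in the pad text,
#     change 'suppressErrorsInPadText' to true
#
# NOTE(review): nginx proxies to 127.0.0.1:9001. Check that the "ip" setting
# makes Etherpad listen on the loopback address only, otherwise port 9001 may
# be reachable directly, without TLS. The X-Forwarded-* headers set by nginx
# presumably take effect only with "trustProxy" enabled - verify both in
# settings.json.
#
vim /var/www/etherpad/etherpad-lite/settings.json

# Install the following plugins via admin page
#
# Plugins are third-party packages that run inside the Etherpad server
# process; install only the ones that are needed and keep them updated.
#
#    - adminpads2
#    - delete_after_delay
#    - delete_empty_pads
#    - fileupload
#    - font_color
#    - font_family
#    - font_size
#    - headings2
#    - pad_title
#    - printer
#    - et_title_on_pad
#    - subscript_and_superscript


# Plugin delete_after_delay
#
# Add following code to settings.json
#
#    "ep_delete_after_delay": {
#        "delay": 86400, // one day, in seconds
#        "loop": true,
#        "loopDelay": 3600, // one hour, in seconds
#        "deleteAtStart": true,
#        "text": "The content of this pad has been deleted since it was older than the configured delay."
#    },
#
vim /var/www/etherpad/etherpad-lite/settings.json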