From 176d2a772358f2988ec5749843282d7c9f4a2cdc Mon Sep 17 00:00:00 2001
From: Hunter Haugen <hunter@haugen.email>
Date: Sat, 28 Feb 2026 20:18:17 -0800
Subject: [PATCH] Add etherpad to ruil

---
 hosts/ruil/configuration.nix         |  1 +
 hosts/ruil/modules/etherpad-lite.nix | 51 ++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 hosts/ruil/modules/etherpad-lite.nix

diff --git a/hosts/ruil/configuration.nix b/hosts/ruil/configuration.nix
index 144f8f0..b1ed5f1 100644
--- a/hosts/ruil/configuration.nix
+++ b/hosts/ruil/configuration.nix
@@ -4,6 +4,7 @@
   imports = [
     ./hardware-configuration.nix
     ./modules/vaultwarden.nix
+    ./modules/etherpad-lite.nix
     (modulesPath + "/virtualisation/digital-ocean-config.nix")
   ];
 
diff --git a/hosts/ruil/modules/etherpad-lite.nix b/hosts/ruil/modules/etherpad-lite.nix
new file mode 100644
index 0000000..416d112
--- /dev/null
+++ b/hosts/ruil/modules/etherpad-lite.nix
@@ -0,0 +1,51 @@
+{ pkgs, ... }:
+
+{
+  users.users.etherpad = {
+    isSystemUser = true;
+    group = "etherpad";
+  };
+  users.groups.etherpad = { };
+
+  environment.etc."etherpad-lite/settings.json".text = builtins.toJSON {
+    ip = "127.0.0.1";
+    port = 9001;
+    trustProxy = true;
+    dbType = "rustydb";
+    dbSettings = {
+      filename = "/var/lib/etherpad-lite/rusty.db";
+    };
+  };
+
+  # Etherpad on etherpad.hunner.dev (Cloudflare proxy -> nginx -> localhost:9001).
+  systemd.services.etherpad-lite = {
+    description = "Etherpad Lite";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      User = "etherpad";
+      Group = "etherpad";
+      StateDirectory = "etherpad-lite";
+      WorkingDirectory = "/var/lib/etherpad-lite";
+      ExecStart = "${pkgs.etherpad-lite}/bin/etherpad-lite --settings /etc/etherpad-lite/settings.json --sessionkey /var/lib/etherpad-lite/SESSIONKEY.txt --apikey /var/lib/etherpad-lite/APIKEY.txt";
+      Restart = "on-failure";
+      RestartSec = "5s";
+    };
+  };
+
+  # ACME certificate for Cloudflare Full (strict) origin TLS.
+  services.nginx.virtualHosts."etherpad.hunner.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:9001";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+      extraConfig = ''
+        proxy_read_timeout 360s;
+      '';
+    };
+  };
+}