# NixOS module: nginx virtual host for this machine. It serves two directory
# listings from read-only bind mounts under /var/lib/nginx and drops every
# other request.
#
# NOTE(review): all TLS options and both basicAuthFile lines are commented out,
# so as written the /perso/photo and /perso/camera listings are served over
# plain HTTP without authentication. Whether the listener can be reached from
# outside the LAN depends on firewall rules that are not visible in this file;
# confirm that before treating network placement as the only access control.
{ lib, config, hostName, ... }:
with (import ../networking/names-and-numbers.nix);
let
  inherit (config.networking) domain;

  root = "/var/lib/nginx";

  # Per-vhost log directory. systemd's LogsDirectory= is relative to /var/log,
  # so the same suffix is reused for the nginx log paths below.
  logsDir = "nginx/${domain}/${hostName}";

  # nginx directives shared by both listing locations. The cache is switched
  # off, presumably so listings track changes on the bind-mounted trees.
  listingConfig = ''
    autoindex on;
    #fancyindex on;
    #fancyindex_exact_size off;
    #fancyindex_name_length 255;
    open_file_cache off;
    #open_file_cache_valid 1s;
  '';
in
{
  services.nginx.virtualHosts."${hostName}.${domain}" = {
    # The *IPv4 names come from names-and-numbers.nix; appending ".1"
    # presumably yields this host's address on each interface (TODO confirm).
    serverAliases = map (prefix: "${prefix}.1") [
      wifiIPv4
      eth1IPv4
      eth2IPv4
      eth3IPv4
    ];

    # TLS is currently disabled for this vhost; traffic is cleartext.
    #onlySSL = true;
    #addSSL = true;
    #forceSSL = true;
    #useACMEHost = domain;

    inherit root;

    # The "json" log format name must be declared elsewhere in the nginx
    # configuration; it is not defined in this file.
    extraConfig = ''
      access_log /var/log/${logsDir}/access.json json buffer=32k;
      error_log /var/log/${logsDir}/error.log warn;
    '';

    locations = {
      # Default: 444 is nginx's non-standard code that closes the connection
      # without sending a response, so only the paths below are served.
      "/".extraConfig = ''
        #autoindex on;
        return 444;
      '';

      "/perso/photo" = {
        # Authentication is disabled; re-enable before wider exposure.
        #basicAuthFile = gnupg.secrets."nginx/perso/htpasswd".path;
        extraConfig = listingConfig;
      };

      "/perso/camera" = {
        # Authentication is disabled; re-enable before wider exposure.
        #basicAuthFile = gnupg.secrets."nginx/perso/htpasswd".path;
        extraConfig = listingConfig;
      };
    };
  };

  systemd.services.nginx.serviceConfig = {
    # mkForce replaces, rather than extends, any LogsDirectory set elsewhere.
    LogsDirectory = lib.mkForce [ logsDir ];

    # Read-only bind mounts: nginx can list and read these trees but not
    # modify them. The leading "-" makes systemd skip a missing source path
    # instead of failing the unit.
    BindReadOnlyPaths = [
      "-/mnt/off2/julm/backup/das1/julm/perso/photo:${root}/perso/photo"
      "-/mnt/off2/julm/perso/camera:${root}/perso/camera"
    ];
  };
}