Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/nginx/sourcephile.fr/losurdo.nix
syncoid: use a dedicated backup user
# nginx virtual host for "losurdo.<domain>" (the bare domain is an alias).
# Takes `domain` first, then the usual NixOS module arguments.
# The vhost listens with TLS only on port 8443 and has one area behind
# HTTP Basic authentication.
{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  srv = "losurdo";

  # Directory below /var/log, shared by the nginx log directives and by
  # systemd's LogsDirectory so that both always point at the same place.
  logsDir = "nginx/${domain}/${srv}";

  # Name of the secret holding the Basic-auth credentials, and its entry.
  htpasswdKey = "nginx/sevy/htpasswd";
  htpasswd = gnupg.secrets.${htpasswdKey};
in
{
  services.nginx.virtualHosts.${srv} = {
    serverName = "${srv}.${domain}";
    serverAliases = [ domain ];

    # Single TLS listener on every IPv4 interface; no plain-HTTP listener is
    # declared here, so the Basic-auth credentials of /sevy only travel over TLS.
    listen = [
      {
        addr = "0.0.0.0";
        port = 8443;
        ssl = true;
      }
    ];
    onlySSL = true;
    # forceSSL is left disabled.
    useACMEHost = domain;

    # NOTE(review): the document root is /var/lib/nginx. With autoindex off a
    # file is still served when requested by name, so verify that only content
    # meant to be published is stored under this directory.
    root = "/var/lib/nginx";

    extraConfig = ''
      access_log /var/log/${logsDir}/access.log json buffer=32k;
      error_log /var/log/${logsDir}/error.log warn;
    '';

    locations = {
      # No directory listing at the top level.
      "/".extraConfig = ''
        autoindex off;
      '';

      # Browsable listing; this location carries no auth_basic, so the listing
      # is readable by anyone who can reach the listener.
      "/julm".extraConfig = ''
        autoindex on;
        fancyindex on;
        fancyindex_exact_size off;
        fancyindex_name_length 255;
      '';

      # Password-protected area; credentials come from the htpasswd secret.
      "/sevy".extraConfig = ''
        auth_basic "sevy's area";
        auth_basic_user_file ${htpasswd.path};
        autoindex off;
      '';
    };
  };

  systemd.services.nginx = {
    serviceConfig.LogsDirectory = lib.mkForce [ logsDir ];

    # Order nginx after the unit that provides the htpasswd file.
    # NOTE(review): `wants` is a weak dependency, so nginx still starts when
    # that unit fails. Confirm that /sevy is refused rather than served
    # unauthenticated in that case, or consider `requires`.
    wants = [ htpasswd.service ];
    after = [ htpasswd.service ];
  };

  security.gnupg.secrets.${htpasswdKey} = {
    # Generated with: echo "$user:$(openssl passwd -apr1)"
    # NOTE(review): apr1 is the MD5-based Apache scheme. If the crypt(3)
    # implementation used by this nginx build accepts it, a SHA-512 crypt hash
    # (openssl passwd -6) is a stronger choice. Test before switching.
    #
    # user/group are presumably the owner of the decrypted file, set so that
    # nginx can read it. Verify against the security.gnupg module.
    inherit (nginx) user group;
  };
}