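{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  # `networking` was inherited here but never referenced; dropped.
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  # Short name of this vhost; reused as the hidden-service key and as the
  # per-vhost log directory name.
  srv = "losurdo";
  # Onion address of this host's own hidden service. It is served as an
  # nginx alias and names the client-authorization entry below.
  onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
in
{
  services.tor = {
    # Onion service for this vhost. Only port 80 is mapped, so onion visitors
    # presumably land on the plain-HTTP loopback listener of the vhost below
    # (the 443 -> 8443 mapping is kept commented out) — confirm against the
    # tor module's `map` semantics.
    relay.hiddenServices."${domain}/${srv}" = {
      map = [
        80
        #{ port = 443; target = { port = 8443; }; }
      ];
      # Client authorization: the descriptor is only usable by holders of the
      # matching x25519 private key, so the service is not publicly reachable.
      authorizedClients = [
        "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
      ];
    };
    # Client-side authorization key for reaching the onion above; the private
    # key lives in the gnupg secret store, not in the Nix store.
    client.hiddenServices.${onion} = {
      clientAuthorizations = [
        gnupg.secrets."tor/auth/julm".path
      ];
    };
  };
  security.gnupg.secrets."tor/auth/julm" = {};

  services.nginx.virtualHosts."${srv}" = {
    serverName = "${srv}.${domain}";
    serverAliases = [ domain "${onion}.onion" ];
    # Plain HTTP is bound to loopback only (reachable through the onion
    # service or locally); TLS is exposed on every interface on 8443.
    listen = [
      { addr="127.0.0.1"; port = 80; ssl = false; }
      { addr="[::1]"; port = 80; ssl = false; }
      { addr="0.0.0.0"; port = 8443; ssl = true; }
      { addr="[::]"; port = 8443; ssl = true; }
    ];
    # addSSL rather than forceSSL: presumably so that onion visitors arriving
    # on the port-80 mapping are not redirected to an https:// URL — confirm.
    #onlySSL = true;
    #forceSSL = true;
    addSSL = true;
    useACMEHost = domain;
    root = "/var/lib/nginx";
    # Per-vhost logs; the directory is created by systemd (LogsDirectory below).
    # `json` must be a log_format declared elsewhere in the nginx config.
    extraConfig = ''
      access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
      error_log /var/log/nginx/${domain}/${srv}/error.log warn;
    '';
    # No directory listing at the root.
    locations."/".extraConfig = ''
      autoindex off;
    '';
    # Public directory listing (also reachable over clearnet on 8443);
    # presumably intended for sharing — confirm. Requires the fancyindex module.
    locations."/julm".extraConfig = ''
      autoindex on;
      fancyindex on;
      fancyindex_exact_size off;
      fancyindex_name_length 255;
    '';
    # Password-protected area. Credentials only cross the Tor circuit or TLS,
    # since port 80 is loopback-only; no listing is served even when authenticated.
    locations."/sevy".extraConfig = ''
      auth_basic "sevy's area";
      auth_basic_user_file ${gnupg.secrets."nginx/sevy/htpasswd".path};
      autoindex off;
    '';
  };

  systemd.services.nginx = {
    # Override the module's default log directory with the per-vhost one
    # referenced by access_log/error_log above.
    serviceConfig.LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
    # nginx must not start before the htpasswd secret has been decrypted,
    # otherwise auth_basic_user_file would point at a missing file.
    wants = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
    after = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
  };
  # The htpasswd file is decrypted to a path readable by the nginx user/group only.
  security.gnupg.secrets."nginx/sevy/htpasswd" = {
    # Generated with: echo "$user:$(openssl passwd -apr1)"
    # NOTE(review): -apr1 is the MD5-based scheme; nginx also accepts crypt(3)
    # hashes, so `openssl passwd -6` (SHA-512 crypt) is the stronger choice
    # where the host's crypt(3) supports it — confirm before regenerating.
    user = nginx.user;
    group = nginx.group;
  };
}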