hosts/losurdo/sftp.nix

   1 { lib, hostName, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   nginxRoot = "/var/lib/nginx/${domain}/sftp";
   5   sftpRoot = "/var/lib/sftp";
   6   sftpUsers = [
   7     "julm"
   8     "sevy"
   9   ];
  10 in
  11 {
  12   fileSystems.${sftpRoot} = {
  13     device = "${hostName}/var/sftp";
  14     fsType = "zfs";
  15   };
  16   services.sanoid.datasets."${hostName}/var/sftp" = {
  17     use_template = [ "snap" ];
  18     daily = 31;
  19   };
  20   /*
  21     services.syncoid.commands = {
  22     "${hostName}/var/sftp" = {
  23     sendOptions = "raw";
  24     target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/sftp";
  25     };
  26     };
  27   */
  28   services.nginx.virtualHosts =
  29     let
  30       indexConfig = ''
  31         autoindex on;
  32         fancyindex on;
  33         fancyindex_exact_size off;
  34         fancyindex_name_length 255;
  35         open_file_cache off;
  36         #open_file_cache_valid 1s;
  37       '';
  38       virtualHost = {
  39         root = nginxRoot;
  40         locations = lib.listToAttrs
  41           (map
  42             (user:
  43               lib.nameValuePair "/${user}/" {
  44                 extraConfig = ''
  45                   location /${user}/public/ {
  46                     ${indexConfig}
  47                   }
  48                   location /${user}/perso/ {
  49                     ${indexConfig}
  50                     auth_basic secured;
  51                     auth_basic_user_file ${sftpRoot}/${user}/perso.htpasswd;
  52                   }
  53                 '';
  54               }
  55             )
  56             sftpUsers) // {
  57           "/".extraConfig = ''
  58             return 403;
  59           '';
  60         };
  61       };
  62     in
  63     {
  64       "sftp.${hostName}.wg" = lib.mkMerge [
  65         virtualHost
  66         {
  67           listenAddresses = [ "${hostName}.wg" ];
  68           extraConfig = ''
  69             access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
  70             error_log  /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
  71           '';
  72         }
  73       ];
  74       "sftp.${domain}" = lib.mkMerge [
  75         virtualHost
  76         {
  77           forceSSL = true;
  78           useACMEHost = domain;
  79           extraConfig = ''
  80             access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
  81             error_log  /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
  82           '';
  83         }
  84       ];
  85     };
  86   systemd.services.nginx = {
  87     serviceConfig = {
  88       LogsDirectory = lib.mkForce [
  89         "nginx/wg-intra/${hostName}/sftp"
  90         "nginx/${domain}/${hostName}/sftp"
  91       ];
  92       BindReadOnlyPaths = lib.concatMap
  93         (user: [
  94           "${sftpRoot}/${user}/public:${nginxRoot}/${user}/public"
  95           "${sftpRoot}/${user}/perso:${nginxRoot}/${user}/perso"
  96         ])
  97         sftpUsers;
  98     };
  99   };
 100   fileSystems."${sftpRoot}/torrents" = {
 101     device = "/var/lib/transmission/downloaded";
 102     options = [ "bind" "ro" ];
 103   };
 104   fileSystems."${sftpRoot}/podcasts" = {
 105     device = "/home/julm/dl";
 106     options = [ "bind" "ro" ];
 107   };
 108   services.openssh.extraConfig = ''
 109     Match User sevy
 110       AllowAgentForwarding no
 111       AllowTcpForwarding no
 112       ChrootDirectory ${sftpRoot}
 113       ForceCommand internal-sftp -u 0002
 114       X11Forwarding no
 115   '';
 116 }