# Module arguments. The inherit lines below bind config.networking,
# config.security.gnupg and config.services.nginx to short local names.
2 { pkgs, lib, config, ... }:
4 inherit (config) networking;
5 inherit (config.security) gnupg;
6 inherit (config.services) nginx;
# Prefix under which the nginx unit's read-only bind mounts are placed
# (see the BindReadOnlyPaths entries further down).
8 root = "/var/lib/nginx";
# Onion hostname label: reused for the "<onion>.onion" virtual host, the Tor
# client entry and the name of the service-key secret. Only the address is
# written here; the private key is referenced through gnupg.secrets.
9 onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
# Onion service published by this host, keyed by "nginx/${domain}/${srv}"
# (domain and srv are bound on lines not shown here).
13 relay.onionServices."nginx/${domain}/${srv}" = {
# The ed25519 service key is given as the path of a gnupg-managed secret,
# so the key material itself does not appear in this file.
14 secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
17 #{ port = 443; target = { port = 8443; }; }
# Client-authorization entry in Tor's "descriptor:x25519:<public key>" form;
# the trailing comment labels it as belonging to julm.
# NOTE(review): presumably an element of an authorized-clients list whose
# opening line is not shown; confirm.
21 "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
# Client-side entry for the same onion address, so this host can also reach
# the service as an authorized client.
26 client.onionServices.${onion} = {
27 clientAuthorizations = [
# Private half of the client authorization, again referenced by secret path.
# NOTE(review): "tor/auth/julm" is not among the secret names visible in the
# genAttrs list below; confirm it is declared on a line not shown.
28 gnupg.secrets."tor/auth/julm".path
# Secrets handled by the gnupg module. lib.genAttrs builds one attribute per
# name in the list; the function applied to each name is not shown.
33 security.gnupg.secrets = lib.genAttrs [
34 "tor/onion/${onion}/hs_ed25519_secret_key"
# Ties the secret to tor.service (ordered before it and pulled in by it),
# presumably so the key file exists before Tor starts.
37 systemdConfig.before = [ "tor.service" ];
38 systemdConfig.wantedBy = [ "tor.service" ];
# htpasswd file consumed by auth_basic_user_file on the /perso location.
40 "nginx/perso/htpasswd" = {
41 # Generated with: for i in $PASSWORD_STORE_DIR/hosts/losurdo/nginx/perso/htpasswd/*.gpg; do i="${i#$PASSWORD_STORE_DIR/}"; i=${i%.gpg}; printf %s: "${i##*/}"; pass $i | openssl passwd -apr1 -stdin; done | pass insert -m hosts/losurdo/nginx/perso/htpasswd
42 # Then: nix flake lock --update-input pass
# NOTE(review): `openssl passwd -apr1` emits salted MD5-based (apr1) hashes,
# which are cheap to brute-force offline if this file is ever disclosed.
# nginx also accepts crypt(3) hashes, so `openssl passwd -6` (SHA-512 crypt)
# is a stronger option where the host's crypt() supports it; verify on this
# host before switching. Long random passwords limit the exposure either way.
# Same ordering as above, this time relative to nginx.service.
43 systemdConfig.before = [ "nginx.service" ];
44 systemdConfig.wantedBy = [ "nginx.service" ];
# Virtual host answering on the onion address. Its access log is written in
# the "json" log format and its error log at level warn, both under
# /var/log/nginx/${domain}/${srv}.
50 virtualHosts."${onion}.onion" = {
53 access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
54 error_log /var/log/nginx/${domain}/${srv}/error.log warn;
# NOTE(review): the root/alias used by this "/" location is not shown.
# Confirm it cannot reach ${root}/perso, because auth_basic is only visible
# on the other virtual host's /perso location; here access control would
# rest on the onion client authorization alone.
56 locations."/".extraConfig = ''
59 fancyindex_exact_size off;
60 fancyindex_name_length 255;
62 #open_file_cache_valid 1s;
# Virtual host for "${srv}.${domain}", also answering to the bare domain
# through serverAliases. It logs to the same two files as the onion host.
65 virtualHosts."${srv}.${domain}" = {
66 serverAliases = [ domain ];
73 access_log /var/log/nginx/${domain}/${srv}/access.json json buffer=32k;
74 error_log /var/log/nginx/${domain}/${srv}/error.log warn;
76 locations."/".extraConfig = ''
# /dl, /julm and /haskell repeat the same two fancyindex directives; these
# paths correspond to the bind-mounted directories under ${root}.
80 locations."/dl".extraConfig = ''
83 fancyindex_exact_size off;
84 fancyindex_name_length 255;
86 #open_file_cache_valid 1s;
88 locations."/julm".extraConfig = ''
91 fancyindex_exact_size off;
92 fancyindex_name_length 255;
94 #open_file_cache_valid 1s;
96 locations."/haskell".extraConfig = ''
99 fancyindex_exact_size off;
100 fancyindex_name_length 255;
102 #open_file_cache_valid 1s;
# /perso is the only location shown with HTTP basic authentication; the
# user file is the gnupg-managed htpasswd secret.
# NOTE(review): basic-auth credentials travel with every request, so confirm
# this virtual host is reachable over TLS only (the TLS settings are not
# visible here).
104 locations."/perso".extraConfig = ''
105 auth_basic "authentication required";
106 auth_basic_user_file ${gnupg.secrets."nginx/perso/htpasswd".path};
# Overrides for the nginx systemd unit.
111 systemd.services.nginx = {
# mkForce makes this value take priority over any LogsDirectory defined
# elsewhere; it matches the /var/log/nginx/${domain}/${srv} paths used by
# the access_log and error_log directives.
113 LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
# Directories from julm's home are exposed to the service as read-only bind
# mounts under ${root}, so the web server can read but not modify them.
# NOTE(review): everything beneath each source directory becomes readable by
# nginx; of these four, only /perso is shown behind auth_basic, so keep
# non-public material out of the other three trees.
114 BindReadOnlyPaths = [
115 "/home/julm/work/sourcephile/web:${root}/julm"
116 "/home/julm/dl:${root}/dl"
117 "/home/julm/work/sourcephile/haskell:${root}/haskell"
118 "/home/julm/perso:${root}/perso"