git-crypt: encrypt .gpg too
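{ domain, ... }:
{ pkgs, lib, config, hostName, ... }:
# NixOS module for the ${hostName}.${domain} web site: a clearnet virtualHost
# (TLS via the ACME cert of ${domain}), a Tor onion mirror of its download
# area, the gnupg-managed secrets both need, and the read-only bind mounts
# that expose the served directories to nginx.
let
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  # Document root as nginx sees it; the served subdirectories are bind-mounted
  # read-only beneath it in systemd.services.nginx below.
  root = "/var/lib/nginx";
  # Onion address of this host's hidden service (public; the private key is
  # the gnupg secret referenced below).
  onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
  # Directory-listing directives shared by every public download location.
  # `autoindex on` exposes the whole tree below the location, so attach it
  # only to paths that are meant to be browsable.
  # NOTE(review): fancyindex requires the nginx fancyindex module, which is
  # not enabled in this file — presumably elsewhere in the host config; confirm.
  listingConfig = ''
    autoindex on;
    fancyindex on;
    fancyindex_exact_size off;
    fancyindex_name_length 255;
    open_file_cache off;
    #open_file_cache_valid 1s;
  '';
  # Per-host log files; the directory is granted via LogsDirectory below.
  logConfig = ''
    access_log /var/log/nginx/${domain}/${hostName}/access.json json buffer=32k;
    error_log /var/log/nginx/${domain}/${hostName}/error.log warn;
  '';
in
{
  services.tor = {
    relay.onionServices."nginx/${domain}/${hostName}" = {
      # Hidden-service identity key, decrypted by the gnupg secrets service
      # before tor starts (see security.gnupg.secrets below).
      secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
      # Onion port 80 -> local port 80, where nginx serves the .onion virtualHost.
      map = [
        80
        #{ port = 443; target = { port = 8443; }; }
      ];
      /*
      authorizedClients = [
        "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
      ];
      */
    };
    /*
    client.onionServices.${onion} = {
      clientAuthorizations = [
        gnupg.secrets."tor/auth/julm".path
      ];
    };
    */
  };

  security.gnupg.secrets = lib.genAttrs [
    "tor/onion/${onion}/hs_ed25519_secret_key"
    "tor/auth/julm"
  ] (secret: {
    # Both tor secrets must be in place before tor.service starts.
    systemdConfig.before = [ "tor.service" ];
    systemdConfig.wantedBy = [ "tor.service" ];
  }) // {
    "nginx/perso/htpasswd" = {
      # Generated with: for i in $PASSWORD_STORE_DIR/hosts/losurdo/nginx/perso/htpasswd/*.gpg; do i="${i#$PASSWORD_STORE_DIR/}"; i=${i%.gpg}; printf %s: "${i##*/}"; pass $i | openssl passwd -apr1 -stdin; done | pass insert -m hosts/losurdo/nginx/perso/htpasswd
      # Then: nix flake lock --update-input pass
      # NOTE(review): -apr1 is an MD5-based scheme; nginx's auth_basic also
      # accepts crypt(3) hashes, so `openssl passwd -6` (SHA-512) is a stronger
      # choice — confirm the host's libcrypt supports it before switching.
      systemdConfig.before = [ "nginx.service" ];
      systemdConfig.wantedBy = [ "nginx.service" ];
      # The decrypted htpasswd must be readable by the nginx worker user only.
      user = nginx.user;
      group = nginx.group;
    };
  };

  services.nginx = {
    # Onion mirror: serves only the public download area, nothing else.
    virtualHosts."${onion}.onion" = {
      root = root + "/dl";
      extraConfig = logConfig;
      locations."/".extraConfig = listingConfig;
    };

    virtualHosts."${hostName}.${domain}" = {
      serverAliases = [ domain ];
      #onlySSL = true;
      #addSSL = true;
      # Plain HTTP is redirected to HTTPS, so the basic-auth credentials for
      # /perso are never sent in clear over the clearnet.
      forceSSL = true;
      useACMEHost = domain;
      root = root;
      extraConfig = logConfig;
      # The site root itself is not served: 444 drops the connection without
      # a response, so only the explicit locations below are reachable.
      locations."/".extraConfig = ''
        #autoindex on;
        return 444;
      '';
      # Public, browsable directories.
      locations."/dl".extraConfig = listingConfig;
      locations."/julm".extraConfig = listingConfig;
      locations."/haskell".extraConfig = listingConfig;
      # Private directory, gated by HTTP basic auth against the decrypted htpasswd.
      locations."/perso" = {
        basicAuthFile = gnupg.secrets."nginx/perso/htpasswd".path;
        extraConfig = ''
          autoindex on;
        '';
      };
    };
  };

  systemd.services.nginx = {
    serviceConfig = {
      # Replace (not extend) the module's default LogsDirectory so the
      # per-domain log directories used in logConfig exist under /var/log.
      LogsDirectory = lib.mkForce [
        "nginx/${domain}/${hostName}"
        "nginx/wg-intra/${hostName}"
      ];
      # Expose the user's directories to nginx read-only, inside the service's
      # own mount namespace, rather than loosening permissions on /home/julm.
      BindReadOnlyPaths = [
        "/home/julm/work/sourcephile/web:${root}/julm"
        "/home/julm/dl:${root}/dl"
        "/home/julm/work/sourcephile/haskell:${root}/haskell"
        "/home/julm/perso:${root}/perso"
      ];
    };
  };
}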