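{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  srv = "losurdo";
  root = "/var/lib/nginx";
  # Onion address; served as an alias of the clearnet vhost below.
  onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";

  # Directory-listing snippet shared by the public read-only trees.
  # Everything under a location using it is enumerable by any visitor,
  # so only trees meant to be public should be bind-mounted there.
  publicListing = ''
    autoindex on;
    fancyindex on;
    fancyindex_exact_size off;
    fancyindex_name_length 255;
    open_file_cache off;
    #open_file_cache_valid 1s;
  '';

  # Unit ordering shared by the secrets tor reads at start-up:
  # they must be decrypted before tor.service starts.
  neededByTor = {
    systemdConfig.before = [ "tor.service" ];
    systemdConfig.wantedBy = [ "tor.service" ];
  };
in
{
  services.tor = {
    relay.onionServices."nginx/${domain}/${srv}" = {
      # Private key of the onion service, decrypted by the gnupg secrets module.
      secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
      map = [
        80
        #{ port = 443; target = { port = 8443; }; }
      ];
      # Client authorization: only holders of the matching x25519 private key
      # can fetch the descriptor of this onion service at all.
      authorizedClients = [
        "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
      ];
    };
    client.onionServices.${onion} = {
      clientAuthorizations = [
        gnupg.secrets."tor/auth/julm".path
      ];
    };
  };
  security.gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key" = neededByTor;
  security.gnupg.secrets."tor/auth/julm" = neededByTor;
  services.nginx = {
    virtualHosts."${srv}.${domain}" = {
      serverAliases = [ domain "${onion}.onion" ];
      #onlySSL = true;
      #addSSL = true;
      # NOTE(review): forceSSL answers plain HTTP with a redirect to https://,
      # but the tor `map` above only forwards port 80, so onion visitors
      # presumably land on an https URL that is not reachable through the
      # onion service — confirm this is intended.
      forceSSL = true;
      useACMEHost = domain;
      inherit root;
      extraConfig = ''
        access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
        error_log /var/log/nginx/${domain}/${srv}/error.log warn;
      '';
      # Default location: close the connection for any path not listed below.
      # In this vhost that also covers the "dl" tree, which is bind-mounted
      # under the document root but has no location of its own.
      locations."/".extraConfig = ''
        #autoindex on;
        return 444;
      '';
      locations."/julm".extraConfig = publicListing;
      locations."/haskell".extraConfig = publicListing;
      # Password-protected area. Credentials only travel over TLS because of
      # forceSSL above; the password file is a decrypted gnupg secret.
      locations."/sevy".extraConfig = ''
        auth_basic "sevy's area";
        auth_basic_user_file ${gnupg.secrets."nginx/sevy/htpasswd".path};
        autoindex off;
      '';
    };
  };
  systemd.services.nginx = {
    serviceConfig = {
      # Per-domain log directory instead of the module's default.
      LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
      # Home-directory trees exposed to nginx read-only; the service cannot
      # write to them even if a location were misconfigured.
      BindReadOnlyPaths = [
        "/home/julm/work/sourcephile/web:${root}/julm"
        "/home/julm/dl:${root}/dl"
        "/home/julm/work/sourcephile/haskell:${root}/haskell"
      ];
    };
    # The htpasswd file must exist before nginx starts.
    wants = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
    after = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
  };
  security.gnupg.secrets."nginx/sevy/htpasswd" = {
    # Generated with: echo "$user:$(openssl passwd -apr1)"
    # apr1 is an MD5-based scheme; nginx's auth_basic_user_file also accepts
    # crypt(3) hashes, so `openssl passwd -6` (SHA-512) can be used for new
    # entries where libcrypt supports it.
    # Owned by the nginx user so only that service can read the file.
    user = nginx.user;
    group = nginx.group;
  };
}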