losurdo: nginx: enable on wg-intra
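{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  srv = "losurdo";
  root = "/var/lib/nginx";
  onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
  # nginx snippet shared by every browsable location: directory listing via
  # ngx_fancyindex (the module itself must be enabled elsewhere in this
  # host's nginx config — verify) with the open-file cache disabled.
  listing = ''
    autoindex on;
    fancyindex on;
    fancyindex_exact_size off;
    fancyindex_name_length 255;
    open_file_cache off;
    #open_file_cache_valid 1s;
  '';
  # Per-vhost JSON access log and warn-level error log. `name` must match an
  # entry of LogsDirectory below so the directory exists before nginx opens
  # the files; the `json` log_format is assumed to be defined elsewhere.
  logs = name: ''
    access_log /var/log/nginx/${name}/access.json json buffer=32k;
    error_log /var/log/nginx/${name}/error.log warn;
  '';
in
{
  services.tor = {
    relay.onionServices."nginx/${domain}/${srv}" = {
      secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
      # A bare port leaves Tor's target at its default, 127.0.0.1:80, which is
      # the only address the onion vhost binds below.
      map = [
        80
        #{ port = 443; target = { port = 8443; }; }
      ];
      /*
      authorizedClients = [
        "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
      ];
      */
    };
    /*
    client.onionServices.${onion} = {
      clientAuthorizations = [
        gnupg.secrets."tor/auth/julm".path
      ];
    };
    */
  };
  security.gnupg.secrets = lib.genAttrs [
    "tor/onion/${onion}/hs_ed25519_secret_key"
    # NOTE(review): only referenced by the commented-out client.onionServices
    # block above, so this secret is currently deployed without a consumer.
    "tor/auth/julm"
  ] (secret: {
    systemdConfig.before = [ "tor.service" ];
    systemdConfig.wantedBy = [ "tor.service" ];
  }) // {
    "nginx/perso/htpasswd" = {
      # Generated with: for i in $PASSWORD_STORE_DIR/hosts/losurdo/nginx/perso/htpasswd/*.gpg; do i="${i#$PASSWORD_STORE_DIR/}"; i=${i%.gpg}; printf %s: "${i##*/}"; pass $i | openssl passwd -apr1 -stdin; done | pass insert -m hosts/losurdo/nginx/perso/htpasswd
      # Then: nix flake lock --update-input pass
      systemdConfig.before = [ "nginx.service" ];
      systemdConfig.wantedBy = [ "nginx.service" ];
      # Owned by nginx's own user/group so the workers can read the file.
      user = nginx.user;
      group = nginx.group;
    };
  };
  services.nginx = {
    virtualHosts = {
      "${onion}.onion" = {
        # Tor hands onion connections to 127.0.0.1 (see services.tor.map), so
        # bind only there. Without this the vhost also answers on every public
        # interface and, sorting first among the vhost names, may end up as
        # nginx's default server for plain-HTTP requests carrying an unknown
        # Host header unless another vhost is marked `default`.
        listenAddresses = [ "127.0.0.1" ];
        root = "${root}/dl";
        extraConfig = logs "${domain}/${srv}";
        locations."/".extraConfig = listing;
      };
      "${srv}.wg" = {
        # Reachable on the wg-intra address only. nginx presumably resolves
        # this name when it loads its config, so it has to be resolvable
        # before nginx.service starts — TODO confirm against the WireGuard unit.
        listenAddresses = [ "${srv}.wg" ];
        inherit root;
        extraConfig = logs "wg-intra/${srv}";
        # Anything outside the exported prefixes below gets nginx's 444,
        # i.e. the connection is closed without a response.
        locations."/".extraConfig = ''
          #autoindex on;
          return 444;
        '';
        locations."/dl".extraConfig = listing;
      };
      "${srv}.${domain}" = {
        serverAliases = [ domain ];
        #onlySSL = true;
        #addSSL = true;
        # Plain HTTP is redirected to HTTPS; the certificate comes from the
        # ACME host configured for ${domain} elsewhere.
        forceSSL = true;
        useACMEHost = domain;
        inherit root;
        extraConfig = logs "${domain}/${srv}";
        locations."/".extraConfig = ''
          #autoindex on;
          return 444;
        '';
        # Exported trees; each one is a read-only bind mount set up under
        # systemd.services.nginx below.
        locations."/dl".extraConfig = listing;
        locations."/julm".extraConfig = listing;
        locations."/haskell".extraConfig = listing;
        locations."/perso" = {
          # Private tree: HTTP basic auth against the htpasswd deployed above.
          basicAuthFile = gnupg.secrets."nginx/perso/htpasswd".path;
          extraConfig = ''
            autoindex on;
          '';
        };
      };
    };
  };
  systemd.services.nginx = {
    serviceConfig = {
      # mkForce replaces (rather than merges with) any other LogsDirectory
      # definition so that exactly these per-vhost directories are created
      # under /var/log.
      LogsDirectory = lib.mkForce [
        "nginx/${domain}/${srv}"
        "nginx/wg-intra/${srv}"
      ];
      # Expose the served trees read-only inside nginx's mount namespace;
      # the sources are home-directory paths, nothing is mounted writable.
      BindReadOnlyPaths = [
        "/home/julm/work/sourcephile/web:${root}/julm"
        "/home/julm/dl:${root}/dl"
        "/home/julm/work/sourcephile/haskell:${root}/haskell"
        "/home/julm/perso:${root}/perso"
      ];
    };
  };
}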