]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/sftp.nix
mermet: nftables: use meta l4proto
[sourcephile-nix.git] / hosts / losurdo / sftp.nix
1 { inputs, pkgs, lib, config, hostName, ... }:
2 let
3 domain = "sourcephile.fr";
4 nginxRoot = "/var/lib/nginx/${domain}/sftp";
5 sftpRoot = "/var/lib/sftp";
6 sftpUsers = [
7 "julm"
8 "sevy"
9 ];
10 in
11 {
12 fileSystems.${sftpRoot} = {
13 device = "${hostName}/var/sftp";
14 fsType = "zfs";
15 };
16 services.sanoid.datasets."${hostName}/var/sftp" = {
17 use_template = [ "snap" ];
18 daily = 31;
19 };
20 /*
21 services.syncoid.commands = {
22 "${hostName}/var/sftp" = {
23 sendOptions = "raw";
24 target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/sftp";
25 };
26 };
27 */
28 services.nginx.virtualHosts = let
29 indexConfig = ''
30 autoindex on;
31 fancyindex on;
32 fancyindex_exact_size off;
33 fancyindex_name_length 255;
34 open_file_cache off;
35 #open_file_cache_valid 1s;
36 '';
37 virtualHost = {
38 root = nginxRoot;
39 locations = lib.listToAttrs (map (user:
40 lib.nameValuePair "/${user}/" {
41 extraConfig = ''
42 location /${user}/public/ {
43 ${indexConfig}
44 }
45 location /${user}/perso/ {
46 ${indexConfig}
47 auth_basic secured;
48 auth_basic_user_file ${sftpRoot}/${user}/perso.htpasswd;
49 }
50 '';
51 }
52 ) sftpUsers) // {
53 "/".extraConfig = ''
54 return 403;
55 '';
56 };
57 };
58 in {
59 "sftp.${hostName}.wg" = lib.mkMerge [ virtualHost {
60 listenAddresses = [ "${hostName}.wg" ];
61 extraConfig = ''
62 access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
63 error_log /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
64 '';
65 } ];
66 "sftp.${domain}" = lib.mkMerge [ virtualHost {
67 forceSSL = true;
68 useACMEHost = domain;
69 extraConfig = ''
70 access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
71 error_log /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
72 '';
73 } ];
74 };
75 systemd.services.nginx = {
76 serviceConfig = {
77 LogsDirectory = lib.mkForce [
78 "nginx/wg-intra/${hostName}/sftp"
79 "nginx/${domain}/${hostName}/sftp"
80 ];
81 BindReadOnlyPaths = lib.concatMap (user: [
82 "${sftpRoot}/${user}/public:${nginxRoot}/${user}/public"
83 "${sftpRoot}/${user}/perso:${nginxRoot}/${user}/perso"
84 ]) sftpUsers;
85 };
86 };
87 fileSystems."${sftpRoot}/torrents" = {
88 device = "/var/lib/transmission/downloaded";
89 options = [ "bind" "ro" ];
90 };
91 fileSystems."${sftpRoot}/podcasts" = {
92 device = "/home/julm/dl";
93 options = [ "bind" "ro" ];
94 };
95 services.openssh.extraConfig = ''
96 Match User sevy
97 AllowAgentForwarding no
98 AllowTcpForwarding no
99 ChrootDirectory ${sftpRoot}
100 ForceCommand internal-sftp -u 0002
101 X11Forwarding no
102 '';
103 }