{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  # Short name of this virtual host. It is reused for the nginx vhost name,
  # the Tor hidden-service directory and the per-host log directory.
  host = "losurdo";

  # Secret holding the htpasswd file used by the protected /sevy location.
  # Only two of its attributes are used here: `.path` (the file nginx reads)
  # and `.service` (the unit that must run before nginx).
  htpasswd = config.security.gnupg.secrets."nginx/sevy/htpasswd";

  nginxCfg = config.services.nginx;
in
{
  # Publish the same vhost as a Tor hidden service: port 443 of the onion
  # service is forwarded to local port 8443, where the TLS listener below
  # sits (target address not set here — presumably the Tor default).
  services.tor.settings.HiddenServiceDir = {
    "${domain}/${host}" = {
      HiddenServicePort = [
        { port = 443; target = { port = 8443; }; }
      ];
    };
  };

  services.nginx.virtualHosts."${host}" = {
    serverName = "${host}.${domain}";
    serverAliases = [ domain ];

    # Single TLS-only listener on 8443, shared by clearnet clients and the
    # Tor forward above.
    # NOTE(review): addr = "0.0.0.0" binds every IPv4 interface. If 8443 is
    # only meant to be reached via a 443 redirect and via Tor, confirm the
    # firewall does not expose it directly.
    listen = [ { addr = "0.0.0.0"; port = 8443; ssl = true; } ];
    onlySSL = true;
    #forceSSL = true;
    useACMEHost = domain;
    root = "/var/lib/nginx";

    # Per-host log files under the LogsDirectory granted to nginx below.
    # The `json` access-log format is not declared in this file; it must
    # come from another nginx snippet.
    extraConfig = ''
      access_log /var/log/nginx/${domain}/${host}/access.log json buffer=32k;
      error_log /var/log/nginx/${domain}/${host}/error.log warn;
    '';

    locations = {
      # No directory listing at the root.
      "/".extraConfig = ''
        autoindex off;
      '';

      # Public, browsable directory listing (fancyindex takes over from
      # autoindex when both are enabled).
      "/julm".extraConfig = ''
        autoindex on;
        fancyindex on;
        fancyindex_exact_size off;
        fancyindex_name_length 255;
      '';

      # Basic-auth protected area. Credentials only ever travel over TLS
      # because the vhost is onlySSL; the htpasswd file is provided by the
      # gnupg secret declared below.
      "/sevy".extraConfig = ''
        auth_basic "sevy's area";
        auth_basic_user_file ${htpasswd.path};
        autoindex off;
      '';
    };
  };

  systemd.services.nginx = {
    # Dedicated log directory per domain/host; mkForce overrides the nginx
    # module's own LogsDirectory definition instead of merging with it.
    serviceConfig.LogsDirectory = lib.mkForce [ "nginx/${domain}/${host}" ];

    # The htpasswd secret has to be decrypted before nginx starts reading it.
    wants = [ htpasswd.service ];
    after = [ htpasswd.service ];
  };

  # Decrypted htpasswd file, owned by the nginx user so only it can read it.
  security.gnupg.secrets."nginx/sevy/htpasswd" = {
    # The encrypted content is produced out-of-band with:
    #   echo "$user:$(openssl passwd -apr1)"
    # NOTE(review): -apr1 is an MD5-based scheme; a crypt(3) SHA-512 hash
    # (`openssl passwd -6`) is stronger if this nginx build's libcrypt
    # accepts it — verify before switching.
    user = nginxCfg.user;
    group = nginxCfg.group;
  };
}