# nginx virtual host "losurdo.<domain>" for the losurdo machine.
#
# The same vhost is published as a Tor onion service whose descriptor is
# restricted to the listed authorized client key, and the plaintext :80
# listeners are bound to loopback only, so the non-TLS path is reachable
# locally and (presumably, via the onion's port-80 mapping) through Tor.
# Everything else goes through the TLS listeners on 8443, using the ACME
# certificate already issued for ${domain}.
{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  secrets = config.security.gnupg.secrets;
  nginxCfg = config.services.nginx;
  host = "losurdo";
  onionAddr = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
  # gnupg-managed secret names, spelled once and reused below.
  onionKeySecret = "tor/onion/${onionAddr}/hs_ed25519_secret_key";
  julmAuthSecret = "tor/auth/julm";
  sevyHtpasswdSecret = "nginx/sevy/htpasswd";
in
{
  services = {
    tor = {
      relay.onionServices."nginx/${domain}/${host}" = {
        secretKey = secrets.${onionKeySecret}.path;
        # Only port 80 is published on the onion; the 443 -> 8443 mapping
        # stays disabled.
        map = [
          80
          #{ port = 443; target = { port = 8443; }; }
        ];
        # Restrict the onion service to this client key (Tor client authorization).
        authorizedClients = [
          "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
        ];
      };
      # This machine also acts as an authorized client of the onion, using
      # julm's private authorization key from the gnupg secrets.
      client.onionServices.${onionAddr} = {
        clientAuthorizations = [ secrets.${julmAuthSecret}.path ];
      };
    };

    nginx.virtualHosts."${host}.${domain}" = {
      serverAliases = [ domain "${onionAddr}.onion" ];
      # Plaintext only on loopback; TLS on all interfaces at 8443.
      listen = [
        { addr = "127.0.0.1"; port = 80; ssl = false; }
        { addr = "[::1]"; port = 80; ssl = false; }
        { addr = "0.0.0.0"; port = 8443; ssl = true; }
        { addr = "[::]"; port = 8443; ssl = true; }
      ];
      #onlySSL = true;
      #forceSSL = true;
      addSSL = true;
      useACMEHost = domain;
      root = "/var/lib/nginx";
      # Per-vhost logs; the directory is the LogsDirectory forced in
      # systemd.services.nginx below. The "json" log format is assumed to be
      # declared elsewhere — not in this file.
      extraConfig = ''
        access_log /var/log/nginx/${domain}/${host}/access.log json buffer=32k;
        error_log /var/log/nginx/${domain}/${host}/error.log warn;
      '';
      locations = {
        "/".extraConfig = ''
          autoindex off;
        '';
        # Browsable listing of the read-only bind mounts from /home/julm
        # (see BindReadOnlyPaths below). The fancyindex_* directives need the
        # fancyindex nginx module, which is expected to be enabled elsewhere.
        "/julm".extraConfig = ''
          autoindex on;
          fancyindex on;
          fancyindex_exact_size off;
          fancyindex_name_length 255;
          open_file_cache_valid 1s;
        '';
        # Basic-auth protected area without listing; the htpasswd file is a
        # gnupg-managed secret declared in security.gnupg.secrets below.
        "/sevy".extraConfig = ''
          auth_basic "sevy's area";
          auth_basic_user_file ${secrets.${sevyHtpasswdSecret}.path};
          autoindex off;
        '';
      };
    };
  };

  security.gnupg.secrets = {
    ${onionKeySecret} = {};
    ${julmAuthSecret} = {};
    ${sevyHtpasswdSecret} = {
      # Generated with: echo "$user:$(openssl passwd -apr1)"
      # (-apr1 is the MD5-based APR1 scheme.)
      # user/group are taken from the nginx module, presumably so the
      # decrypted file is owned by nginx's identity — verify against the
      # gnupg.secrets module.
      user = nginxCfg.user;
      group = nginxCfg.group;
    };
  };

  systemd.services.nginx = {
    serviceConfig = {
      # Replace the module's default log directory with the per-domain,
      # per-host one used by the access_log/error_log directives above.
      LogsDirectory = lib.mkForce [ "nginx/${domain}/${host}" ];
      # Expose julm's dl and haskell directories read-only under
      # ${root}/julm/, i.e. at the /julm location.
      BindReadOnlyPaths = [
        "/home/julm/dl:/var/lib/nginx/julm/dl"
        "/home/julm/haskell:/var/lib/nginx/julm/haskell"
      ];
    };
    # Order nginx after the unit that provides the htpasswd secret.
    wants = [ secrets.${sevyHtpasswdSecret}.service ];
    after = [ secrets.${sevyHtpasswdSecret}.service ];
  };
}