]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/nginx/sourcephile.fr/losurdo.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
networking: try net.ipv6.conf.*.addr_gen_mode = 3
[sourcephile-nix.git] / machines / losurdo / nginx / sourcephile.fr / losurdo.nix
1 { domain, ... }:
2 { pkgs, lib, config, ... }:
3 let
4 inherit (config) networking;
5 inherit (config.security) gnupg;
6 inherit (config.services) nginx;
7 srv = "losurdo";
8 onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
9 in
10 {
11 services.tor.relay.hiddenServices."${domain}/${srv}" = {
12 map = [
13 80
14 #{ port = 443; target = { port = 8443; }; }
15 ];
16 authorizedClients = [
17 "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
18 ];
19 };
20 services.tor.client.hiddenServices.${onion} = {
21 clientAuthorizations = [
22 gnupg.secrets."tor/auth/julm".path
23 ];
24 };
25 security.gnupg.secrets."tor/auth/julm" = {};
26 services.nginx = {
27 virtualHosts."${srv}" = {
28 serverName = "${srv}.${domain}";
29 serverAliases = [ domain "${onion}.onion" ];
30 listen = [
31 { addr="127.0.0.1"; port = 80; ssl = false; }
32 { addr="[::1]"; port = 80; ssl = false; }
33 { addr="0.0.0.0"; port = 8443; ssl = true; }
34 { addr="[::]"; port = 8443; ssl = true; }
35 ];
36 #onlySSL = true;
37 #forceSSL = true;
38 addSSL = true;
39 useACMEHost = domain;
40 root = "/var/lib/nginx";
41 extraConfig = ''
42 access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
43 error_log /var/log/nginx/${domain}/${srv}/error.log warn;
44 '';
45 locations."/".extraConfig = ''
46 autoindex off;
47 '';
48 locations."/julm".extraConfig = ''
49 autoindex on;
50 fancyindex on;
51 fancyindex_exact_size off;
52 fancyindex_name_length 255;
53 '';
54 locations."/sevy".extraConfig = ''
55 auth_basic "sevy's area";
56 auth_basic_user_file ${gnupg.secrets."nginx/sevy/htpasswd".path};
57 autoindex off;
58 '';
59 };
60 };
61 systemd.services.nginx = {
62 serviceConfig.LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
63 wants = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
64 after = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
65 };
66 security.gnupg.secrets."nginx/sevy/htpasswd" = {
67 # Generated with: echo "$user:$(openssl passwd -apr1)"
68 user = nginx.user;
69 group = nginx.group;
70 };
71 }
NixOS configurations for Sourcephile's infrastructure