nix: update input julm-nix

[sourcephile-nix.git] / hosts / losurdo / sftp.nix

{ inputs, pkgs, lib, config, hostName, ... }:
let
  domain = "sourcephile.fr";
  nginxRoot = "/var/lib/nginx/${domain}/sftp";
  sftpRoot = "/var/lib/sftp";
  sftpUsers = [
    "julm"
    "sevy"
  ];
in
{
fileSystems.${sftpRoot} = {
  device = "${hostName}/var/sftp";
  fsType = "zfs";
};
services.sanoid.datasets."${hostName}/var/sftp" = {
  use_template = [ "snap" ];
  daily = 31;
};
/*
services.syncoid.commands = {
  "${hostName}/var/sftp" = {
    sendOptions = "raw";
    target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/sftp";
  };
};
*/
services.nginx.virtualHosts = let
  indexConfig = ''
    autoindex on;
    fancyindex on;
    fancyindex_exact_size off;
    fancyindex_name_length 255;
    open_file_cache off;
    #open_file_cache_valid 1s;
  '';
  virtualHost = {
    root = nginxRoot;
    locations = lib.listToAttrs (map (user:
      lib.nameValuePair "/${user}/" {
          extraConfig = ''
            location /${user}/public/ {
              ${indexConfig}
            }
            location /${user}/perso/ {
              ${indexConfig}
              auth_basic secured;
              auth_basic_user_file ${sftpRoot}/${user}/perso.htpasswd;
            }
          '';
        }
      ) sftpUsers) // {
      "/".extraConfig = ''
          return 403;
        '';
      };
  };
  in {
  "sftp.${hostName}.wg" = lib.mkMerge [ virtualHost {
    listenAddresses = [ "${hostName}.wg" ];
    extraConfig = ''
      access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
      error_log  /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
    '';
  } ];
  "sftp.${domain}" = lib.mkMerge [ virtualHost {
    forceSSL = true;
    useACMEHost = domain;
    extraConfig = ''
      access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
      error_log  /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
    '';
  } ];
};
systemd.services.nginx = {
  serviceConfig = {
    LogsDirectory = lib.mkForce [
      "nginx/wg-intra/${hostName}/sftp"
      "nginx/${domain}/${hostName}/sftp"
    ];
    BindReadOnlyPaths = lib.concatMap (user: [
      "${sftpRoot}/${user}/public:${nginxRoot}/${user}/public"
      "${sftpRoot}/${user}/perso:${nginxRoot}/${user}/perso"
    ]) sftpUsers;
  };
};
fileSystems."${sftpRoot}/torrents" = {
  device = "/var/lib/transmission/downloaded";
  options = [ "bind" "ro" ];
};
fileSystems."${sftpRoot}/podcasts" = {
  device = "/home/julm/dl";
  options = [ "bind" "ro" ];
};
services.openssh.extraConfig = ''
  Match User sevy
    AllowAgentForwarding no
    AllowTcpForwarding no
    ChrootDirectory ${sftpRoot}
    ForceCommand internal-sftp -u 0002
    X11Forwarding no
'';
}