]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/sftp.nix
carotte: fix build
[sourcephile-nix.git] / hosts / losurdo / sftp.nix
1 { lib, hostName, ... }:
2 let
3 domain = "sourcephile.fr";
4 nginxRoot = "/var/lib/nginx/${domain}/sftp";
5 sftpRoot = "/var/lib/sftp";
6 sftpUsers = [
7 "julm"
8 "sevy"
9 ];
10 in
11 {
12 fileSystems.${sftpRoot} = {
13 device = "${hostName}/var/sftp";
14 fsType = "zfs";
15 };
16 services.sanoid.datasets."${hostName}/var/sftp" = {
17 use_template = [ "snap" ];
18 daily = 31;
19 };
20 /*
21 services.syncoid.commands = {
22 "${hostName}/var/sftp" = {
23 sendOptions = "raw";
24 target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/sftp";
25 };
26 };
27 */
28 services.nginx.virtualHosts =
29 let
30 indexConfig = ''
31 autoindex on;
32 fancyindex on;
33 fancyindex_exact_size off;
34 fancyindex_name_length 255;
35 open_file_cache off;
36 #open_file_cache_valid 1s;
37 '';
38 virtualHost = {
39 root = nginxRoot;
40 locations = lib.listToAttrs
41 (map
42 (user:
43 lib.nameValuePair "/${user}/" {
44 extraConfig = ''
45 location /${user}/public/ {
46 ${indexConfig}
47 }
48 location /${user}/perso/ {
49 ${indexConfig}
50 auth_basic secured;
51 auth_basic_user_file ${sftpRoot}/${user}/perso.htpasswd;
52 }
53 '';
54 }
55 )
56 sftpUsers) // {
57 "/".extraConfig = ''
58 return 403;
59 '';
60 };
61 };
62 in
63 {
64 "sftp.${hostName}.sp" = lib.mkMerge [
65 virtualHost
66 {
67 listenAddresses = [ "${hostName}.sp" ];
68 extraConfig = ''
69 access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
70 error_log /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
71 '';
72 }
73 ];
74 "sftp.${domain}" = lib.mkMerge [
75 virtualHost
76 {
77 forceSSL = true;
78 useACMEHost = domain;
79 extraConfig = ''
80 access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
81 error_log /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
82 '';
83 }
84 ];
85 };
86 systemd.services.nginx = {
87 serviceConfig = {
88 LogsDirectory = lib.mkForce [
89 "nginx/wg-intra/${hostName}/sftp"
90 "nginx/${domain}/${hostName}/sftp"
91 ];
92 BindReadOnlyPaths = lib.concatMap
93 (user: [
94 "${sftpRoot}/${user}/public:${nginxRoot}/${user}/public"
95 "${sftpRoot}/${user}/perso:${nginxRoot}/${user}/perso"
96 ])
97 sftpUsers;
98 };
99 };
100 fileSystems."${sftpRoot}/torrents" = {
101 device = "/var/lib/transmission/downloaded";
102 options = [ "bind" "ro" ];
103 };
104 fileSystems."${sftpRoot}/podcasts" = {
105 device = "/home/julm/dl";
106 options = [ "bind" "ro" ];
107 };
108 services.openssh.extraConfig = ''
109 Match User sevy
110 AllowAgentForwarding no
111 AllowTcpForwarding no
112 ChrootDirectory ${sftpRoot}
113 ForceCommand internal-sftp -u 0002
114 X11Forwarding no
115 '';
116 }