{ domain, ... }: { pkgs, lib, config, ... }: let inherit (config) networking; inherit (config.security) gnupg; inherit (config.services) nginx; srv = "losurdo"; onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id"; in { services.tor = { relay.onionServices."nginx/${domain}/${srv}" = { secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path; map = [ 80 #{ port = 443; target = { port = 8443; }; } ]; authorizedClients = [ "descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm ]; }; client.onionServices.${onion} = { clientAuthorizations = [ gnupg.secrets."tor/auth/julm".path ]; }; }; security.gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key" = {}; security.gnupg.secrets."tor/auth/julm" = {}; services.nginx = { virtualHosts."${srv}.${domain}" = { serverAliases = [ domain "${onion}.onion" ]; listen = [ { addr="127.0.0.1"; port = 80; ssl = false; } { addr="[::1]"; port = 80; ssl = false; } { addr="0.0.0.0"; port = 8443; ssl = true; } { addr="[::]"; port = 8443; ssl = true; } ]; #onlySSL = true; #forceSSL = true; addSSL = true; useACMEHost = domain; root = "/var/lib/nginx"; extraConfig = '' access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k; error_log /var/log/nginx/${domain}/${srv}/error.log warn; ''; locations."/".extraConfig = '' autoindex off; ''; locations."/julm".extraConfig = '' autoindex on; fancyindex on; fancyindex_exact_size off; fancyindex_name_length 255; open_file_cache_valid 1s; ''; locations."/sevy".extraConfig = '' auth_basic "sevy's area"; auth_basic_user_file ${gnupg.secrets."nginx/sevy/htpasswd".path}; autoindex off; ''; }; }; systemd.services.nginx = { serviceConfig = { LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"]; BindReadOnlyPaths = [ "/home/julm/dl:/var/lib/nginx/julm/dl" "/home/julm/haskell:/var/lib/nginx/julm/haskell" ]; }; wants = [ gnupg.secrets."nginx/sevy/htpasswd".service ]; after = [ gnupg.secrets."nginx/sevy/htpasswd".service ]; }; security.gnupg.secrets."nginx/sevy/htpasswd" = { # Generated with: echo "$user:$(openssl passwd -apr1)" user = nginx.user; group = nginx.group; }; }