{ domain, ... }:
{ pkgs, lib, config, ... }:
let
inherit (config) networking;
inherit (config.security) gnupg;
inherit (config.services) nginx;
srv = "losurdo";
root = "/var/lib/nginx";
onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
in
{
services.tor = {
relay.onionServices."nginx/${domain}/${srv}" = {
secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
map = [
80
#{ port = 443; target = { port = 8443; }; }
];
authorizedClients = [
"descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
];
};
client.onionServices.${onion} = {
clientAuthorizations = [
gnupg.secrets."tor/auth/julm".path
];
};
};
security.gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key" = {};
security.gnupg.secrets."tor/auth/julm" = {};
services.nginx = {
virtualHosts."${srv}.${domain}" = {
serverAliases = [ domain "${onion}.onion" ];
#onlySSL = true;
#addSSL = true;
forceSSL = true;
useACMEHost = domain;
root = root;
extraConfig = ''
access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
error_log /var/log/nginx/${domain}/${srv}/error.log warn;
'';
locations."/".extraConfig = ''
#autoindex on;
return 444;
'';
locations."/julm".extraConfig = ''
autoindex on;
fancyindex on;
fancyindex_exact_size off;
fancyindex_name_length 255;
open_file_cache off;
#open_file_cache_valid 1s;
'';
locations."/sevy".extraConfig = ''
auth_basic "sevy's area";
auth_basic_user_file ${gnupg.secrets."nginx/sevy/htpasswd".path};
autoindex off;
'';
};
};
systemd.services.nginx = {
serviceConfig = {
LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
BindReadOnlyPaths = [
"/home/julm/work/sourcephile/web:${root}/julm"
"/home/julm/dl:${root}/dl"
"/home/julm/work/sourcephile/haskell:${root}/haskell"
];
};
wants = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
after = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
};
security.gnupg.secrets."nginx/sevy/htpasswd" = {
# Generated with: echo "$user:$(openssl passwd -apr1)"
user = nginx.user;
group = nginx.group;
};
}