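# NixOS module factory: given a `domain`, returns a module that declares the
# "www" nginx virtual host for it, bind-mounts a personal work directory under
# the web root, and protects the /julm/PC/ subtree with HTTP basic auth.
#
# Relies on options defined outside this file: `security.gnupg.secrets`
# (secret provisioning, exposes `.path`) and an ACME certificate for `domain`.
{ domain, ... }:
{ pkgs, lib, config, ... }:
let
  # The previously inherited `config.networking` binding was never used and
  # has been dropped.
  inherit (config.security) gnupg;
  inherit (config.services) nginx;
  srv = "www";
  # Per-domain base directory; the vhost root and the /julm alias live below it.
  root = "/var/lib/nginx/${domain}";
in
{
  systemd.services.nginx.serviceConfig = {
    # Exposes the home-directory tree inside the nginx unit's mount namespace.
    # NOTE(review): BindPaths is a read-write bind. Nothing in this file writes
    # below ${root}/julm, so BindReadOnlyPaths looks sufficient and would keep a
    # compromised worker from modifying the source tree; confirm no other
    # module needs write access before switching.
    BindPaths = [ "/home/julm/work/perso:${root}/julm" ];
    # Creates /var/lib/nginx/${domain}/julm, the target of the bind mount above.
    StateDirectory = [ "nginx/${domain}/julm" ];
    # mkForce replaces any LogsDirectory value set elsewhere; the directory
    # matches the access_log/error_log paths used in the vhost below.
    LogsDirectory = lib.mkForce [ "nginx/${domain}/${srv}" ];
  };

  services.nginx = {
    # NOTE(review): the attribute name is "<domain>.www", not "www.<domain>".
    # If serverName is left at its default (the attribute name), only the
    # `domain` alias is a resolvable host name; confirm this is intended.
    virtualHosts."${domain}.${srv}" = {
      serverAliases = [ domain ];
      # Plain HTTP is redirected to HTTPS, so the basic-auth credentials used
      # for /julm/PC/ are only sent over TLS.
      forceSSL = true;
      # Reuses the certificate declared for `domain` (declaration not shown here).
      useACMEHost = domain;
      root = "${root}/${srv}";
      # The `json` log format name must be defined elsewhere in the nginx
      # configuration; it is not declared in this file.
      extraConfig = ''
        access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
        error_log  /var/log/nginx/${domain}/${srv}/error.log warn;
      '';
      # Directory listings are enabled for the public web root.
      locations."/".extraConfig = ''
        #autoindex on;
        fancyindex on;
        fancyindex_name_length 255;
        fancyindex_exact_size off;
      '';
      # No authentication on this location: `autoindex off` only suppresses the
      # listing, files under the bind-mounted tree are still served to anyone
      # who requests their exact path. Only the /julm/PC/ subtree below is
      # password-protected.
      locations."/julm/" = {
        alias = "${root}/julm/";
        extraConfig = ''
          autoindex off;
        '';
      };
      # Password-protected subtree; listings are enabled once authenticated.
      locations."/julm/PC/" = {
        alias = "${root}/julm/PC/";
        extraConfig = ''
          auth_basic "restricted area";
          auth_basic_user_file ${gnupg.secrets."nginx/${domain}/${srv}/julm/PC/htpasswd".path};
          fancyindex on;
          fancyindex_name_length 255;
          fancyindex_exact_size off;
        '';
      };
    };
  };

  security.gnupg.secrets = {
    "nginx/${domain}/${srv}/julm/PC/htpasswd" = {
      # Generated with: echo "$user:$(openssl passwd -apr1)"
      # NOTE(review): apr1 is the Apache MD5-based scheme, which is cheap to
      # brute-force if the file ever leaks. nginx also accepts crypt(3) hashes,
      # so a stronger scheme such as SHA-512 crypt (`openssl passwd -6`) is
      # worth using; confirm the target's crypt(3) supports it.
      # Presumably orders the secret's provisioning unit before nginx and has
      # nginx.service pull it in, so the htpasswd file exists at start-up.
      # Verify against the security.gnupg module.
      systemdConfig.before = [ "nginx.service" ];
      systemdConfig.wantedBy = [ "nginx.service" ];
      # Owned by the nginx account so the server can read the file.
      user = nginx.user;
      group = nginx.group;
    };
  };
}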