-{ inputs, pkgs, lib, config, hostName, ... }:
+{ lib, hostName, ... }:
let
domain = "sourcephile.fr";
nginxRoot = "/var/lib/nginx/${domain}/sftp";
sftpRoot = "/var/lib/sftp";
+ sftpUsers = [
+ "julm"
+ "sevy"
+ ];
in
{
-fileSystems.${sftpRoot} = {
- device = "${hostName}/var/sftp";
- fsType = "zfs";
-};
-services.sanoid.datasets."${hostName}/var/sftp" = {
- use_template = [ "snap" ];
- daily = 31;
-};
-services.nginx.virtualHosts = let
- virtualHost = {
- root = nginxRoot;
- locations."/".extraConfig = ''
- #autoindex on;
- return 444;
- '';
- locations."/sevy".extraConfig = ''
- autoindex on;
- fancyindex on;
- fancyindex_exact_size off;
- fancyindex_name_length 255;
- open_file_cache off;
- #open_file_cache_valid 1s;
- '';
+ fileSystems.${sftpRoot} = {
+ device = "${hostName}/var/sftp";
+ fsType = "zfs";
};
- in {
- "sftp.${hostName}.wg" = lib.mkMerge [ virtualHost {
- listenAddresses = [ "${hostName}.wg" ];
- extraConfig = ''
- access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
- error_log /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
- '';
- } ];
- "sftp.${domain}" = lib.mkMerge [ virtualHost {
- forceSSL = true;
- useACMEHost = domain;
- extraConfig = ''
- access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
- error_log /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
- '';
- } ];
-};
-systemd.services.nginx = {
- serviceConfig = {
- LogsDirectory = lib.mkForce [
- "nginx/wg-intra/${hostName}/sftp"
- "nginx/${domain}/${hostName}/sftp"
- ];
- BindReadOnlyPaths = [
- "${sftpRoot}/sevy/public:${nginxRoot}/sevy"
- ];
+ services.sanoid.datasets."${hostName}/var/sftp" = {
+ use_template = [ "snap" ];
+ daily = 31;
};
-};
-/*
-services.syncoid.commands = {
- "${hostName}/var/sftp" = {
+ /*
+ services.syncoid.commands = {
+ "${hostName}/var/sftp" = {
sendOptions = "raw";
target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/sftp";
+ };
+ };
+ */
+ services.nginx.virtualHosts =
+ let
+ indexConfig = ''
+ autoindex on;
+ fancyindex on;
+ fancyindex_exact_size off;
+ fancyindex_name_length 255;
+ open_file_cache off;
+ #open_file_cache_valid 1s;
+ '';
+ virtualHost = {
+ root = nginxRoot;
+ locations = lib.listToAttrs
+ (map
+ (user:
+ lib.nameValuePair "/${user}/" {
+ extraConfig = ''
+ location /${user}/public/ {
+ ${indexConfig}
+ }
+ location /${user}/perso/ {
+ ${indexConfig}
+ auth_basic secured;
+ auth_basic_user_file ${sftpRoot}/${user}/perso.htpasswd;
+ }
+ '';
+ }
+ )
+ sftpUsers) // {
+ "/".extraConfig = ''
+ return 403;
+ '';
+ };
+ };
+ in
+ {
+ "sftp.${hostName}.sp" = lib.mkMerge [
+ virtualHost
+ {
+ listenAddresses = [ "${hostName}.sp" ];
+ extraConfig = ''
+ access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
+ error_log /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
+ '';
+ }
+ ];
+ "sftp.${domain}" = lib.mkMerge [
+ virtualHost
+ {
+ forceSSL = true;
+ useACMEHost = domain;
+ extraConfig = ''
+ access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
+ error_log /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
+ '';
+ }
+ ];
+ };
+ systemd.services.nginx = {
+ serviceConfig = {
+ LogsDirectory = lib.mkForce [
+ "nginx/wg-intra/${hostName}/sftp"
+ "nginx/${domain}/${hostName}/sftp"
+ ];
+ BindReadOnlyPaths = lib.concatMap
+ (user: [
+ "${sftpRoot}/${user}/public:${nginxRoot}/${user}/public"
+ "${sftpRoot}/${user}/perso:${nginxRoot}/${user}/perso"
+ ])
+ sftpUsers;
+ };
};
-};
-*/
-fileSystems."${sftpRoot}/torrents" = {
- device = "/var/lib/transmission/downloaded";
- options = [ "bind" "ro" ];
-};
-fileSystems."${sftpRoot}/podcasts" = {
- device = "/home/julm/dl";
- options = [ "bind" "ro" ];
-};
-services.openssh.extraConfig = ''
- Match User sevy
- AllowAgentForwarding no
- AllowTcpForwarding no
- ChrootDirectory ${sftpRoot}
- ForceCommand internal-sftp
- X11Forwarding no
-'';
+ fileSystems."${sftpRoot}/torrents" = {
+ device = "/var/lib/transmission/downloaded";
+ options = [ "bind" "ro" ];
+ };
+ fileSystems."${sftpRoot}/podcasts" = {
+ device = "/home/julm/dl";
+ options = [ "bind" "ro" ];
+ };
+ services.openssh.extraConfig = ''
+ Match User sevy
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ ChrootDirectory ${sftpRoot}
+ ForceCommand internal-sftp -u 0002
+ X11Forwarding no
+ '';
}
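Review bot: The new `sftpUsers` list drives the nginx `locations` and `BindReadOnlyPaths` for both `julm` and `sevy`, but the `Match User sevy` block in `services.openssh.extraConfig` still chroots and restricts only `sevy`, so the `perso/` and `perso.htpasswd` paths generated for `julm` are not covered by the same SFTP confinement. If that asymmetry is intended (julm looks like an interactive account given `/home/julm/dl`), a comment above the list such as `# only sevy is chrooted by sshd below; julm is a regular account` would keep the next reader from "fixing" it. The `auth_basic_user_file` is placed at `${sftpRoot}/${user}/perso.htpasswd`, inside the directory the SFTP user can write to and outside the bind mounts listed for nginx, so nginx must be able to read that path through whatever mount and permission restrictions the unit has — worth confirming that a user can only affect their own file. Note also that the `sftp.${hostName}.sp` vhost has no `forceSSL`, so the `auth_basic` credentials for `perso/` cross that listener in cleartext; that is acceptable only if `${hostName}.sp` is reachable solely over the WireGuard path the `wg-intra` logs suggest.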