-{ inputs, pkgs, lib, config, hostName, ... }:
+{ lib, hostName, ... }:
let
domain = "sourcephile.fr";
nginxRoot = "/var/lib/nginx/${domain}/sftp";
];
in
{
-fileSystems.${sftpRoot} = {
- device = "${hostName}/var/sftp";
- fsType = "zfs";
-};
-services.sanoid.datasets."${hostName}/var/sftp" = {
- use_template = [ "snap" ];
- daily = 31;
-};
-/*
-services.syncoid.commands = {
- "${hostName}/var/sftp" = {
+ fileSystems.${sftpRoot} = {
+ device = "${hostName}/var/sftp";
+ fsType = "zfs";
+ };
+ services.sanoid.datasets."${hostName}/var/sftp" = {
+ use_template = [ "snap" ];
+ daily = 31;
+ };
+ /*
+ services.syncoid.commands = {
+ "${hostName}/var/sftp" = {
sendOptions = "raw";
target = "backup@mermet.${networking.domain}:rpool/backup/${hostName}/var/sftp";
- };
-};
-*/
-services.nginx.virtualHosts = let
- indexConfig = ''
- autoindex on;
- fancyindex on;
- fancyindex_exact_size off;
- fancyindex_name_length 255;
- open_file_cache off;
- #open_file_cache_valid 1s;
- '';
- virtualHost = {
- root = nginxRoot;
- locations = lib.listToAttrs (map (user:
- lib.nameValuePair "/${user}/" {
+ };
+ };
+ */
+ services.nginx.virtualHosts =
+ let
+ indexConfig = ''
+ autoindex on;
+ fancyindex on;
+ fancyindex_exact_size off;
+ fancyindex_name_length 255;
+ open_file_cache off;
+ #open_file_cache_valid 1s;
+ '';
+ virtualHost = {
+ root = nginxRoot;
+ locations = lib.listToAttrs
+ (map
+ (user:
+ lib.nameValuePair "/${user}/" {
+ extraConfig = ''
+ location /${user}/public/ {
+ ${indexConfig}
+ }
+ location /${user}/perso/ {
+ ${indexConfig}
+ auth_basic secured;
+ auth_basic_user_file ${sftpRoot}/${user}/perso.htpasswd;
+ }
+ '';
+ }
+ )
+ sftpUsers) // {
+ "/".extraConfig = ''
+ return 403;
+ '';
+ };
+ };
+ in
+ {
+ "sftp.${hostName}.sp" = lib.mkMerge [
+ virtualHost
+ {
+ listenAddresses = [ "${hostName}.sp" ];
extraConfig = ''
- location /${user}/public/ {
- ${indexConfig}
- }
- location /${user}/perso/ {
- ${indexConfig}
- auth_basic secured;
- auth_basic_user_file ${sftpRoot}/${user}/perso.htpasswd;
- }
+ access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
+ error_log /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
'';
}
- ) sftpUsers) // {
- "/".extraConfig = ''
- return 403;
- '';
- };
+ ];
+ "sftp.${domain}" = lib.mkMerge [
+ virtualHost
+ {
+ forceSSL = true;
+ useACMEHost = domain;
+ extraConfig = ''
+ access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
+ error_log /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
+ '';
+ }
+ ];
+ };
+ systemd.services.nginx = {
+ serviceConfig = {
+ LogsDirectory = lib.mkForce [
+ "nginx/wg-intra/${hostName}/sftp"
+ "nginx/${domain}/${hostName}/sftp"
+ ];
+ BindReadOnlyPaths = lib.concatMap
+ (user: [
+ "${sftpRoot}/${user}/public:${nginxRoot}/${user}/public"
+ "${sftpRoot}/${user}/perso:${nginxRoot}/${user}/perso"
+ ])
+ sftpUsers;
+ };
+ };
+ fileSystems."${sftpRoot}/torrents" = {
+ device = "/var/lib/transmission/downloaded";
+ options = [ "bind" "ro" ];
};
- in {
- "sftp.${hostName}.wg" = lib.mkMerge [ virtualHost {
- listenAddresses = [ "${hostName}.wg" ];
- extraConfig = ''
- access_log /var/log/nginx/wg-intra/${hostName}/sftp/access.json json buffer=32k;
- error_log /var/log/nginx/wg-intra/${hostName}/sftp/error.log warn;
- '';
- } ];
- "sftp.${domain}" = lib.mkMerge [ virtualHost {
- forceSSL = true;
- useACMEHost = domain;
- extraConfig = ''
- access_log /var/log/nginx/${domain}/${hostName}/sftp/access.json json buffer=32k;
- error_log /var/log/nginx/${domain}/${hostName}/sftp/error.log warn;
- '';
- } ];
-};
-systemd.services.nginx = {
- serviceConfig = {
- LogsDirectory = lib.mkForce [
- "nginx/wg-intra/${hostName}/sftp"
- "nginx/${domain}/${hostName}/sftp"
- ];
- BindReadOnlyPaths = lib.concatMap (user: [
- "${sftpRoot}/${user}/public:${nginxRoot}/${user}/public"
- "${sftpRoot}/${user}/perso:${nginxRoot}/${user}/perso"
- ]) sftpUsers;
+ fileSystems."${sftpRoot}/podcasts" = {
+ device = "/home/julm/dl";
+ options = [ "bind" "ro" ];
};
-};
-fileSystems."${sftpRoot}/torrents" = {
- device = "/var/lib/transmission/downloaded";
- options = [ "bind" "ro" ];
-};
-fileSystems."${sftpRoot}/podcasts" = {
- device = "/home/julm/dl";
- options = [ "bind" "ro" ];
-};
-services.openssh.extraConfig = ''
- Match User sevy
- AllowAgentForwarding no
- AllowTcpForwarding no
- ChrootDirectory ${sftpRoot}
- ForceCommand internal-sftp
- X11Forwarding no
-'';
+ services.openssh.extraConfig = ''
+ Match User sevy
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ ChrootDirectory ${sftpRoot}
+ ForceCommand internal-sftp -u 0002
+ X11Forwarding no
+ '';
}
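Review bot: The `ForceCommand internal-sftp -u 0002` line relaxes the umask for user sevy so every file created over SFTP is group-writable, but the hunk gives no reason for it, and the same chroot tree holds `${sftpRoot}/${user}/perso.htpasswd`, the credential file nginx reads for the `perso` locations; whether the wider umask weakens that file's protection depends on group ownership inside `${sftpRoot}`, which this page does not show. A one-line comment above the `Match User sevy` block stating why 0002 is required and which group is expected to write there would let the next reader verify the exposure, e.g. `# -u 0002: uploads must be group-writable for <group — confirm>; keep perso.htpasswd out of that group`. Separately, the argument set on the first line now drops `config`, while the still-commented syncoid block references `${networking.domain}`; if that block is ever re-enabled it will not evaluate, so either rewrite it as `config.networking.domain` when `config` is restored or note that in the comment.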