losurdo: vnstat: enable service
[sourcephile-nix.git] / hosts / mermet / nginx / autogeree.net / www.nix
index afdec9390bbbf532b5deaefbb86e8a5c8fc33a93..e644af7fd3b94f3e38a3a30e8a53ed6355ece383 100644 (file)
@@ -1,64 +1,67 @@
 { domain, ... }:
-{ pkgs, lib, config, ... }:
+{ lib, config, inputs, hostName, ... }:
 let
-  inherit (config) networking;
-  inherit (config.security) gnupg;
   inherit (config.services) nginx;
   srv = "www";
   root = "/var/lib/nginx/${domain}";
 in
 {
-systemd.services.nginx.serviceConfig = {
-  BindPaths = [
-    "/home/julm/work/perso:${root}/julm"
-  ];
-  StateDirectory = [
-    "nginx/${domain}/julm"
-  ];
-  LogsDirectory = lib.mkForce [
-    "nginx/${domain}/${srv}"
-  ];
-};
-services.nginx = {
-  virtualHosts."${domain}.${srv}" = {
-    serverAliases = [ domain ];
-    forceSSL = true;
-    useACMEHost = domain;
-    root = "${root}/${srv}";
-    extraConfig = ''
-      access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
-      error_log  /var/log/nginx/${domain}/${srv}/error.log warn;
-    '';
-    locations."/".extraConfig = ''
-      #autoindex on;
-      fancyindex on;
-      fancyindex_name_length 255;
-      fancyindex_exact_size off;
-    '';
-    locations."/julm/" = {
-      alias = "${root}/julm/";
+  systemd.services.nginx.serviceConfig = {
+    LogsDirectory = lib.mkForce [
+      "nginx/${domain}/${srv}"
+    ];
+    LoadCredentialEncrypted = [
+      "${domain}.${srv}.julm.PC.htpasswd:${./. + "/${srv}/julm/PC/htpasswd.cred"}"
+      "${domain}.${srv}.julm.perso.camera.htpasswd:${./. + "/${srv}/julm/perso/camera.htpasswd.cred"}"
+    ];
+  };
+  services.nginx = {
+    virtualHosts."${domain}.${srv}" = {
+      serverAliases = [ domain ];
+      forceSSL = true;
+      useACMEHost = domain;
+      root = "${root}/${srv}";
       extraConfig = ''
-        autoindex off;
+        access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
+        error_log  /var/log/nginx/${domain}/${srv}/error.log warn;
       '';
-    };
-    locations."/julm/PC/" = {
-      alias = "${root}/julm/PC/";
-      basicAuthFile = gnupg.secrets."nginx/${domain}/${srv}/julm/PC/htpasswd".path;
-      extraConfig = ''
+      locations."/".extraConfig = ''
+        #autoindex on;
         fancyindex on;
         fancyindex_name_length 255;
         fancyindex_exact_size off;
       '';
+      locations."/julm/" = {
+        alias = "${root}/julm/";
+        extraConfig = ''
+          autoindex off;
+        '';
+      };
+      locations."/julm/PC/" = {
+        alias = "${root}/julm/PC/";
+        basicAuthFile = "/run/credentials/nginx.service/${domain}.${srv}.julm.PC.htpasswd";
+        extraConfig = ''
+          fancyindex on;
+          fancyindex_name_length 255;
+          fancyindex_exact_size off;
+        '';
+      };
+      locations."/julm/perso/camera/" = {
+        alias = "${root}/julm/perso/camera/";
+        basicAuthFile = "/run/credentials/nginx.service/${domain}.${srv}.julm.perso.camera.htpasswd";
+        extraConfig = ''
+          fancyindex on;
+          fancyindex_name_length 255;
+          fancyindex_exact_size off;
+        '';
+      };
+      # Disable basicAuthFile for by-uuid
+      locations."~ ^/julm/perso/camera/([0-9]+/[0-9][0-9]/by-uuid/[0-9a-f-]+/.+)$" = {
+        alias = "${root}/julm/perso/camera/$1";
+        extraConfig = ''
+          autoindex off;
+        '';
+      };
     };
   };
-};
-security.gnupg.secrets = {
-  "nginx/${domain}/${srv}/julm/PC/htpasswd" = {
-    # Generated with: echo "$user:$(openssl passwd -apr1)"
-    systemdConfig.before = [ "nginx.service" ];
-    systemdConfig.wantedBy = [ "nginx.service" ];
-    user = nginx.user;
-    group = nginx.group;
-  };
-};
 }
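Review bot: The regex location at the end of the hunk drops `basicAuthFile` for by-uuid paths, so the UUID segment is the only access control there, yet `[0-9a-f-]+` accepts any non-empty run of hex digits and dashes rather than a UUID. If the directories are canonical UUIDs, replace it with `[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`; nginx needs the whole pattern quoted once it contains braces. The comment above it should state the assumption, for example `# No basic auth under by-uuid: the UUID in the path is the only secret; these URLs also end up in the access log`. Separately, `inputs`, `hostName` and the `inherit (config.services) nginx;` binding appear unused on the new side of this file.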