inherit (config.security) gnupg;
inherit (config.services) nginx;
srv = "losurdo";
+ root = "/var/lib/nginx";
onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
in
{
security.gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key" = {};
security.gnupg.secrets."tor/auth/julm" = {};
services.nginx = {
- virtualHosts."${srv}" = {
- serverName = "${srv}.${domain}";
+ virtualHosts."${srv}.${domain}" = {
serverAliases = [ domain "${onion}.onion" ];
- listen = [
- { addr="127.0.0.1"; port = 80; ssl = false; }
- { addr="[::1]"; port = 80; ssl = false; }
- { addr="0.0.0.0"; port = 8443; ssl = true; }
- { addr="[::]"; port = 8443; ssl = true; }
- ];
#onlySSL = true;
- #forceSSL = true;
- addSSL = true;
+ #addSSL = true;
+ forceSSL = true;
useACMEHost = domain;
- root = "/var/lib/nginx";
+ root = root;
extraConfig = ''
access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
error_log /var/log/nginx/${domain}/${srv}/error.log warn;
'';
locations."/".extraConfig = ''
- autoindex off;
+ #autoindex on;
+ return 444;
'';
locations."/julm".extraConfig = ''
autoindex on;
fancyindex on;
fancyindex_exact_size off;
fancyindex_name_length 255;
+ open_file_cache off;
+ #open_file_cache_valid 1s;
'';
locations."/sevy".extraConfig = ''
auth_basic "sevy's area";
};
};
systemd.services.nginx = {
- serviceConfig.LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
+ serviceConfig = {
+ LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
+ BindReadOnlyPaths = [
+ "/home/julm/work/sourcephile/web:${root}/julm"
+ "/home/julm/dl:${root}/dl"
+ "/home/julm/work/sourcephile/haskell:${root}/haskell"
+ ];
+ };
wants = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
after = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
};
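Review bot: `forceSSL = true;` now applies to the `${onion}.onion` entry in `serverAliases` as well, so a plain-HTTP request arriving through the hidden service gets redirected to `https://<onion>.onion/`, which the ACME certificate obtained via `useACMEHost = domain` does not cover; if the onion is meant to stay HTTP-only, give it its own virtualHost (or keep `addSSL` there) instead of sharing this one. Dropping the explicit `listen` block also moves the cleartext listener from loopback-only port 80 to the NixOS defaults on all interfaces, so what was reachable only through Tor is now public — confirm that is intended. The new `BindReadOnlyPaths` entries for `${root}/dl` and `${root}/haskell` have no matching `locations` in this hunk, so requests for them fall under `location /` and its `return 444;`; either add the locations or drop the mounts so nothing from `/home/julm` is mapped into the service namespace without a purpose. With `autoindex on;` and `fancyindex on;` under `/julm`, the whole bind-mounted source tree is browsable (dotfiles included, as far as I recall), so a `fancyindex_ignore` for entries like `.git` is worth adding. Minor: `root = root;` reads more clearly as `inherit root;`.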