public-inbox: rewrite the module
[sourcephile-nix.git] / machines / losurdo / nginx / sourcephile.fr / losurdo.nix
index 83f9ca3389d180904dad3236d01a7f7944f7ae55..48849cbfdcaa9e4bab23bff7be19306c14250d83 100644 (file)
@@ -5,6 +5,7 @@ let
   inherit (config.security) gnupg;
   inherit (config.services) nginx;
   srv = "losurdo";
+  root = "/var/lib/nginx";
   onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
 in
 {
@@ -28,32 +29,28 @@ services.tor = {
 security.gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key" = {};
 security.gnupg.secrets."tor/auth/julm" = {};
 services.nginx = {
-  virtualHosts."${srv}" = {
-    serverName = "${srv}.${domain}";
+  virtualHosts."${srv}.${domain}" = {
     serverAliases = [ domain "${onion}.onion" ];
-    listen = [
-      { addr="127.0.0.1"; port = 80; ssl = false; }
-      { addr="[::1]"; port = 80; ssl = false; }
-      { addr="0.0.0.0"; port = 8443; ssl = true; }
-      { addr="[::]"; port = 8443; ssl = true; }
-    ];
     #onlySSL = true;
-    #forceSSL = true;
-    addSSL = true;
+    #addSSL = true;
+    forceSSL = true;
     useACMEHost = domain;
-    root = "/var/lib/nginx";
+    root = root;
     extraConfig = ''
       access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
       error_log  /var/log/nginx/${domain}/${srv}/error.log warn;
     '';
     locations."/".extraConfig = ''
-      autoindex off;
+      #autoindex on;
+      return 444;
     '';
     locations."/julm".extraConfig = ''
       autoindex on;
       fancyindex on;
       fancyindex_exact_size off;
       fancyindex_name_length 255;
+      open_file_cache off;
+      #open_file_cache_valid 1s;
     '';
     locations."/sevy".extraConfig = ''
       auth_basic "sevy's area";
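Review bot: Switching from `addSSL` to `forceSSL` while keeping `"${onion}.onion"` in `serverAliases` means plain-HTTP requests that arrive over the onion service will be answered with a redirect to `https://${onion}.onion/`, and the only certificate this vhost references is the ACME one for `${domain}` (`useACMEHost = domain`), so Tor clients would presumably land on a certificate-name mismatch unless the onion name is handled elsewhere; consider a separate non-SSL vhost for the onion alias, or dropping it from this one. Dropping the explicit `listen` list also moves the TLS listener from port 8443 to nginx's default 443 on all addresses, which is probably intended but worth a one-line comment since nothing in the hunk says so. The new `open_file_cache off;` under `/julm` has no rationale recorded; the commented `#open_file_cache_valid 1s;` next to it hints at content that changes underneath nginx, so a comment such as `# served from a read-only bind mount of a home directory that is edited in place; do not cache file handles` (confirm the reason) would help the next reader. Minor style: `root = root;` reads as a typo for a `rec` attribute and could be written `inherit root;`. The `services.nginx` attribute set continues past the end of this hunk.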
@@ -63,7 +60,14 @@ services.nginx = {
   };
 };
 systemd.services.nginx = {
-  serviceConfig.LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
+  serviceConfig = {
+    LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
+    BindReadOnlyPaths = [
+      "/home/julm/work/sourcephile/web:${root}/julm"
+      "/home/julm/dl:${root}/dl"
+      "/home/julm/work/sourcephile/haskell:${root}/haskell"
+    ];
+  };
   wants = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
   after = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
 };
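Review bot: The three `BindReadOnlyPaths` entries mount directories from a user's home into the nginx document root without a comment saying what each one serves, and only the `${root}/julm` target has a matching `locations."/julm"` block in the previous hunk, where `locations."/"` now does `return 444;`, so `${root}/dl` and `${root}/haskell` look unreachable unless locations for them are defined outside this diff. A short comment above the list, e.g. `# read-only views of julm's home into the nginx root; content under these paths is controlled by that user, and nginx will follow symlinks inside them`, would record the trust boundary being introduced. It would also be worth noting that the nginx service's existing home-directory protections still apply to anything not listed here (I cannot verify the unit's hardening options from this diff).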