{ domain, ... }:
-{ pkgs, lib, config, ... }:
+{ lib, config, hostName, ... }:
let
- inherit (config) networking;
inherit (config.security) gnupg;
inherit (config.services) nginx;
- srv = "losurdo";
root = "/var/lib/nginx";
onion = "dfc66yn2fundui5yvq2ndx4nmcmbxpho4ji32tlc4cncrjvs2b5yu4id";
in
{
-services.tor = {
- relay.onionServices."nginx/${domain}/${srv}" = {
- secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
- map = [
- 80
- #{ port = 443; target = { port = 8443; }; }
- ];
- authorizedClients = [
+ services.tor = {
+ relay.onionServices."nginx/${domain}/${hostName}" = {
+ secretKey = gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key".path;
+ map = [
+ 80
+ #{ port = 443; target = { port = 8443; }; }
+ ];
+ /*
+ authorizedClients = [
"descriptor:x25519:2EZQ3AOZXERDVSN6WO5LNSCOIIPL2AT2A7KOS4ZIYNVQDR5EFM2Q" # julm
- ];
- };
- client.onionServices.${onion} = {
- clientAuthorizations = [
+ ];
+ */
+ };
+ /*
+ client.onionServices.${onion} = {
+ clientAuthorizations = [
gnupg.secrets."tor/auth/julm".path
- ];
+ ];
+ };
+ */
+ };
+ security.gnupg.secrets = lib.genAttrs [
+ "tor/onion/${onion}/hs_ed25519_secret_key"
+ "tor/auth/julm"
+ ]
+ (_secret: {
+ systemdConfig.before = [ "tor.service" ];
+ systemdConfig.wantedBy = [ "tor.service" ];
+ }) // {
+ "nginx/perso/htpasswd" = {
+ # Generated with: for i in $PASSWORD_STORE_DIR/hosts/losurdo/nginx/perso/htpasswd/*.gpg; do i="${i#$PASSWORD_STORE_DIR/}"; i=${i%.gpg}; printf %s: "${i##*/}"; pass $i | openssl passwd -apr1 -stdin; done | pass insert -m hosts/losurdo/nginx/perso/htpasswd
+ # Then: nix flake lock --update-input pass
+ systemdConfig.before = [ "nginx.service" ];
+ systemdConfig.wantedBy = [ "nginx.service" ];
+ user = nginx.user;
+ group = nginx.group;
+ };
};
-};
-security.gnupg.secrets."tor/onion/${onion}/hs_ed25519_secret_key" = {
- systemdConfig.before = [ "tor.service" ];
- systemdConfig.wantedBy = [ "tor.service" ];
-};
-security.gnupg.secrets."tor/auth/julm" = {
- systemdConfig.before = [ "tor.service" ];
- systemdConfig.wantedBy = [ "tor.service" ];
-};
-services.nginx = {
- virtualHosts."${srv}.${domain}" = {
- serverAliases = [ domain "${onion}.onion" ];
- #onlySSL = true;
- #addSSL = true;
- forceSSL = true;
- useACMEHost = domain;
- root = root;
- extraConfig = ''
- access_log /var/log/nginx/${domain}/${srv}/access.log json buffer=32k;
- error_log /var/log/nginx/${domain}/${srv}/error.log warn;
- '';
- locations."/".extraConfig = ''
- #autoindex on;
- return 444;
- '';
- locations."/julm".extraConfig = ''
- autoindex on;
- fancyindex on;
- fancyindex_exact_size off;
- fancyindex_name_length 255;
- open_file_cache off;
- #open_file_cache_valid 1s;
- '';
- locations."/haskell".extraConfig = ''
- autoindex on;
- fancyindex on;
- fancyindex_exact_size off;
- fancyindex_name_length 255;
- open_file_cache off;
- #open_file_cache_valid 1s;
- '';
- locations."/sevy".extraConfig = ''
- auth_basic "sevy's area";
- auth_basic_user_file ${gnupg.secrets."nginx/sevy/htpasswd".path};
- autoindex off;
- '';
+ services.nginx = {
+ virtualHosts."${onion}.onion" = {
+ root = root + "/dl";
+ extraConfig = ''
+ access_log /var/log/nginx/${domain}/${hostName}/access.json json buffer=32k;
+ error_log /var/log/nginx/${domain}/${hostName}/error.log warn;
+ '';
+ locations."/".extraConfig = ''
+ autoindex on;
+ fancyindex on;
+ fancyindex_exact_size off;
+ fancyindex_name_length 255;
+ open_file_cache off;
+ #open_file_cache_valid 1s;
+ '';
+ };
+ virtualHosts."${hostName}.${domain}" = {
+ serverAliases = [ domain ];
+ #onlySSL = true;
+ #addSSL = true;
+ forceSSL = true;
+ useACMEHost = domain;
+ root = root;
+ extraConfig = ''
+ access_log /var/log/nginx/${domain}/${hostName}/access.json json buffer=32k;
+ error_log /var/log/nginx/${domain}/${hostName}/error.log warn;
+ '';
+ locations."/".extraConfig = ''
+ #autoindex on;
+ return 444;
+ '';
+ locations."/dl".extraConfig = ''
+ autoindex on;
+ fancyindex on;
+ fancyindex_exact_size off;
+ fancyindex_name_length 255;
+ open_file_cache off;
+ #open_file_cache_valid 1s;
+ '';
+ locations."/julm".extraConfig = ''
+ autoindex on;
+ fancyindex on;
+ fancyindex_exact_size off;
+ fancyindex_name_length 255;
+ open_file_cache off;
+ #open_file_cache_valid 1s;
+ '';
+ locations."/haskell".extraConfig = ''
+ autoindex on;
+ fancyindex on;
+ fancyindex_exact_size off;
+ fancyindex_name_length 255;
+ open_file_cache off;
+ #open_file_cache_valid 1s;
+ '';
+ locations."/perso" = {
+ basicAuthFile = gnupg.secrets."nginx/perso/htpasswd".path;
+ extraConfig = ''
+ autoindex on;
+ '';
+ };
+ };
};
-};
-systemd.services.nginx = {
- serviceConfig = {
- LogsDirectory = lib.mkForce ["nginx/${domain}/${srv}"];
- BindReadOnlyPaths = [
- "/home/julm/work/sourcephile/web:${root}/julm"
- "/home/julm/dl:${root}/dl"
- "/home/julm/work/sourcephile/haskell:${root}/haskell"
- ];
+ systemd.services.nginx = {
+ serviceConfig = {
+ LogsDirectory = lib.mkForce [
+ "nginx/${domain}/${hostName}"
+ "nginx/wg-intra/${hostName}"
+ ];
+ BindReadOnlyPaths = [
+ "/home/julm/work/sourcephile/web:${root}/julm"
+ "/home/julm/dl:${root}/dl"
+ "/home/julm/work/sourcephile/haskell:${root}/haskell"
+ "/home/julm/perso:${root}/perso"
+ ];
+ };
};
- wants = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
- after = [ gnupg.secrets."nginx/sevy/htpasswd".service ];
-};
-security.gnupg.secrets."nginx/sevy/htpasswd" = {
- # Generated with: echo "$user:$(openssl passwd -apr1)"
- user = nginx.user;
- group = nginx.group;
-};
}
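Review bot: The generation recipe in the comment on the `nginx/perso/htpasswd` secret still hashes with `openssl passwd -apr1`, i.e. MD5-based apr1, although nginx verifies `auth_basic_user_file` entries through the system crypt(3), which on glibc accepts SHA-512-crypt, so `pass $i | openssl passwd -6 -stdin` would produce stronger hashes with no other change to the config. Separately, `"tor/auth/julm"` is still decrypted and provisioned before `tor.service` in the `lib.genAttrs` list even though its only consumer, `client.onionServices.${onion}.clientAuthorizations`, is now commented out, so that key material is materialized on disk for nothing; drop it from the list or comment it out alongside. With `authorizedClients` also commented out the onion service becomes reachable by any Tor client, which is consistent with the public `/dl` listing the `${onion}.onion` vhost now serves, but that is presumably intentional rather than an oversight. The `nginx/wg-intra/${hostName}` log directory added to `LogsDirectory` has no vhost in this file, so it is presumably consumed by another module.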