infra/pastila/srv.nix

{ config, lib, pkgs, ... }:

let
  up_dir = "/srv/up";
  isomorphisme_dir = "/srv/isomorphis.me";
in
{
  services.nginx.enable = true;

  # nginx runs under ProtectHome=true which disallows reading anywhere
  # in /home. So we need to use a different location.
  users.users."up" = {
    isNormalUser = true;
    home = up_dir;
    # group = config.services.nginx.group;
    group = "nginx";
    # Unsure why this is broken, but couldn't make things work without
    # creating the directory by hand.
    # TODO: this might have been because I used up_dir = /srv/up before;
    # maybe this would work now?
    # createHome = true;
    # homeMode = "750";
  };

  services.nginx.virtualHosts."srv.isomorphis.me" = {
    forceSSL = true;
    enableACME = true;
    root = up_dir;
    locations = {
      "/" = {
        extraConfig = "autoindex on;";
      };
      "/.ssh" = {
        return = "403";
      };
      "/i/" = {
        extraConfig = "autoindex off;";
      };
    };
  };

  services.nginx.virtualHosts."isomorphis.me" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      root = isomorphisme_dir;
    };
  };

  system.activationScripts."srv-permissions" = ''
    chown -R up:nginx /srv/up
    chown -R nginx:nginx /srv/isomorphis.me
  '';
}
pastila: srv 2024-06-01 10:53:00 +00:00			`{ config, lib, pkgs, ... }:`

bleh 2024-06-01 17:19:37 +00:00			`let`
pastila: fix srv: do not import data into the store 2024-06-16 09:04:59 +00:00			`up_dir = "/srv/up";`
			`isomorphisme_dir = "/srv/isomorphis.me";`
bleh 2024-06-01 17:19:37 +00:00			`in`
pastila: srv 2024-06-01 10:53:00 +00:00			`{`
			`services.nginx.enable = true;`

tweak srv 2024-06-01 16:45:55 +00:00			`# nginx runs under ProtectHome=true which disallows reading anywhere`
			`# in /home. So we need to use a different location.`
pastila: srv 2024-06-01 10:53:00 +00:00			`users.users."up" = {`
			`isNormalUser = true;`
bleh 2024-06-01 17:19:37 +00:00			`home = up_dir;`
pastila: weechat-relay 2024-06-01 17:34:21 +00:00			`# group = config.services.nginx.group;`
			`group = "nginx";`
bleh 2024-06-01 17:19:37 +00:00			`# Unsure why this is broken, but couldn't make things work without`
			`# creating the directory by hand.`
pastila: fix srv: do not import data into the store 2024-06-16 09:04:59 +00:00			`# TODO: this might have been because I used up_dir = /srv/up before;`
			`# maybe this would work now?`
bleh 2024-06-01 17:19:37 +00:00			`# createHome = true;`
			`# homeMode = "750";`
pastila: srv 2024-06-01 10:53:00 +00:00			`};`

			`services.nginx.virtualHosts."srv.isomorphis.me" = {`
			`forceSSL = true;`
			`enableACME = true;`
bleh 2024-06-01 17:19:37 +00:00			`root = up_dir;`
pastila: nginx: isomorphis.me 2024-06-01 18:22:49 +00:00			`locations = {`
bleh 2024-06-01 17:19:37 +00:00			`"/" = {`
			`extraConfig = "autoindex on;";`
			`};`
			`"/.ssh" = {`
			`return = "403";`
			`};`
			`"/i/" = {`
			`extraConfig = "autoindex off;";`
			`};`
pastila: srv 2024-06-01 10:53:00 +00:00			`};`
			`};`
pastila: nginx: isomorphis.me 2024-06-01 18:22:49 +00:00
			`services.nginx.virtualHosts."isomorphis.me" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`root = isomorphisme_dir;`
			`};`
			`};`

			`system.activationScripts."srv-permissions" = ''`
			`chown -R up:nginx /srv/up`
			`chown -R nginx:nginx /srv/isomorphis.me`
			`'';`
pastila: srv 2024-06-01 10:53:00 +00:00			`}`