dotfiles/nixos/services/pub.nix

{ config, pkgs, lib, ... }:
let cfg = config.services.yorick.public;
in {
  options.services.yorick.public = {
    enable = lib.mkEnableOption "public hosting";
    vhost = lib.mkOption { type = lib.types.str; };
  };
  #imports = [../modules/nginx.nix];
  config = lib.mkIf cfg.enable {
    systemd.services.nginx.serviceConfig = {
      ProtectHome = "tmpfs";
      UMask = lib.mkForce "0022";
      BindReadOnlyPaths = [ "/home/public/public" ];
    };
    users.users.public = {
      home = "/home/public";
      group = "public";
      useDefaultShell = true;
      isSystemUser = true;
      openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [ public ];
      createHome = false; # sets wrong permissions
    };
    users.groups.public = {};
    services.nginx.virtualHosts.${cfg.vhost} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        root = "/home/public/public";
        index = "index.html";
      };
    };
  };
}
change all the things 2016-01-28 02:59:31 +01:00			`{ config, pkgs, lib, ... }:`
nixfmt 2021-05-29 18:05:31 +02:00			`let cfg = config.services.yorick.public;`
			`in {`
update for 18.03 2018-03-11 18:28:25 +01:00			`options.services.yorick.public = {`
			`enable = lib.mkEnableOption "public hosting";`
initial commit 2020-05-21 17:39:38 +02:00			`vhost = lib.mkOption { type = lib.types.str; };`
update for 18.03 2018-03-11 18:28:25 +01:00			`};`
update frumar 2016-12-25 00:14:47 +01:00			`#imports = [../modules/nginx.nix];`
update for 18.03 2018-03-11 18:28:25 +01:00			`config = lib.mkIf cfg.enable {`
update 2021-05-23 17:19:28 +02:00			`systemd.services.nginx.serviceConfig = {`
			`ProtectHome = "tmpfs";`
frumar: fix /home/public permissions 2021-06-07 00:07:29 +02:00			`UMask = lib.mkForce "0022";`
update 2021-05-23 17:19:28 +02:00			`BindReadOnlyPaths = [ "/home/public/public" ];`
			`};`
update 2021-10-18 14:42:53 +02:00			`users.users.public = {`
change all the things 2016-01-28 02:59:31 +01:00			`home = "/home/public";`
update 2021-10-18 14:42:53 +02:00			`group = "public";`
change all the things 2016-01-28 02:59:31 +01:00			`useDefaultShell = true;`
pennyworth: update 2021-06-06 19:34:30 +02:00			`isSystemUser = true;`
nixfmt 2021-05-29 18:05:31 +02:00			`openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [ public ];`
frumar: fix /home/public permissions 2021-06-07 00:07:29 +02:00			`createHome = false; # sets wrong permissions`
change all the things 2016-01-28 02:59:31 +01:00			`};`
update 2021-10-18 14:42:53 +02:00			`users.groups.public = {};`
update for 18.03 2018-03-11 18:28:25 +01:00			`services.nginx.virtualHosts.${cfg.vhost} = {`
update frumar 2016-12-25 00:14:47 +01:00			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`root = "/home/public/public";`
			`index = "index.html";`
encrypt pub 2016-07-29 19:04:28 +02:00			`};`
update frumar 2016-12-25 00:14:47 +01:00			`};`
change all the things 2016-01-28 02:59:31 +01:00			`};`
			`}`