yuzuru/schabernack: Init

Simon Bruder 2021-12-11 20:28:44 +01:00
parent 398ca91aa5
commit 2fabf49a06
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
2 changed files with 73 additions and 0 deletions


@ -9,6 +9,7 @@
./services/libreddit.nix ./services/libreddit.nix
./services/nitter.nix ./services/nitter.nix
./services/sbruder.xyz ./services/sbruder.xyz
./services/schabernack.nix
]; ];
sbruder = { sbruder = {


@ -0,0 +1,72 @@
{ config, lib, pkgs, ... }:
let
domain = "schulischer-schabernack.de";
in
{
services.nginx = {
commonHttpConfig = ''
# privacy-aware log format
log_format schabernack '$remote_addr_schabernack - - [$time_local] "$request" $status $body_bytes_sent "-" "$http_user_agent"';
# anonymise ip address
map $remote_addr $remote_addr_schabernack {
~(?P<ip>\d+\.\d+)\. $ip.0.0;
~(?P<ip>[^:]+:[^:]+): $ip::;
default 0.0.0.0;
}
'';
virtualHosts = {
${domain} = {
forceSSL = true;
enableACME = true;
root = "/var/www/schabernack/production";
# only log page views, rss feed access, media file download and embed views
extraConfig = ''
location ~ index\.html|rss\.xml|\.(opus|m4a|ogg|mp3|\.podlove.json)$ {
access_log /var/log/nginx/schabernack.log schabernack;
}
'';
};
"www.${domain}" = {
forceSSL = true;
enableACME = true;
globalRedirect = domain;
extraConfig = ''
access_log off;
'';
};
"staging.${domain}" = {
forceSSL = true;
enableACME = true;
root = "/var/www/schabernack/staging";
extraConfig = ''
access_log off;
'';
};
};
};
systemd.tmpfiles.rules = [
"d /var/www/schabernack/production 0755 schabernack root -"
"d /var/www/schabernack/staging 0755 schabernack root -"
];
users = {
users.schabernack = {
isSystemUser = true;
group = "schabernack";
shell = "/bin/sh";
openssh.authorizedKeys.keys = map
(key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/schabernack/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}")
config.sbruder.pubkeys.trustedKeys;
};
groups.schabernack = { };
};
}
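Review bot: The logging `location` regex in the production vhost's `extraConfig` does not match what its comment describes: the trailing `$` binds only to the last alternative, so `index\.html` and `rss\.xml` match anywhere in the URI, and because the group is already preceded by `\.`, the `\.podlove.json` branch requires two consecutive dots, so ordinary `*.podlove.json` embed requests are not caught. Grouping the alternatives fixes both, e.g. `location ~ (index\.html|rss\.xml|\.(opus|m4a|ogg|mp3)|\.podlove\.json)$ {`. Requests that miss this location fall back to whatever `access_log` is inherited from the http level, which (unless it is disabled elsewhere in the configuration) presumably records the unmasked `$remote_addr`; adding `access_log off;` ahead of the location, as the `www` and `staging` hosts already do, would make the "only log …" comment hold. Separately, the authorized_keys line lists each `no-*` option by hand; OpenSSH's `restrict` keyword disables those features and any added in later releases, so `restrict,command="…"` is the more future-proof form for this upload-only key.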