{ config, lib, pkgs, ... }: let domain = "schulischer-schabernack.de"; in { services.nginx = { commonHttpConfig = '' # privacy-aware log format log_format schabernack '$remote_addr_schabernack - - [$time_local] "$request" $status $body_bytes_sent "-" "$http_user_agent"'; # anonymise ip address map $remote_addr $remote_addr_schabernack { ~(?P\d+\.\d+)\. $ip.0.0; ~(?P[^:]+:[^:]+): $ip::; default 0.0.0.0; } ''; virtualHosts = { ${domain} = { forceSSL = true; enableACME = true; root = "/var/www/schabernack/production"; # only log page views, rss feed access, media file download and embed views extraConfig = '' location ~ index\.html|rss\.xml|\.(opus|m4a|ogg|mp3|\.podlove.json)$ { access_log /var/log/nginx/schabernack.log schabernack; } ''; }; "www.${domain}" = { forceSSL = true; enableACME = true; globalRedirect = domain; extraConfig = '' access_log off; ''; }; }; }; systemd.tmpfiles.rules = [ "d /var/www/schabernack/production 0755 schabernack root -" ]; users = { users.schabernack = { isSystemUser = true; group = "schabernack"; shell = "/bin/sh"; openssh.authorizedKeys.keys = map (key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/schabernack/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}") config.sbruder.pubkeys.trustedKeys; }; groups.schabernack = { }; }; }