nixos-config/machines/yuzuru/services/schabernack.nix


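{ config, lib, pkgs, ... }:
# nginx virtual hosts for schulischer-schabernack.de (production, www redirect
# and staging) plus the unprivileged deploy user that receives the site
# content over a restricted, write-only rsync.
let
  domain = "schulischer-schabernack.de";
  # Parent of the production/staging document roots; also the only path the
  # deploy keys may write to.
  webRoot = "/var/www/schabernack";
  # Forced command for the deploy keys: rrsync confines rsync to webRoot,
  # "-wo" makes it write-only so the keys cannot read anything back.
  deployCommand = "${pkgs.rrsync}/bin/rrsync -wo ${webRoot}/";
  # Every key gets the forced command and has pty, user rc files and all
  # forwarding disabled, so the key is usable for nothing but the upload.
  deployKeyOptions = "command=\"${deployCommand}\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding";
in
{
  services.nginx = {
    commonHttpConfig = ''
      # privacy-aware log format: truncated client address, no referrer
      log_format schabernack '$remote_addr_schabernack - - [$time_local] "$request" $status $body_bytes_sent "-" "$http_user_agent"';
      # anonymise ip address: keep the first two IPv4 octets / IPv6 groups,
      # anything unrecognised is logged as 0.0.0.0
      map $remote_addr $remote_addr_schabernack {
        ~(?P<ip>\d+\.\d+)\. $ip.0.0;
        ~(?P<ip>[^:]+:[^:]+): $ip::;
        default 0.0.0.0;
      }
    '';
    virtualHosts = {
      ${domain} = {
        forceSSL = true;
        enableACME = true;
        root = "${webRoot}/production";
        # only log page views, rss feed access, media file download and embed views
        # All alternatives are grouped so the trailing "$" anchors each of
        # them. ".podlove.json" used to sit inside the "\.(...)" group and
        # therefore required two consecutive dots, so embed views were never
        # matched; it is now its own, properly escaped alternative.
        extraConfig = ''
          location ~ (index\.html|rss\.xml|\.(opus|m4a|ogg|mp3)|\.podlove\.json)$ {
            access_log /var/log/nginx/schabernack.log schabernack;
          }
        '';
      };
      "www.${domain}" = {
        forceSSL = true;
        enableACME = true;
        globalRedirect = domain;
        extraConfig = ''
          access_log off;
        '';
      };
      "staging.${domain}" = {
        forceSSL = true;
        enableACME = true;
        root = "${webRoot}/staging";
        extraConfig = ''
          access_log off;
        '';
      };
    };
  };
  # Document roots are owned by the deploy user; world-readable so nginx can
  # serve them.
  systemd.tmpfiles.rules = [
    "d ${webRoot}/production 0755 schabernack root -"
    "d ${webRoot}/staging 0755 schabernack root -"
  ];
  users = {
    users.schabernack = {
      isSystemUser = true;
      group = "schabernack";
      # sshd runs the forced command through the account's shell, so the
      # deploy user needs a real one even though no interactive login exists.
      shell = "/bin/sh";
      # Every trusted key may upload, but only via the restricted command above.
      openssh.authorizedKeys.keys =
        map (key: "${deployKeyOptions} ${key}") config.sbruder.pubkeys.trustedKeys;
    };
    groups.schabernack = { };
  };
}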