73 lines
1.9 KiB
Nix
73 lines
1.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
domain = "schulischer-schabernack.de";
|
|
in
|
|
{
|
|
services.nginx = {
|
|
commonHttpConfig = ''
|
|
# privacy-aware log format
|
|
log_format schabernack '$remote_addr_schabernack - - [$time_local] "$request" $status $body_bytes_sent "-" "$http_user_agent"';
|
|
|
|
# anonymise ip address
|
|
map $remote_addr $remote_addr_schabernack {
|
|
~(?P<ip>\d+\.\d+)\. $ip.0.0;
|
|
~(?P<ip>[^:]+:[^:]+): $ip::;
|
|
default 0.0.0.0;
|
|
}
|
|
'';
|
|
|
|
virtualHosts = {
|
|
${domain} = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
|
|
root = "/var/www/schabernack/production";
|
|
|
|
# only log page views, rss feed access, media file download and embed views
|
|
extraConfig = ''
|
|
location ~ index\.html|rss\.xml|\.(opus|m4a|ogg|mp3|\.podlove.json)$ {
|
|
access_log /var/log/nginx/schabernack.log schabernack;
|
|
}
|
|
'';
|
|
};
|
|
"www.${domain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
globalRedirect = domain;
|
|
|
|
extraConfig = ''
|
|
access_log off;
|
|
'';
|
|
};
|
|
"staging.${domain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
|
|
root = "/var/www/schabernack/staging";
|
|
|
|
extraConfig = ''
|
|
access_log off;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d /var/www/schabernack/production 0755 schabernack root -"
|
|
"d /var/www/schabernack/staging 0755 schabernack root -"
|
|
];
|
|
|
|
users = {
|
|
users.schabernack = {
|
|
isSystemUser = true;
|
|
group = "schabernack";
|
|
shell = "/bin/sh";
|
|
|
|
openssh.authorizedKeys.keys = map
|
|
(key: "command=\"${pkgs.rrsync}/bin/rrsync -wo /var/www/schabernack/\",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ${key}")
|
|
config.sbruder.pubkeys.trustedKeys;
|
|
};
|
|
groups.schabernack = { };
|
|
};
|
|
}
|