author | makefu <github@syntax-fehler.de> | 2023-07-28 22:24:15 +0200 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2023-07-28 22:24:15 +0200 |
commit | 060a8f28fa1fc648bdf66afb31a5d1efac868837 (patch) | |
tree | 2b354eacc7897365ee45244fe7a51720e0d0333f /makefu/2configs/bgt/download.binaergewitter.de.nix | |
parent | cbfcc890e3b76d942b927809bf981a5fa7289e6a (diff) |
makefu: move out to own repo, add vacation-note
Diffstat (limited to 'makefu/2configs/bgt/download.binaergewitter.de.nix')
-rw-r--r-- | makefu/2configs/bgt/download.binaergewitter.de.nix | 86 |
1 files changed, 0 insertions, 86 deletions
diff --git a/makefu/2configs/bgt/download.binaergewitter.de.nix b/makefu/2configs/bgt/download.binaergewitter.de.nix
deleted file mode 100644
index 31da31a7..00000000
--- a/makefu/2configs/bgt/download.binaergewitter.de.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
- ident = (builtins.readFile ./auphonic.pub);
- bgtaccess = "/var/spool/nginx/logs/binaergewitter.access.log";
- bgterror = "/var/spool/nginx/logs/binaergewitter.error.log";
-
- # TODO: only when the data is stored somewhere else
- wwwdir = "/var/www/binaergewitter";
- storedir = "/media/cloud/www/binaergewitter";
-in {
- fileSystems."${wwwdir}" = {
- device = storedir;
- options = [ "bind" ];
- };
-
- services.openssh = {
- allowSFTP = true;
- sftpFlags = [ "-l VERBOSE" ];
- extraConfig = ''
- HostkeyAlgorithms +ssh-rsa
-
- Match User auphonic
- ForceCommand internal-sftp
- AllowTcpForwarding no
- X11Forwarding no
- PasswordAuthentication no
- PubkeyAcceptedAlgorithms +ssh-rsa
-
- '';
- };
-
- users.users.auphonic = {
- uid = genid "auphonic";
- group = "nginx";
- # for storedir
- extraGroups = [ "download" ];
- useDefaultShell = true;
- isSystemUser = true;
- openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ];
- };
-
- services.logrotate = {
- enable = true;
- settings.bgt = {
- files = [ bgtaccess bgterror ];
- rotate = 5;
- frequency = "weekly";
- create = "600 nginx nginx";
- postrotate = "${pkgs.systemd}/bin/systemctl reload nginx";
- };
- };
-
- # 20.09 unharden nginx to write logs
- systemd.services.nginx.serviceConfig.ReadWritePaths = [
- "/var/spool/nginx/logs/"
- ];
- security.acme.certs."download.binaergewitter.de" = {
- dnsProvider = "cloudflare";
- credentialsFile = toString <secrets/lego-binaergewitter>;
- webroot = lib.mkForce null;
- };
-
- services.nginx = {
- appendHttpConfig = ''
- types {
- audio/ogg oga ogg opus;
- }
- '';
- enable = lib.mkDefault true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- virtualHosts."download.binaergewitter.de" = {
- addSSL = true;
- enableACME = true;
- serverAliases = [ "dl2.binaergewitter.de" ];
- root = "/var/www/binaergewitter";
- extraConfig = ''
- access_log ${bgtaccess} combined;
- error_log ${bgterror} error;
- autoindex on;
- '';
- };
- };
-} |