Commit 3e2da551af8f
Changed files (4)
systems/hosts/kerkouane.nix
@@ -7,6 +7,13 @@ let
secretPath = ../../secrets/machines.nix;
secretCondition = (builtins.pathExists secretPath);
+ isAuthorized = p: builtins.isAttrs p && p.authorized or false;
+ authorizedKeys = lists.optionals secretCondition (
+ attrsets.mapAttrsToList
+ (name: value: value.key)
+ (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
+ );
+
wireguardIp = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
nginxExtraConfig = ''
@@ -129,7 +136,6 @@ in
};
security.pam.enableSSHAgentAuth = true;
#systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
- systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false;
services = {
govanityurl = {
enable = true;
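Review bot: `isAuthorized` gates host login on a single `authorized` flag, but the `value.key` mapping on the following line turns an entry that is flagged authorized yet carries no `key` into an attribute-missing evaluation error far from the secrets file; a one-line comment would make the contract explicit, e.g. `# only ssh entries in secrets/machines.nix with authorized = true (and a key) get login here`. The consumer of `authorizedKeys` is outside the hunk, so whether it feeds one user or several cannot be checked from this page. The second hunk drops the `ProtectHome = lib.mkForce false` override for nginx, which restores the module's default sandboxing of home directories; since the `ReadWritePaths` line above it remains commented out, nginx's ability to write under `/var/www` presumably rests on directory ownership rather than on systemd, which is worth confirming.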
systems/modules/profiles/ssh.nix
@@ -25,6 +25,12 @@ in
forwardX11 = cfg.forwardX11;
extraConfig = ''
StreamLocalBindUnlink yes
+ Match User nginx
+ ChrootDirectory /var/www
+ ForceCommand interfal-sftp
+ AllowTcpForwarding no
+ PermitTunnel no
+ X11Forwarding no
'';
};
sshguard.enable = true;
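Review bot: `ForceCommand interfal-sftp` is a typo for sshd's `internal-sftp`; as written, sshd will try to exec a program named `interfal-sftp` for the nginx user, so every session fails instead of landing in the in-process SFTP server. Fix: `ForceCommand internal-sftp`. Two caveats for the same block: sshd refuses `ChrootDirectory` unless `/var/www` and every path component above it are root-owned and not group- or world-writable, so the chroot root itself cannot be made writable through group membership, and a `Match` block scopes every directive that follows it until the next `Match`, so anything another module appends to `extraConfig` after this profile would silently apply only to the nginx user. Whether anything is appended later is outside this hunk.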
users/vincent/default.nix
@@ -26,7 +26,8 @@ in
++ optionals config.networking.networkmanager.enable [ "networkmanager" ]
++ optionals config.virtualisation.docker.enable [ "docker" ]
++ optionals config.virtualisation.buildkitd.enable [ "buildkit" ]
- ++ optionals config.profiles.virtualization.enable [ "libvirtd" ];
+ ++ optionals config.profiles.virtualization.enable [ "libvirtd" ]
+ ++ optionals config.services.nginx.enable [ "nginx" ];
shell = mkIf config.programs.zsh.enable pkgs.zsh;
isNormalUser = true;
openssh.authorizedKeys.keys = authorizedKeys;
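Review bot: Membership in the `nginx` group, added on the new last line of the chain, grants the user access to everything owned by nginx's group (content, sockets and logs with group ownership), not only the `/var/www` site directory this commit appears to target; a comment stating the intended scope would help the next reader, e.g. `# nginx group: lets the user edit group-owned site content served by nginx`. Unlike the other entries in this chain, which follow a profile or virtualisation toggle, this one keys on a service being enabled, so it also fires on hosts where nginx serves something unrelated, presumably acceptable but worth confirming. The enclosing group list starts outside the hunk.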
www/vincent.demeester.fr/publish.el
@@ -114,12 +114,6 @@
:publishing-directory "./public/css"
:publishing-function org-publish-attachment
:recursive t)
- ("images"
- :base-directory "./images"
- :base-extension ,site-attachments
- :publishing-directory "./public/images"
- :publishing-function org-publish-attachment
- :recursive t)
("assets"
:base-directory "./assets"
:base-extension ,site-attachments
@@ -132,7 +126,7 @@
:publishing-directory "./public/"
:publishing-function org-publish-attachment
:recursive t)
- ("all" :components ("posts" "about" "index" "articles" "articles-assets" "css" "images" "assets" "legacy" "posts-rss"))))
+ ("all" :components ("posts" "about" "index" "articles" "articles-assets" "css" "assets" "legacy" "posts-rss"))))
(provide 'publish)
;;; publish.el ends here