

commit 3e2da551af8ffca4f155e3ca2c8b88f1dd8d24be
parent a5d3bb3b65e7a9308b37cbf2bc6ceba9e860d898
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Tue,  5 Oct 2021 18:43:58 +0200

git-annex in aomi

Diffstat:
Msystems/hosts/kerkouane.nix | 8+++++++-
Msystems/modules/profiles/ssh.nix | 6++++++
Musers/vincent/default.nix | 3++-
Mwww/vincent.demeester.fr/publish.el | 8+-------
4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix @@ -7,6 +7,13 @@ let secretPath = ../../secrets/machines.nix; secretCondition = (builtins.pathExists secretPath); + isAuthorized = p: builtins.isAttrs p && p.authorized or false; + authorizedKeys = lists.optionals secretCondition ( + attrsets.mapAttrsToList + (name: value: value.key) + (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh) + ); + wireguardIp = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}"; nginxExtraConfig = '' @@ -129,7 +136,6 @@ in }; security.pam.enableSSHAgentAuth = true; #systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; - systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false; services = { govanityurl = { enable = true; diff --git a/systems/modules/profiles/ssh.nix b/systems/modules/profiles/ssh.nix @@ -25,6 +25,12 @@ in forwardX11 = cfg.forwardX11; extraConfig = '' StreamLocalBindUnlink yes + Match User nginx + ChrootDirectory /var/www + ForceCommand interfal-sftp + AllowTcpForwarding no + PermitTunnel no + X11Forwarding no ''; }; sshguard.enable = true; diff --git a/users/vincent/default.nix b/users/vincent/default.nix @@ -26,7 +26,8 @@ in ++ optionals config.networking.networkmanager.enable [ "networkmanager" ] ++ optionals config.virtualisation.docker.enable [ "docker" ] ++ optionals config.virtualisation.buildkitd.enable [ "buildkit" ] - ++ optionals config.profiles.virtualization.enable [ "libvirtd" ]; + ++ optionals config.profiles.virtualization.enable [ "libvirtd" ] + ++ optionals config.services.nginx.enable [ "nginx" ]; shell = mkIf config.programs.zsh.enable pkgs.zsh; isNormalUser = true; openssh.authorizedKeys.keys = authorizedKeys; diff --git a/www/vincent.demeester.fr/publish.el b/www/vincent.demeester.fr/publish.el 
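Review bot: The new `isAuthorized` / `authorizedKeys` bindings in the `let` carry no comment explaining the opt-in rule, so a reader of the secrets file will not know that only entries under `ssh` that are attrsets with `authorized = true` become installed keys and that every other entry is silently dropped. I would add above `isAuthorized`: `# Only secrets.ssh entries that are attrsets with authorized = true are installed; everything else is skipped.` As a point of style, `(attrsets.filterAttrs (name: value: isAuthorized value) ...)` can be eta-reduced to `attrsets.filterAttrs (_: isAuthorized)`. `lists`, `attrsets` and `strings` are presumably brought into scope by a `with lib;` or `inherit` outside the hunk, and `authorizedKeys` is defined here but not consumed within it; the `let` continues past the hunk.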
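Review bot: `ForceCommand interfal-sftp` is a typo for the sshd builtin `internal-sftp`; as written sshd will try to run a program named `interfal-sftp` via the user's shell inside the chroot, which cannot succeed, so the nginx user gets no session at all instead of an SFTP session. The fix is the single line `ForceCommand internal-sftp`. Note also that `ChrootDirectory /var/www` requires `/var/www` and every path component above it to be owned by root and not group- or world-writable, otherwise sshd refuses the login with a "bad ownership or modes" error, so anything git-annex needs to write must live in a subdirectory rather than in `/var/www` itself. Because the `Match User nginx` block is appended through `extraConfig` in a profile shared by every host, any sshd_config text that ends up after it applies only to the nginx user; keep it last, and consider adding `PermitTTY no` next to the other restrictions.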
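Review bot: Adding the user to the `nginx` group whenever nginx is enabled grants read access to everything group-owned by nginx on that host, not only `/var/www`; on NixOS that can include ACME certificate private keys when they are shared with the nginx group, so the least-privilege alternative is a dedicated group (or a setgid directory) for the web root rather than nginx's own group. At minimum the new line deserves a why-comment, e.g. `# nginx: lets the user write the git-annex/web root; note this also exposes any nginx-group-readable files`. The `extraGroups` list starts before the hunk, and `authorizedKeys` on the last line comes from a binding outside it.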
@@ -114,12 +114,6 @@ :publishing-directory "./public/css" :publishing-function org-publish-attachment :recursive t) - ("images" - :base-directory "./images" - :base-extension ,site-attachments - :publishing-directory "./public/images" - :publishing-function org-publish-attachment - :recursive t) ("assets" :base-directory "./assets" :base-extension ,site-attachments @@ -132,7 +126,7 @@ :publishing-directory "./public/" :publishing-function org-publish-attachment :recursive t) - ("all" :components ("posts" "about" "index" "articles" "articles-assets" "css" "images" "assets" "legacy" "posts-rss")))) + ("all" :components ("posts" "about" "index" "articles" "articles-assets" "css" "assets" "legacy" "posts-rss")))) (provide 'publish) ;;; publish.el ends here