home

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README | LICENSE
commit 3e2da551af8ffca4f155e3ca2c8b88f1dd8d24be
parent a5d3bb3b65e7a9308b37cbf2bc6ceba9e860d898
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Tue,  5 Oct 2021 18:43:58 +0200

git-annex in aomi

Diffstat:

Msystems/hosts/kerkouane.nix | 8+++++++-


Msystems/modules/profiles/ssh.nix | 6++++++


Musers/vincent/default.nix | 3++-


Mwww/vincent.demeester.fr/publish.el | 8+-------


4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/systems/hosts/kerkouane.nix b/systems/hosts/kerkouane.nix
@@ -7,6 +7,13 @@ let
   secretPath = ../../secrets/machines.nix;
   secretCondition = (builtins.pathExists secretPath);
 
+  isAuthorized = p: builtins.isAttrs p && p.authorized or false;
+  authorizedKeys = lists.optionals secretCondition (
+    attrsets.mapAttrsToList
+      (name: value: value.key)
+      (attrsets.filterAttrs (name: value: isAuthorized value) (import secretPath).ssh)
+  );
+
   wireguardIp = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
 
   nginxExtraConfig = ''
@@ -129,7 +136,6 @@ in
   };
   security.pam.enableSSHAgentAuth = true;
   #systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
-  systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false;
   services = {
     govanityurl = {
       enable = true;
diff --git a/systems/modules/profiles/ssh.nix b/systems/modules/profiles/ssh.nix
@@ -25,6 +25,12 @@ in
         forwardX11 = cfg.forwardX11;
         extraConfig = ''
           StreamLocalBindUnlink yes
+          Match User nginx
+            ChrootDirectory /var/www
+            ForceCommand interfal-sftp
+            AllowTcpForwarding no
+            PermitTunnel no
+            X11Forwarding no
         '';
       };
       sshguard.enable = true;
diff --git a/users/vincent/default.nix b/users/vincent/default.nix
@@ -26,7 +26,8 @@ in
       ++ optionals config.networking.networkmanager.enable [ "networkmanager" ]
       ++ optionals config.virtualisation.docker.enable [ "docker" ]
       ++ optionals config.virtualisation.buildkitd.enable [ "buildkit" ]
-      ++ optionals config.profiles.virtualization.enable [ "libvirtd" ];
+      ++ optionals config.profiles.virtualization.enable [ "libvirtd" ]
+      ++ optionals config.services.nginx.enable [ "nginx" ];
     shell = mkIf config.programs.zsh.enable pkgs.zsh;
     isNormalUser = true;
     openssh.authorizedKeys.keys = authorizedKeys;
diff --git a/www/vincent.demeester.fr/publish.el b/www/vincent.demeester.fr/publish.el
@@ -114,12 +114,6 @@
          :publishing-directory "./public/css"
          :publishing-function org-publish-attachment
          :recursive t)
-        ("images"
-         :base-directory "./images"
-         :base-extension ,site-attachments
-         :publishing-directory "./public/images"
-         :publishing-function org-publish-attachment
-         :recursive t)
         ("assets"
          :base-directory "./assets"
          :base-extension ,site-attachments
@@ -132,7 +126,7 @@
          :publishing-directory "./public/"
          :publishing-function org-publish-attachment
          :recursive t)
-        ("all" :components ("posts" "about" "index" "articles" "articles-assets" "css" "images" "assets" "legacy" "posts-rss"))))
+        ("all" :components ("posts" "about" "index" "articles" "articles-assets" "css"  "assets" "legacy" "posts-rss"))))
 
 (provide 'publish)
 ;;; publish.el ends here