author | Nguyễn Gia Phong <mcsinyx@disroot.org> | 2023-06-22 04:44:58 +0900 |
---|---|---|
committer | Nguyễn Gia Phong <mcsinyx@disroot.org> | 2023-06-22 04:44:58 +0900 |
commit | 630fa2292c6a82425ffb945928c725a732aa9453 (patch) | |
tree | 2ee045ca16f1c5b7ea1639975ab1f43cb3a116c9 | |
parent | ceaaaaab95fc5e498c7685dd762fad6ac1a355e4 (diff) | |
download | nixos-conf-630fa2292c6a82425ffb945928c725a732aa9453.tar.gz |
Put Phylactery behind PAM authentication
-rw-r--r-- | static.nix | 34 |
1 files changed, 23 insertions, 11 deletions
diff --git a/static.nix b/static.nix
index 2ce4124..21a2449 100644
--- a/static.nix
+++ b/static.nix
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration. If not, see <https://www.gnu.org/licenses/>.
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
 inherit (config.networking) domain;
 bindUserDirs = sources: target: lib.mapAttrs' (user: dir: {
@@ -38,9 +38,12 @@ in {
 1965 # Gemini
 ];
- security.acme = {
- acceptTerms = true;
- defaults.email = "mcsinyx@disroot.org";
+ security = {
+ acme = {
+ acceptTerms = true;
+ defaults.email = "mcsinyx@disroot.org";
+ };
+ pam.services.nginx.setEnvironment = false;
 };
 services = {
@@ -115,22 +118,31 @@ in {
 expires -1;
 '';
 };
- root = "/var/lib/www/px.cnx.gdn";
- }) // (aliasOpenNIC "striproman.pirate" "cmx.cnx.gdn" (let
+ root = "/mnt/nas/www/px.cnx.gdn";
+ }) // (aliasOpenNIC "striproman.pirate" "xem.${domain}" (let
 address = "http://${phylactery.host}:${toString phylactery.port}";
 in {
- locations."/".proxyPass = address;
+ locations."/" = {
+ proxyPass = address;
+ extraConfig = ''
+ auth_pam "Password Required";
+ auth_pam_service_name "nginx";
+ '';
+ };
 })));
 };
 phylactery = {
 enable = true;
- library = "/mnt/nas/comix";
+ library = "/mnt/nas/www/striproman.pirate";
 port = 42069;
 };
 };
- systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [
- config.security.acme.certs.${domain}.group
- ];
+ systemd.services = {
+ molly-brown.serviceConfig.SupplementaryGroups = [
+ config.security.acme.certs.${domain}.group
+ ];
+ nginx.serviceConfig.SupplementaryGroups = [ "shadow" ];
+ };
 } |
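Review bot: The `pkgs` argument added to the module header is not referenced by any added line in this diff, so as committed it is unused. The `auth_pam` directives in the third hunk come from the third-party PAM module, which a stock nginx build does not include. If that was the reason for `pkgs`, the matching line would be something like `services.nginx.additionalModules = [ pkgs.nginxModules.pam ];`. If the module is already enabled in another file, `pkgs` can be dropped here; otherwise nginx will presumably reject the generated configuration at `auth_pam`.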
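Review bot: `pam.services.nginx` is declared with only `setEnvironment = false`, so the service presumably gets the default account stack, and every local account with a password (possibly including root) becomes a valid login for the web endpoint. Nothing in this diff limits which accounts qualify or how often a password can be tried, which turns the HTTP endpoint into an online guessing surface for system passwords. Consider restricting the service to a dedicated group, for example with a `pam_succeed_if` rule on group membership, and throttling the protected location with `limit_req`. A short comment such as `# PAM service for nginx auth_pam; no session environment needed for HTTP auth` would also explain the `setEnvironment` line.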
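Review bot: `nginx.serviceConfig.SupplementaryGroups = [ "shadow" ]` gives the internet-facing nginx service read access to the system password hashes, so a file-disclosure or code-execution bug in nginx or one of its modules would expose every account's hash. The same system passwords are also sent as HTTP Basic credentials on each request to `locations."/"`, and `aliasOpenNIC` is defined outside this diff. Confirm that both `xem.${domain}` and `striproman.pirate` are served over TLS only, and that `phylactery.host` is a loopback address so the proxy cannot be bypassed. If shadow access is kept, record the reason next to it, e.g. `# shadow: pam_unix must read /etc/shadow to verify passwords for auth_pam`; a separate credential file via `auth_basic_user_file` would avoid sharing login passwords with the web server. The virtual-host set and the `services` block both start before this hunk.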