authorNguyễn Gia Phong <mcsinyx@disroot.org>2023-06-22 04:44:58 +0900
committerNguyễn Gia Phong <mcsinyx@disroot.org>2023-06-22 04:44:58 +0900
commit630fa2292c6a82425ffb945928c725a732aa9453 (patch)
tree2ee045ca16f1c5b7ea1639975ab1f43cb3a116c9 /static.nix
parentceaaaaab95fc5e498c7685dd762fad6ac1a355e4 (diff)
downloadnixos-conf-630fa2292c6a82425ffb945928c725a732aa9453.tar.gz
Put Phylactery behind PAM authentication
Diffstat (limited to 'static.nix')
-rw-r--r--static.nix34
1 files changed, 23 insertions, 11 deletions
diff --git a/static.nix b/static.nix
index 2ce4124..21a2449 100644
--- a/static.nix
+++ b/static.nix
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
 
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   inherit (config.networking) domain;
   bindUserDirs = sources: target: lib.mapAttrs' (user: dir: {
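Review bot: `pkgs` is added to the module arguments here, but none of the added lines in this file's diff reference it. The `auth_pam` directives introduced further down only work when nginx is built with the PAM auth module, which on NixOS is normally pulled in with something like `services.nginx.additionalModules = [ pkgs.nginxModules.pam ];`. If that line lives in another file, the new argument is unused and can be dropped; if it is missing altogether, nginx will likely reject the configuration at reload. The `let` block continues outside the hunk, so a use of `pkgs` there cannot be ruled out.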
@@ -38,9 +38,12 @@ in {
     1965 # Gemini
   ];
 
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "mcsinyx@disroot.org";
+  security = {
+    acme = {
+      acceptTerms = true;
+      defaults.email = "mcsinyx@disroot.org";
+    };
+    pam.services.nginx.setEnvironment = false;
   };
 
   services = {
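Review bot: The `nginx` PAM service at `pam.services.nginx` is declared with only `setEnvironment = false`, so as far as this hunk shows it keeps the default account stack, and every local account with a password (root included, if it has one) would pass the web login. It would be safer to restrict the service to a dedicated group or an explicit user list in the PAM stack, so that a web login does not equal any shell account. The line also deserves a short comment, for example `# nginx only verifies passwords; no pam_env session setup needed`.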
@@ -115,22 +118,31 @@ in {
             expires -1;
           '';
         };
-        root = "/var/lib/www/px.cnx.gdn";
-      }) // (aliasOpenNIC "striproman.pirate" "cmx.cnx.gdn" (let
+        root = "/mnt/nas/www/px.cnx.gdn";
+      }) // (aliasOpenNIC "striproman.pirate" "xem.${domain}" (let
         address = "http://${phylactery.host}:${toString phylactery.port}";
       in {
-        locations."/".proxyPass = address;
+        locations."/" = {
+          proxyPass = address;
+          extraConfig = ''
+            auth_pam "Password Required";
+            auth_pam_service_name "nginx";
+          '';
+        };
       })));
     };
 
     phylactery = {
       enable = true;
-      library = "/mnt/nas/comix";
+      library = "/mnt/nas/www/striproman.pirate";
       port = 42069;
     };
   };
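Review bot: `auth_pam` on `locations."/"` means HTTP Basic authentication, so a system account password is sent with every request, and nothing in this hunk shows that the `striproman.pirate` alias is served over TLS only (what `aliasOpenNIC` generates is outside the hunk). If the OpenNIC name is reachable over plain HTTP, those passwords travel in cleartext; the alias should redirect to or be limited to HTTPS. There is also no throttling on the location, so it can be used for online guessing of local passwords; a `limit_req` zone or log-based banning on repeated 401s would bound that. Finally, confirm that Phylactery binds to loopback only, so port 42069 cannot be reached around the nginx check.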
 
-  systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [
-    config.security.acme.certs.${domain}.group
-  ];
+  systemd.services = {
+    molly-brown.serviceConfig.SupplementaryGroups = [
+      config.security.acme.certs.${domain}.group
+    ];
+    nginx.serviceConfig.SupplementaryGroups = [ "shadow" ];
+  };
 }
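Review bot: `nginx.serviceConfig.SupplementaryGroups = [ "shadow" ]` gives the process that parses untrusted HTTP read access to the local password hashes, so a file-disclosure or code-execution bug in nginx or one of its modules would expose every account's hash for offline cracking. Consider keeping web credentials apart from system accounts, either with an `auth_basic_user_file` htpasswd file or with a PAM stack backed by a dedicated credential file, so that the `shadow` group is not needed. If the group membership stays, document the trade-off next to it, for example `# pam_unix must read /etc/shadow for auth_pam; nginx can therefore read all local hashes`.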