From 630fa2292c6a82425ffb945928c725a732aa9453 Mon Sep 17 00:00:00 2001
From: Nguyễn Gia Phong
Date: Thu, 22 Jun 2023 04:44:58 +0900
Subject: Put Phylactery behind PAM authentication

---
 static.nix | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/static.nix b/static.nix
index 2ce4124..21a2449 100644
--- a/static.nix
+++ b/static.nix
@@ -16,7 +16,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with loang configuration. If not, see .
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
 inherit (config.networking) domain;
 bindUserDirs = sources: target: lib.mapAttrs' (user: dir: {
@@ -38,9 +38,12 @@ in {
 1965 # Gemini
 ];
-security.acme = {
-acceptTerms = true;
-defaults.email = "mcsinyx@disroot.org";
+security = {
+acme = {
+acceptTerms = true;
+defaults.email = "mcsinyx@disroot.org";
+};
+pam.services.nginx.setEnvironment = false;
 };
 services = {
@@ -115,22 +118,31 @@ in {
 expires -1;
 '';
 };
-root = "/var/lib/www/px.cnx.gdn";
-}) // (aliasOpenNIC "striproman.pirate" "cmx.cnx.gdn" (let
+root = "/mnt/nas/www/px.cnx.gdn";
+}) // (aliasOpenNIC "striproman.pirate" "xem.${domain}" (let
 address = "http://${phylactery.host}:${toString phylactery.port}";
 in {
-locations."/".proxyPass = address;
+locations."/" = {
+proxyPass = address;
+extraConfig = ''
+auth_pam "Password Required";
+auth_pam_service_name "nginx";
+'';
+};
 }));
 };
 phylactery = {
 enable = true;
-library = "/mnt/nas/comix";
+library = "/mnt/nas/www/striproman.pirate";
 port = 42069;
 };
 };
-systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [
-config.security.acme.certs.${domain}.group
-];
+systemd.services = {
+molly-brown.serviceConfig.SupplementaryGroups = [
+config.security.acme.certs.${domain}.group
+];
+nginx.serviceConfig.SupplementaryGroups = [ "shadow" ];
+};
 }
--
cgit 1.4.1
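Review bot: Putting nginx in the `shadow` supplementary group (last hunk, `nginx.serviceConfig.SupplementaryGroups = [ "shadow" ];`) lets the web-server worker read every local account's password hash, so any flaw in nginx or the PAM module now exposes the whole hash database; consider a PAM service that does not need shadow access (pam_unix normally defers to the setuid unix_chkpwd helper) or a separate credential store such as pam_userdb, and confirm the group is actually required before keeping it. Because auth_pam challenges with HTTP Basic, the password is resent on every request, so the `xem.${domain}` virtual host must be TLS-only; whether aliasOpenNIC forces SSL is not visible in this hunk. The new `extraConfig` has no request rate limit, which makes local account passwords guessable from the network; a `limit_req` zone on that location would bound the attempt rate. The `pkgs` argument added in the first hunk is not used in any visible hunk — if `services.nginx.additionalModules = [ pkgs.nginxModules.pam ];` is set elsewhere that is fine, otherwise nginx will reject the `auth_pam` directive at startup. The enclosing services attribute set starts and ends outside the third hunk.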