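{ config, ... }:
let
  # Vhost for per-user web space, served under the machine's own domain.
  domain = "users.${config.networking.domain}";
  # Loopback port httpd listens on; nginx terminates TLS and proxies to it.
  port = 8083;
  # The account httpd runs as (and therefore mod_php as well, see enablePHP).
  apacheUser = config.services.httpd.user;
in
{
  # home directory setup
  systemd.tmpfiles.rules = [
    "d /etc/skel"
  ];

  # Sourced at every interactive login, so everything here has to be
  # idempotent (setfacl -m and mkdir -p both are). Root and accounts whose
  # $HOME is "/" are skipped so system accounts never receive these ACLs.
  environment.extraInit = /*sh*/ ''
    if [[ "$HOME" != "/" && "$UID" != 0 ]]; then
      umask 002

      # home dir: apache may traverse only, creation mode is rw(x)------
      # $HOME is quoted so a path containing whitespace stays one argument.
      setfacl -m "u:${apacheUser}:x,d:u::rwx,d:g::-,d:o::-" "$HOME"

      mkdir -p "$HOME/public_html"
      # public_html dir: apache and $USER have rwx on everything inside
      # NOTE(review): mod_php runs inside httpd, i.e. as the httpd user, so
      # this rwx grant is shared by every user's scripts. Per-user isolation
      # would need something like php-fpm pools running as the owning user.
      setfacl -m "u:${apacheUser}:rwx,d:u:${apacheUser}:rwx,d:u:$USER:rwx" "$HOME/public_html"
    fi
  '';

  services.httpd = {
    enable = true;
    # PHP via mod_php: scripts execute in the httpd process as apacheUser.
    enablePHP = true;

    virtualHosts.${domain} = {
      enableUserDir = true;
      # Homes live under /home/users, so the UserDir/Directory pair is restated
      # for that path (the stock enableUserDir block presumably covers /home/*
      # only -- verify against the httpd module). Listings are off by default
      # but a user may turn them on via .htaccess (AllowOverride Options=Indexes);
      # only GET/POST/OPTIONS are served, every other method is denied.
      extraConfig = ''
        UserDir /home/users/*/public_html
        <Directory "/home/users/*/public_html">
          Options -Indexes +MultiViews +SymLinksIfOwnerMatch +IncludesNoExec
          DirectoryIndex index.php index.html
          AllowOverride FileInfo AuthConfig Limit Indexes Options=Indexes
          <Limit GET POST OPTIONS>
            Require all granted
          </Limit>
          <LimitExcept GET POST OPTIONS>
            Require all denied
          </LimitExcept>
        </Directory>
      '';
      # Loopback only; the public side is the nginx vhost below.
      listen = [{
        ip = "127.0.0.1";
        inherit port;
      }];
    };
  };

  # TLS front end: ACME certificate, plain HTTP redirected to HTTPS, then
  # proxied to the loopback httpd.
  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      # 127.0.0.1 rather than "localhost": httpd binds only the IPv4 loopback
      # above, and "localhost" may resolve to ::1 first.
      proxyPass = "http://127.0.0.1:${toString port}";
    };
  };
}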