bind mount static nginx directories

2021-09-30 02:24:39 +02:00 · 2021-09-30 02:24:39 +02:00 · a338d6e285
commit a338d6e285
parent 8e62d129c0
2 changed files with 19 additions and 12 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -375,7 +375,7 @@
      # Asjon code coverage reports
      locations."/asjon/report/" = {
        index = "index.html";
-        alias = "/var/lib/asjon/tree/report/";
+        alias = "/run/nginx/static/asjon/";
      };

      # Searx instance
@ -394,11 +394,11 @@

      # User static files
      locations."/~rnhmjoj/" = {
-        alias = "/home/rnhmjoj/www/";
+        alias = "/run/nginx/static/rnhmjoj/";
        extraConfig = "charset UTF-8;";
      };
      locations."/~giu/" = {
-        alias = "/home/giu/www/";
+        alias = "/run/nginx/static/giu/";
        extraConfig = "charset UTF-8;";
      };
    };
@ -418,14 +418,26 @@

    # The Cactalogue
    virtualHosts."cacta.bit" = {
-      root = "/home/giu/cactalogue/";
+      root = "/run/nginx/static/cactalogue";
      extraConfig = disableLog;
    };
  };
-  # Allow nginx to see home directories for static files
-  # (conditional on having proper group permissions).
-  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

+  # Bind mount directories for Nginx
+  # This avoids giving nginx traversal permission
+  systemd.mounts =
+    let bindNginx = from: to:
+      { what  = from;
+        where = "/run/nginx/static/" + to;
+        type  = "none";
+        options = "bind";
+        wantedBy = [ "nginx.service" ];
+      };
+    in [ (bindNginx "/home/rnhmjoj/www"          "rnhmjoj")
+         (bindNginx "/home/giu/www"              "giu")
+         (bindNginx "/home/giu/cactalogue"       "cactalogue")
+         (bindNginx "/var/lib/asjon/tree/report" "asjon")
+       ];

  ### Misc. services
  services.ubino.enable = true;
--- a/custom/modules/asjon.nix
+++ b/custom/modules/asjon.nix
@ -97,11 +97,6 @@ in {
        git clone https://github.com/rnhmjoj/asjon.git ${cfg.dataDir}/tree
        cd ${cfg.dataDir}/tree
        yarn install
-
-        # give read/traverse permission to nginx
-        setfacl -m g:nginx:x ${cfg.dataDir}
-        setfacl -m g:nginx:x ${cfg.dataDir}/tree
-        setfacl -Rdm g:nginx:rx ${cfg.dataDir}/tree/report
      '';
    };