From a338d6e2855e3048b6bc92ce24356e1ff248a47f Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Thu, 30 Sep 2021 02:24:39 +0200
Subject: [PATCH] bind mount static nginx directories

---
 configuration.nix | 26 +++++++++++++++++++-------
 custom/modules/asjon.nix | 5 -----
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index b997c0f..4b164fe 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -375,7 +375,7 @@
 # Asjon code coverage reports
 locations."/asjon/report/" = {
 index = "index.html";
- alias = "/var/lib/asjon/tree/report/";
+ alias = "/run/nginx/static/asjon/";
 };
 
 # Searx instance
@@ -394,11 +394,11 @@
 
 # User static files
 locations."/~rnhmjoj/" = {
- alias = "/home/rnhmjoj/www/";
+ alias = "/run/nginx/static/rnhmjoj/";
 extraConfig = "charset UTF-8;";
 };
 locations."/~giu/" = {
- alias = "/home/giu/www/";
+ alias = "/run/nginx/static/giu/";
 extraConfig = "charset UTF-8;";
 };
 };
@@ -418,14 +418,26 @@
 
 # The Cactalogue
 virtualHosts."cacta.bit" = {
- root = "/home/giu/cactalogue/";
+ root = "/run/nginx/static/cactalogue";
 extraConfig = disableLog;
 };
 };
 
- # Allow nginx to see home directories for static files
- # (conditional on having proper group permissions).
- systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
+ # Bind mount directories for Nginx
+ # This avoids giving nginx traversal permission
+ systemd.mounts =
+ let bindNginx = from: to:
+ { what = from;
+ where = "/run/nginx/static/" + to;
+ type = "none";
+ options = "bind";
+ wantedBy = [ "nginx.service" ];
+ };
+ in [ (bindNginx "/home/rnhmjoj/www" "rnhmjoj")
+ (bindNginx "/home/giu/www" "giu")
+ (bindNginx "/home/giu/cactalogue" "cactalogue")
+ (bindNginx "/var/lib/asjon/tree/report" "asjon")
+ ];
 
 ### Misc. services
 services.ubino.enable = true;
diff --git a/custom/modules/asjon.nix b/custom/modules/asjon.nix
index 1130689..790e81a 100644
--- a/custom/modules/asjon.nix
+++ b/custom/modules/asjon.nix
@@ -97,11 +97,6 @@ in {
 git clone https://github.com/rnhmjoj/asjon.git ${cfg.dataDir}/tree
 cd ${cfg.dataDir}/tree
 yarn install
-
- # give read/traverse permission to nginx
- setfacl -m g:nginx:x ${cfg.dataDir}
- setfacl -m g:nginx:x ${cfg.dataDir}/tree
- setfacl -Rdm g:nginx:rx ${cfg.dataDir}/tree/report
 '';
 };
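Review bot: The bind mounts built by `bindNginx` in the third hunk are pulled in only through `wantedBy = [ "nginx.service" ]`, which gives no ordering and no hard dependency, so nginx.service can start before any of them is active and the `alias`/`root` paths changed in this hunk and the two earlier ones then point at empty mount-point directories, while a failed mount is not fatal to nginx. In `bindNginx` I would add `before = [ "nginx.service" ];` and use `requiredBy = [ "nginx.service" ];` instead of `wantedBy` (or equivalently set `RequiresMountsFor` on nginx.service) so the service waits for the mounts and does not come up without them. Since nginx never writes these trees, `options = "bind,ro";` would also be a cheap read-only guard, assuming the mount helper on this host performs the remount that `ro` on a bind mount implies. With `ProtectHome = "read-only"` removed, nginx now runs with whatever `ProtectHome` value the NixOS module applies by default, presumably stricter; a one-line comment stating that this is intended would stop someone re-adding the relaxation. The enclosing attribute set continues outside the hunk.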