bind mount static nginx directories

This commit is contained in:
Michele Guerini Rocco 2021-09-30 02:24:39 +02:00
parent 8e62d129c0
commit a338d6e285
Signed by: rnhmjoj
GPG Key ID: BFBAF4C975F76450
2 changed files with 19 additions and 12 deletions


@ -375,7 +375,7 @@
# Asjon code coverage reports # Asjon code coverage reports
locations."/asjon/report/" = { locations."/asjon/report/" = {
index = "index.html"; index = "index.html";
alias = "/var/lib/asjon/tree/report/"; alias = "/run/nginx/static/asjon/";
}; };
# Searx instance # Searx instance
@ -394,11 +394,11 @@
# User static files # User static files
locations."/~rnhmjoj/" = { locations."/~rnhmjoj/" = {
alias = "/home/rnhmjoj/www/"; alias = "/run/nginx/static/rnhmjoj/";
extraConfig = "charset UTF-8;"; extraConfig = "charset UTF-8;";
}; };
locations."/~giu/" = { locations."/~giu/" = {
alias = "/home/giu/www/"; alias = "/run/nginx/static/giu/";
extraConfig = "charset UTF-8;"; extraConfig = "charset UTF-8;";
}; };
}; };
@ -418,14 +418,26 @@
# The Cactalogue # The Cactalogue
virtualHosts."cacta.bit" = { virtualHosts."cacta.bit" = {
root = "/home/giu/cactalogue/"; root = "/run/nginx/static/cactalogue";
extraConfig = disableLog; extraConfig = disableLog;
}; };
}; };
# Allow nginx to see home directories for static files
# (conditional on having proper group permissions).
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
# Bind mount directories for Nginx
# This avoids giving nginx traversal permission
systemd.mounts =
let bindNginx = from: to:
{ what = from;
where = "/run/nginx/static/" + to;
type = "none";
options = "bind";
wantedBy = [ "nginx.service" ];
};
in [ (bindNginx "/home/rnhmjoj/www" "rnhmjoj")
(bindNginx "/home/giu/www" "giu")
(bindNginx "/home/giu/cactalogue" "cactalogue")
(bindNginx "/var/lib/asjon/tree/report" "asjon")
];
### Misc. services ### Misc. services
services.ubino.enable = true; services.ubino.enable = true;
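Review bot: The mount units built by `bindNginx` are attached to nginx only through `wantedBy = [ "nginx.service" ]`, which is a Wants= dependency with no ordering, so nginx can start before `/run/nginx/static/*` is mounted and serve the empty mount-point directories (404s) until the mounts complete; add `before = [ "nginx.service" ];` to the unit, and consider `requiredBy` in place of `wantedBy` so that a missing source directory stops nginx rather than silently serving nothing. Since the stated goal of the comment above `systemd.mounts` is to narrow what nginx can reach, `options = "bind,ro";` would also make the served trees read-only from nginx's side regardless of the underlying file modes (current util-linux does the remount step itself; older versions need a separate `remount,ro`). Note that a bind mount only relocates the path: the files under the four sources still have to be readable by the nginx user, and symlinks inside those trees resolve against the real filesystem, so the mount by itself does not confine what a user's `www` directory can expose.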


@ -97,11 +97,6 @@ in {
git clone https://github.com/rnhmjoj/asjon.git ${cfg.dataDir}/tree git clone https://github.com/rnhmjoj/asjon.git ${cfg.dataDir}/tree
cd ${cfg.dataDir}/tree cd ${cfg.dataDir}/tree
yarn install yarn install
# give read/traverse permission to nginx
setfacl -m g:nginx:x ${cfg.dataDir}
setfacl -m g:nginx:x ${cfg.dataDir}/tree
setfacl -Rdm g:nginx:rx ${cfg.dataDir}/tree/report
''; '';
}; };