3 files changed, 82 insertions, 0 deletions
diff --git a/sys/web/nginx.nix b/sys/web/nginx.nix
index fc24afe..b6e7414 100644
--- a/sys/web/nginx.nix
+++ b/sys/web/nginx.nix
@@ -50,6 +50,8 @@ in
         sslDhparam = config.security.dhparams.params.nginx.path;
         clientMaxBodySize = "42M";
 
+        mapHashBucketSize = 128;
+
         virtualHosts.default = {
           default = true;
 
diff --git a/sys/web/sites/default.nix b/sys/web/sites/default.nix
index a131aaf..ba2835c 100644
--- a/sys/web/sites/default.nix
+++ b/sys/web/sites/default.nix
@@ -1,6 +1,7 @@
 {
   imports = [
     ./home.nix
+    ./host.nix
     ./portal.nix
   ];
 }
diff --git a/sys/web/sites/host.nix b/sys/web/sites/host.nix
new file mode 100644
index 0000000..62abe1a
--- /dev/null
+++ b/sys/web/sites/host.nix
@@ -0,0 +1,79 @@
+{ config, lib, ... }:
+with lib; let
+  cfg = config.local.web.sites.host;
+
+  inherit (config.local) domains users;
+  inherit (config.local.net) hostname;
+
+  hostDomain = domains.${hostDomainName};
+  hostDomainName = "host-${hostname}";
+
+  userCerts = flatten (flatten (mapAttrsToList
+    (name: user: map
+      (cert: {
+        fprint = config.local.pki.byPath.${cert}.fingerprint.sha1-lower;
+        inherit name;
+      })
+      user.mail.certs)
+    users));
+in
+{
+  options.local.web.sites.host = {
+    enable = mkEnableOption "host site, restricted to per-user client certs";
+  };
+
+  config = mkIf cfg.enable {
+    local.web = {
+      enable = mkDefault true;
+      ownedCerts = [ hostDomainName ];
+    };
+
+    services = {
+      nginx = {
+        appendHttpConfig = ''
+          map $ssl_client_fingerprint $host_user_from_fprint {
+            default "";
+            ${concatMapStringsSep "\n  " (pair: "\"${escapeRegex pair.fprint}\" \"${pair.name}\";") userCerts}
+          }
+        '';
+
+        virtualHosts = {
+          ${hostDomain.main} = {
+            forceSSL = true;
+            useACMEHost = hostDomain.main;
+
+            extraConfig = ''
+              ssl_verify_depth 2;
+              ssl_verify_client optional;
+              ssl_client_certificate ${config.local.pki.ca.mail.fullchain};
+
+              #if ($ssl_client_verify != "SUCCESS") {
+                #return 403;
+              #}
+            '';
+
+            locations = {
+              "/".return = 403;
+            } // concatMapAttrs
+              (name: user:
+                let
+                  userLocation = config: {
+                    extraConfig = ''
+                      if ($host_user_from_fprint != "${name}") {
+                        return 403;
+                      }
+                    '' + config;
+                  };
+                in
+                mapAttrs (_: userLocation) {
+                  "/${name}" = ''
+                    return 404;
+                  '';
+                })
+              (filterAttrs (_: user: user.mail.certs != [ ]) users);
+          };
+        };
+      };
+    };
+  };
+}