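# NixOS module: the "host" web site on host-<hostname>, a per-user area that is
# reachable only with a client certificate issued by the local mail CA.
# Each user's mail-cert fingerprint is mapped to the username in an nginx `map`,
# and every per-user location rejects requests whose mapped user differs.
{ config, lib, ... }:
with lib;
let
  cfg = config.local.web.sites.host;
  inherit (config.local) domains;
  inherit (config.local.net) hostname;

  # Only users installed on this host get an area at all.
  users = filterAttrs (_: user: user.install) config.local.users;

  hostDomainName = "host-${hostname}";
  hostDomain = domains.${hostDomainName};

  # [{ name; fprint; }] for every mail cert of every installed user.
  # mapAttrsToList already yields a list of lists, so one flatten suffices
  # (the original applied flatten twice; the second call was a no-op).
  userCerts = flatten (mapAttrsToList (name: user:
    map (cert: {
      fprint = config.local.pki.byPath.${cert}.fingerprint.sha1-lower;
      inherit name;
    }) user.mail.certs
  ) users);

  # Users that can be identified at all, i.e. that have at least one mail cert.
  certUsers = filterAttrs (_: user: user.mail.certs != []) users;

  # nginx `map` entries. The key combines the verification result with the
  # SHA-1 fingerprint: with `ssl_verify_client optional`, nginx populates
  # $ssl_client_fingerprint for any presented certificate, verified or not, so
  # the fingerprint alone must not be treated as an identity. Requiring the
  # "SUCCESS:" prefix means a user is only mapped when the cert also chained
  # to the mail CA. Keys are literal (not regex, no leading `~`) and the
  # fingerprint is lowercase hex, so no escaping is needed.
  mapEntries = concatMapStringsSep "\n  "
    (pair: "\"SUCCESS:${pair.fprint}\" \"${pair.name}\";")
    userCerts;
in {
  options.local.web.sites.host = {
    enable = mkEnableOption "host site, restricted to per-user client certs";
  };

  config = mkIf cfg.enable {
    local.web = {
      enable = mkDefault true;
      ownedCerts = [ hostDomainName ];
    };

    services.nginx = {
      # http-level map: "<verify result>:<sha1 fingerprint>" -> username.
      # Any request without a verified, known cert yields the empty string;
      # on vhosts without client-cert verification both variables are empty.
      appendHttpConfig = ''
        map "$ssl_client_verify:$ssl_client_fingerprint" $host_user_from_fprint {
          default "";
          ${mapEntries}
        }
      '';

      virtualHosts.${hostDomain.main} = {
        forceSSL = true;
        useACMEHost = hostDomain.main;
        extraConfig = ''
          ssl_verify_depth 2;
          # "optional": the handshake also completes without a certificate so
          # nginx can answer 403 itself instead of aborting TLS; authorization
          # happens per location through $host_user_from_fprint, which is only
          # set for certificates that verified against the mail CA.
          ssl_verify_client optional;
          ssl_client_certificate ${config.local.pki.ca.mail.fullchain};
        '';

        locations = {
          # Nothing outside a user's own prefix is ever served.
          "/".return = 403;
        } // concatMapAttrs (name: user:
          let
            # Wrap a location body so that only the mapped user can reach it.
            # (Named `body` rather than `config` to avoid shadowing the module's
            # `config` argument.)
            guard = body: {
              extraConfig = ''
                if ($host_user_from_fprint != "${name}") {
                  return 403;
                }
              '' + body;
            };
            userLocations = {
              # The bare prefix has no content; the user's own requests get 404,
              # everyone else is stopped by the guard above.
              "/${name}" = ''
                return 404;
              '';
            } // optionalAttrs user.mail.dav {
              # Forwarded verbatim (no URI rewrite) to the user's DAV socket.
              "/${name}/dav" = ''
                proxy_pass http://unix:/run/host-www/${name}/dav.sock;
              '';
            };
          in mapAttrs (_: guard) userLocations
        ) certUsers;
      };
    };

    # Per-user runtime directory that holds the DAV socket: owned by the user,
    # traversable by nginx (group) so it can connect to the socket.
    systemd.tmpfiles.settings."10-run-host-www" = concatMapAttrs (name: _: {
      "/run/host-www/${name}".d = {
        mode = "0750";
        user = name;
        group = "nginx";
      };
    }) users;
  };
}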