sys/web/sites/host.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

{ config, lib, ... }:
with lib; let
  cfg = config.local.web.sites.host;

  inherit (config.local) domains users;
  inherit (config.local.net) hostname;

  hostDomain = domains.${hostDomainName};
  hostDomainName = "host-${hostname}";

  userCerts = flatten (flatten (mapAttrsToList
    (name: user: map
      (cert: {
        fprint = config.local.pki.byPath.${cert}.fingerprint.sha1-lower;
        inherit name;
      })
      user.mail.certs)
    users));
in
{
  options.local.web.sites.host = {
    enable = mkEnableOption "host site, restricted to per-user client certs";
  };

  config = mkIf cfg.enable {
    local.web = {
      enable = mkDefault true;
      ownedCerts = [ hostDomainName ];
    };

    services = {
      nginx = {
        appendHttpConfig = ''
          map $ssl_client_fingerprint $host_user_from_fprint {
            default "";
            ${concatMapStringsSep "\n  " (pair: "\"${escapeRegex pair.fprint}\" \"${pair.name}\";") userCerts}
          }
        '';

        virtualHosts = {
          ${hostDomain.main} = {
            forceSSL = true;
            useACMEHost = hostDomain.main;

            extraConfig = ''
              ssl_verify_depth 2;
              ssl_verify_client optional;
              ssl_client_certificate ${config.local.pki.ca.mail.fullchain};

              #if ($ssl_client_verify != "SUCCESS") {
                #return 403;
              #}
            '';

            locations = {
              "/".return = 403;
            } // concatMapAttrs
              (name: user:
                let
                  userLocation = config: {
                    extraConfig = ''
                      if ($host_user_from_fprint != "${name}") {
                        return 403;
                      }
                    '' + config;
                  };

                  userLocations = {
                    "/${name}" = ''
                      return 404;
                    '';
                  } // optionalAttrs user.mail.dav {
                    "/${name}/dav" = ''
                      proxy_pass http://unix:/run/host-www/${name}/dav.sock;
                    '';
                  };
                in
                mapAttrs (_: userLocation) userLocations)
              (filterAttrs (_: user: user.mail.certs != [ ]) users);
          };
        };
      };
    };

    systemd.tmpfiles.settings."10-run-host-www" =
      concatMapAttrs
        (name: _: {
          "/run/host-www/${name}".d = {
            mode = "0750";
            user = name;
            group = "nginx";
          };
        })
        users;
  };
}