nginx: port /var/www/sites data to private store

hosts/by-name/servo/services/export/default.nix

@@ -12,10 +12,6 @@
     device = "/var/media";
     options = [ "rbind" ];
   };
-  fileSystems."/var/export/pub" = {
-    device = "/var/www/sites/uninsane.org/share";
-    options = [ "rbind" ];
-  };
   # fileSystems."/var/export/playground" = {
   #   device = config.fileSystems."/mnt/persist/ext".device;
   #   fsType = "btrfs";
@@ -55,4 +51,11 @@
       - be a friendly troll
     '';
   };
+
+  sane.fs."/var/export/.public_for_test/test" = {
+    wantedBy = [ "nfs.service" "sftpgo.service" ];
+    file.text = ''
+      automated tests read this file to probe connectivity
+    '';
+  };
 }

hosts/by-name/servo/services/export/sftpgo/external_auth_hook

@@ -129,14 +129,14 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
     return mkAuthOk(username, permissions = {
       "/": PERM_RW,
       "/playground": PERM_RW,
-      "/pub": PERM_RO,
+      "/.public_for_test": PERM_RO,
     })
   if isWireguard(ip):
     # allow any user from wireguard
     return mkAuthOk(username, permissions = {
       "/": PERM_RW,
       "/playground": PERM_RW,
-      "/pub": PERM_RO,
+      "/.public_for_test": PERM_RO,
     })
   if isLan(ip):
     if username == "anonymous":
@@ -144,7 +144,7 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
       return mkAuthOk("anonymous", permissions = {
         "/": PERM_RO,
         "/playground": PERM_RW,
-        "/pub": PERM_RO,
+        "/.public_for_test": PERM_RO,
       })
   if username == "anonymous":
     # anonymous users from the www can have even more limited access.
@@ -154,7 +154,7 @@ def getAuthResponse(ip: str, username: str, password: str) -> dict:
       "/": PERM_LIST,  #< REQUIRED, even for lftp to list a subdir
       "/media": PERM_DENY,
       "/playground": PERM_DENY,
-      "/pub": PERM_RO,
+      "/.public_for_test": PERM_RO,
       # "/README.md": PERM_RO,  #< does not work
     })
 

hosts/by-name/servo/services/nginx.nix

@@ -99,6 +99,16 @@ in
         disable_symlinks on;
       '';
     };
+    locations."/share/Ubunchu/" = {
+      alias = "/var/media/Books/Visual/HiroshiSeo/Ubunchu/";
+      extraConfig = ''
+        # autoindex => render directory listings
+        autoindex on;
+        # don't follow any symlinks when serving files
+        # otherwise it allows a directory escape
+        disable_symlinks on;
+      '';
+    };
 
     # allow matrix users to discover that @user:uninsane.org is reachable via matrix.uninsane.org
     locations."= /.well-known/matrix/server".extraConfig =
@@ -180,6 +190,8 @@ in
 
   sane.persist.sys.byStore.plaintext = [
     { user = "acme"; group = "acme"; path = "/var/lib/acme"; method = "bind"; }
+  ];
+  sane.persist.sys.byStore.private = [
     { user = "colin"; group = "users"; path = "/var/www/sites"; method = "bind"; }
   ];
   sane.persist.sys.byStore.ephemeral = [

scripts/check-uninsane

@@ -96,8 +96,8 @@ check "servo-hn wireguard network" ping -c 1 -W 3 servo-hn
 
 check "git.uninsane.org" git ls-remote https://git.uninsane.org/colin/nix-files.git --quiet
 
-check "ftps://ftp.uninsane.org" curl --silent ftps://ftp.uninsane.org/pub/test
-check "[DOOF] ftps://ftp.uninsane.org" curl "--connect-to" "ftp.uninsane.org:80:$DOOF_IPV4:80" --silent ftps://ftp.uninsane.org/pub/test
+check "ftps://ftp.uninsane.org" curl --silent ftps://ftp.uninsane.org/.public_for_test/test
+check "[DOOF] ftps://ftp.uninsane.org" curl "--connect-to" "ftp.uninsane.org:80:$DOOF_IPV4:80" --silent ftps://ftp.uninsane.org/.public_for_test/test
 
 _zpoolStatus() {
   runOnHost servo zpool status | grep "errors: No known data errors"