From abcf6977ccdd9c5b3bf0482413da5d08508997c3 Mon Sep 17 00:00:00 2001
From: korenstin
Date: Sat, 28 Jun 2025 09:54:55 +0200
Subject: [PATCH] Correction des permissions
---
 hosts/vm/reverseproxy/default.nix | 1 +
 modules/services/reverseproxy.nix | 37 +++++++++++++++++--------------
 2 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/hosts/vm/reverseproxy/default.nix b/hosts/vm/reverseproxy/default.nix
index 4ab3dca..4dd7c56 100644
--- a/hosts/vm/reverseproxy/default.nix
+++ b/hosts/vm/reverseproxy/default.nix
@@ -140,6 +140,7 @@ in {
 boot.loader.grub.devices = [ "/dev/sda" ];
 users.users."nginx".home = "/var/lib/nginx";
+ users.users."anubis".extraGroups = [ "nginx" ];
 crans = {
 enable = true;
diff --git a/modules/services/reverseproxy.nix b/modules/services/reverseproxy.nix
index 75ac606..b8e45fd 100644
--- a/modules/services/reverseproxy.nix
+++ b/modules/services/reverseproxy.nix
@@ -95,23 +95,26 @@ in
 };
 config.services = mkIf cfg.enable {
- anubis.instances = mapAttrs (
- vhostName: vhostConfig: {
- enable = true;
- settings = {
- BIND = "/run/anubis/anubis-${vhostName}.sock";
- BIND_NETWORK = "unix";
- TARGET = "unix:///run/nginx/nginx-${vhostName}.sock";
- COOKIE_DOMAIN = "crans.org";
- REDIRECT_DOMAINS = "${vhostName}.crans.org";
- SOCKET_MODE = "0666";
- POLICY_FNAME =
- if (vhostConfig.anubisConfig == "")
- then allowAll
- else vhostConfig.anubisConfig;
- };
- }
- ) cfg.virtualHosts;
+ anubis = {
+ defaultOptions.group = "nginx";
+ instances = mapAttrs (
+ vhostName: vhostConfig: {
+ enable = true;
+ settings = {
+ BIND = "/run/anubis/anubis-${vhostName}.sock";
+ BIND_NETWORK = "unix";
+ TARGET = "unix:///run/nginx/nginx-${vhostName}.sock";
+ COOKIE_DOMAIN = "crans.org";
+ REDIRECT_DOMAINS = "${vhostName}.crans.org";
+ SOCKET_MODE = "0660";
+ POLICY_FNAME =
+ if (vhostConfig.anubisConfig == "")
+ then allowAll
+ else vhostConfig.anubisConfig;
+ };
+ }
+ ) cfg.virtualHosts;
+ };
 nginx = let
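Review bot: In hosts/vm/reverseproxy/default.nix, `users.users."anubis".extraGroups = [ "nginx" ];` gives the anubis account every group-level permission that nginx has, not only access to the per-vhost sockets under `/run/nginx`, and the line carries no comment saying which access it is for. If other files on this host are readable by group `nginx` (TLS private keys are a common case, though none are visible in this patch), anubis can now read them as well, so that list is worth checking before merging. The same grant appears a second time in modules/services/reverseproxy.nix as `defaultOptions.group = "nginx"`; if both are really needed, a comment such as `# anubis must open nginx's per-vhost sockets in /run/nginx` would record why, and if the module setting alone is enough this line can be dropped. Since the requirement comes from the shared module rather than from this host, the grant probably belongs in the module so that another host enabling it does not end up with mismatched socket permissions.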
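Review bot: In modules/services/reverseproxy.nix, `defaultOptions.group = "nginx";` applies to every anubis instance on the host, not only to the ones this `mapAttrs` generates, so an instance declared elsewhere would silently inherit the nginx group. Assuming the instance submodule accepts the same `group` option as `defaultOptions`, writing `group = "nginx";` next to `enable = true;` inside the generated instance would keep the change scoped to the sockets that `SOCKET_MODE = "0660"` is meant to protect. A short comment on `SOCKET_MODE`, for example `# group-only: nginx reaches this socket through the shared group`, would record that the mode and the group have to change together, since tightening one without the other breaks the proxy chain. The enclosing `config.services` attribute set continues past the end of the hunk, so the nginx side of the socket permissions is not visible here.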