Currently a bind mount is used to let the nginx user see inside other users' homes:
bindUserDirs = sources: target: lib.mapAttrs' (user: dir: {
  name = target + user;
  value = {
    device = "${config.users.users.${user}.home}/${dir}";
    options = [ "bind" ];
  };
}) sources;
This works fine for just WWW, e.g.
fileSystems = bindUserDirs {
  cnx = "www";
} "${config.services.nginx.virtualHosts.${domain}.root}/~";
however, if the same is done for Gemini
fileSystems = (bindUserDirs {
  cnx = "gemini";
  # trailing slash needed: target + user must yield ".../users/cnx", not ".../userscnx"
} "${config.services.molly-brown.docBase}/users/") // bindUserDirs {
  cnx = "www";
} "${config.services.nginx.virtualHosts.${domain}.root}/~";
we hit a Nix bug (?):
# nixos-rebuild switch
building Nix...
building the system configuration...
error: infinite recursion encountered
at /nix/var/nix/profiles/per-user/root/channels/nixos/lib/modules.nix:746:9:
745| in warnDeprecation opt //
746| { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;
| ^
747| inherit (res.defsFinal') highestPrio;
(use '--show-trace' to show detailed location information)
Alternatively, we can just require user homes to be 755 like Debian, since I can see everything anyway.
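As an added example (not code from the issue or from the loang configuration), here are the same two sets of per-user bind mounts with fixed `fileSystems` attribute names and read-only bind options, so only a single subdirectory of each home is exposed rather than making whole homes 755. `domain` is a placeholder, and the idea that config-dependent attribute names are what triggers the infinite recursion is a hypothesis, not a confirmed diagnosis.

```nix
{ config, lib, ... }:
let
  domain = "example.org"; # placeholder for the `domain` binding used above
  # service -> prefix that user "<u>" is exposed under, as "<prefix><u>"
  targets = {
    www = "${config.services.nginx.virtualHosts.${domain}.root}/~";
    gemini = "${config.services.molly-brown.docBase}/users/";
  };
  # service -> { user = subdirectory of that user's home to expose }
  sources = {
    www = { cnx = "www"; };
    gemini = { cnx = "gemini"; };
  };
  # One fileSystems entry per (service, user).  The attribute name is a fixed
  # string, so enumerating fileSystems does not force config.services.* to be
  # evaluated; only mountPoint and device read config.  Hypothesis only: this
  # is intended to break the cycle behind the "infinite recursion" error.
  bindUserDirs = lib.foldl' (acc: set: acc // set) { } (lib.mapAttrsToList
    (service: users:
      lib.mapAttrs' (user: dir: {
        name = "${service}-${user}";
        value = {
          mountPoint = targets.${service} + user;
          device = "${config.users.users.${user}.home}/${dir}";
          # Read-only bind keeps the web daemons from writing into home
          # directories; nosuid/nodev/noexec since nothing there is executed.
          options = [ "bind" "ro" "nosuid" "nodev" "noexec" ];
        };
      }) users)
    sources);
in {
  fileSystems = bindUserDirs;
}
```

The exposed subdirectory itself (e.g. `~cnx/www`) must still be readable by the serving daemon's user; the bind mount only removes the need to traverse the home directory.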
Members were granted /var/lib/{www,gemini}/loang.net some time ago. Documentation is missing, though: https://todo.sr.ht/~cnx/loang/10