From d02524bb8fa79ef13e7e1f403b64c04a7a848322 Mon Sep 17 00:00:00 2001
From: Inex Code <inex.code@selfprivacy.org>
Date: Tue, 31 Oct 2023 17:22:15 +0300
Subject: [PATCH 1/2] refactor(ssh): Disable password auth by default

---
 variables-module.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables-module.nix b/variables-module.nix
index a328b8c..1627467 100644
--- a/variables-module.nix
+++ b/variables-module.nix
@@ -187,7 +187,7 @@ in
         description = ''
           Password authentication for SSH
         '';
-        default = true;
+        default = false;
         type = types.nullOr types.bool;
       };
     };

From 1464d7f3bda349d7eea01f1bff68748164ad53d9 Mon Sep 17 00:00:00 2001
From: Inex Code <inex.code@selfprivacy.org>
Date: Tue, 31 Oct 2023 17:27:46 +0300
Subject: [PATCH 2/2] feat(nginx): Allow serving static files at root domain

---
 files.nix           | 1 +
 webserver/nginx.nix | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/files.nix b/files.nix
index 6a43ed1..6e25cae 100644
--- a/files.nix
+++ b/files.nix
@@ -25,6 +25,7 @@ in
       "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
       (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
       "d /var/sieve 0770 virtualMail virtualMail - -"
+      "d /var/www/root 0750 nginx nginx - -"
     ];
   system.activationScripts =
     let
diff --git a/webserver/nginx.nix b/webserver/nginx.nix
index eacc916..c04efc8 100644
--- a/webserver/nginx.nix
+++ b/webserver/nginx.nix
@@ -32,6 +32,11 @@ in
           proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
           expires 10m;
         '';
+        locations = {
+          "/" = {
+            root = "/var/www/root";
+          };
+        };
       };
       "vpn.${domain}" = {
         sslCertificate = "/var/lib/acme/wildcard-${domain}/fullchain.pem";