From b738f08c09898db5c7f038850e68a3463858dc30 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Tue, 16 Jun 2026 18:52:25 +0900
Subject: [PATCH] temmie/userweb: render path denylist into `Directory`/`Files`
 directives

---
 hosts/temmie/services/userweb/httpd.nix | 69 +++++++++++++++----------
 1 file changed, 42 insertions(+), 27 deletions(-)

diff --git a/hosts/temmie/services/userweb/httpd.nix b/hosts/temmie/services/userweb/httpd.nix
index 9b32cf2..f57998c 100644
--- a/hosts/temmie/services/userweb/httpd.nix
+++ b/hosts/temmie/services/userweb/httpd.nix
@@ -103,38 +103,53 @@ in
           Require all granted
         </Directory>
 
-        <DirectoryMatch "^/home/pvv/.*/web-docs/(${lib.concatStringsSep "|" [
-          "\\.git"
-          "\\.hg"
-          "\\.svn"
-          "\\.ssh"
-          "\\.env"
-          "\\.env\\..*"
-          "\\.envs"
-          "\\.envs\\..*"
-          "\\.envrc"
-          "\\.bzr"
-          "\\.venv"
+        ${lib.concatMapStringsSep "\n" (d: ''
+          <Directory "${d}">
+            Require all denied
+          </Directory>
+        '') [
+          ".git"
+          ".hg"
+          ".svn"
+          ".ssh"
+          ".bzr"
+          ".venv"
           "CVS"
           "RCS"
 
-          ".*\\.swp"
-          ".*~"
+          "*.bak"
+          "*.bak*"
+          "*.bkp"
+          "*.bkp*"
+          "*.backup"
+          "*.backup*"
+        ]}
 
-          ".*\\.bak"
-          ".*\\.bak.*"
-          ".*\\.bkp"
-          ".*\\.bkp.*"
-          ".*\\.backup"
-          ".*\\.backup.*"
-
-          ".*\\.lck"
-          ".*\\.lock"
-          "LCK\\.\\..*"
-        ]})(/|$)">
-            AllowOverride All
+        ${lib.concatMapStringsSep "\n" (d: ''
+          <Files "${d}">
             Require all denied
-        </DirectoryMatch>
+          </Files>
+        '') [
+          ".env"
+          ".env.*"
+          ".envs"
+          ".envs.*"
+          ".envrc"
+
+          "*.swp"
+          "*~"
+
+          "*.bak"
+          "*.bak*"
+          "*.bkp"
+          "*.bkp*"
+          "*.backup"
+          "*.backup*"
+
+          "*.lck"
+          "*.lock"
+          "LCK..*"
+        ]}
 
         <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
             SetHandler application/x-httpd-php