authorGregor Kleen <gkleen@yggdrasil.li>2022-01-31 18:40:51 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-01-31 18:40:51 +0100
commit75b43f4af0e9aafae43d49aa99d0bb17e05082fd (patch)
tree84c452f07e77a84aa572a844cdb4a17c70a7d5ef
parente8ba7fa302c7f4c2a9dc7a5dc1e1b1a633bd7133 (diff)
-rw-r--r--hosts/surtr/http.nix56
1 files changed, 21 insertions, 35 deletions
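--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -1,35 +1,7 @@
 { config, lib, pkgs, ... }:
 {
 config = {
-services.webdav-server-rs = {
-enable = true;
-settings = {
-server.listen = [ "127.0.0.1:4918" ];
-accounts = {
-auth-type = "pam";
-acct-type = "unix";
-};
-pam = {
-service = "webdav-server-rs";
-};
-location = [
-{
-route = [ "/*path" ];
-auth = "true";
-handler = "filesystem";
-setuid = true;
-directory = "/srv/files";
-}
-];
-};
-};
-systemd.services.webdav-server-rs = {
-serviceConfig = {
-RuntimeDirectory = "webdav-server-rs";
-RuntimeDirectoryMode = "0755";
-};
-};
-security.pam.services."webdav-server-rs".text = ''
+security.pam.services."webdav".text = ''
 auth requisite pam_succeed_if.so user ingroup webdav
 auth required pam_unix.so audit likeauth nullok nodelay
 account sufficient pam_unix.so
@@ -44,20 +16,32 @@
 commonHttpConfig = ''
 ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
 '';
-upstreams.webdav = {
-servers = { "127.0.0.1:4918" = {}; };
-};
+additionalModules = with pkgs.nginxModules; [ dav pam ];
 virtualHosts = {
 "webdav.141.li" = {
 forceSSL = true;
 sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
 sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
-locations."/" = {
-proxyPass = "http://webdav/";
-};
+locations."/".extraConfig = ''
+root /srv/files/$remote_user;
+
+auth_pam "WebDAV";
+auth_pam_service_name "webdav";
+'';
+extraConfig = ''
+dav_methods PUT DELETE MKCOL COPY MOVE;
+dav_ext_methods PROPFIND OPTIONS;
+dav_access user:rw;
+autoindex on;
+
+client_body_temp_path /run/nginx/client-bodies;
+client_max_body_size 0;
+create_full_put_path on;
+'';
 };
 };
 };
+users.users."nginx".extraGroups = [ "shadow" ];
 security.acme.domains."webdav.141.li" = {
 zone = "141.li";
 certCfg = {
@@ -74,6 +58,8 @@
 "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
 "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
 ];
+RuntimeDirectory = "nginx/client-bodies";
+RuntimeDirectoryMode = "0700";
 };
 };
 };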
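Review bot: `users.users."nginx".extraGroups = [ "shadow" ];` (new line 44) gives every nginx worker read access to /etc/shadow, presumably because pam_unix now runs inside nginx via `auth_pam` instead of inside the separate webdav-server-rs process that the first hunk removes. Whether this nginx instance also serves other virtual hosts is not visible in this file, but if it does, a compromise of any of them now exposes all local password hashes, which the previous process split kept isolated. The rewrite also drops the old `setuid = true`, so everything under `/srv/files/$remote_user` is read and written as the nginx user and the only remaining per-user separation is the `root` mapping rather than Unix ownership. `client_max_body_size 0;` additionally removes the upload size limit, with no quota visible here. The shadow line at least deserves a why-comment, e.g. `# pam_unix in nginx workers must read /etc/shadow; WebDAV users are now authenticated in-process via auth_pam`.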