...

1 files changed, 0 insertions, 99 deletions

diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
deleted file mode 100644
index af27f178..00000000
--- a/hosts/surtr/http.nix
+++ /dev/null
@@ -1,99 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  config = {
-    security.pam.services."webdav".text = ''
-      auth requisite  pam_succeed_if.so user ingroup webdav quiet_success
-      auth required   pam_unix.so likeauth nullok nodelay quiet
-      account sufficient pam_unix.so quiet
-    '';
-    users.groups."webdav" = {};
-    
-    services.nginx = {
-      enable = true;
-      # package = pkgs.nginxQuic;
-      recommendedGzipSettings = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      sslDhparam = config.security.dhparams.params.nginx.path;
-      commonHttpConfig = ''
-        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-
-        log_format main
-                '$remote_addr "$remote_user" '
-                '"$host" "$request" $status $bytes_sent '
-                '"$http_referer" "$http_user_agent" '
-                '$gzip_ratio';
-
-        access_log syslog:server=unix:/dev/log main;
-        error_log syslog:server=unix:/dev/log info;
-
-        client_body_temp_path /run/nginx-client-bodies;
-      '';
-      additionalModules = with pkgs.nginxModules; [ dav pam ];
-      virtualHosts = {
-        "webdav.141.li" = {
-          forceSSL = true;
-          sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
-          sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
-          sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
-          locations."/".extraConfig = ''
-            root /srv/files/$remote_user;            
-
-            auth_pam "WebDAV";
-            auth_pam_service_name "webdav";
-          '';
-          extraConfig = ''
-            dav_methods     PUT DELETE MKCOL COPY MOVE;
-            dav_ext_methods PROPFIND OPTIONS;
-            dav_access      user:rw;
-            autoindex on;
-
-            client_max_body_size    0;
-            create_full_put_path    on;
-
-            add_header Strict-Transport-Security "max-age=63072000" always;
-          '';
-        };
-      };
-    };
-    security.acme.domains."webdav.141.li" = {
-      zone = "141.li";
-      certCfg = {
-        postRun = ''
-          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
-        '';
-      };
-    };
-    systemd.services.nginx = {
-      preStart = lib.mkForce config.services.nginx.preStart;
-      serviceConfig = {
-        SupplementaryGroups = [ "shadow" ];
-        ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        LoadCredential = [
-          "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
-          "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
-          "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
-        ];
-        RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
-        RuntimeDirectoryMode = "0750";
-
-        NoNewPrivileges = lib.mkForce false;
-        PrivateDevices = lib.mkForce false;
-        ProtectHostname = lib.mkForce false;
-        ProtectKernelTunables = lib.mkForce false;
-        ProtectKernelModules = lib.mkForce false;
-        RestrictAddressFamilies = lib.mkForce [ ];
-        LockPersonality = lib.mkForce false;
-        MemoryDenyWriteExecute = lib.mkForce false;
-        RestrictRealtime = lib.mkForce false;
-        RestrictSUIDSGID = lib.mkForce false;
-        SystemCallArchitectures = lib.mkForce "";
-        ProtectClock = lib.mkForce false;
-        ProtectKernelLogs = lib.mkForce false;
-        RestrictNamespaces = lib.mkForce false;
-        SystemCallFilter = lib.mkForce "";
-        ReadWritePaths = [ "/srv/files" ];
-      };
-    };
-  };
-}