...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-07-10 11:51:34 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-07-10 11:51:34 +0200
commit: ffac1727b92167ca6847b7ae3adc71f091d8048f (patch)
tree: 7ff9c375782d347d6ef3da3a3d02b7e39aad3c44 /hosts/surtr/http
parent: 20e7a2a2544afd682f487327aa42d1899784db98 (diff)
download: nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.tar
nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.tar.gz
nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.tar.bz2
nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.tar.xz
nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.zip
7 files changed, 188 insertions, 0 deletions
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
new file mode 100644
index 00000000..a77252ff
--- /dev/null
+++ b/hosts/surtr/http/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./webdav
+  ];
+  
+  config = {
+    services.nginx = {
+      enable = true;
+      # package = pkgs.nginxQuic;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      sslDhparam = config.security.dhparams.params.nginx.path;
+      commonHttpConfig = ''
+        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+        log_format main
+                '$remote_addr "$remote_user" '
+                '"$host" "$request" $status $bytes_sent '
+                '"$http_referer" "$http_user_agent" '
+                '$gzip_ratio';
+        access_log syslog:server=unix:/dev/log main;
+        error_log syslog:server=unix:/dev/log info;
+        client_body_temp_path /run/nginx-client-bodies;
+      '';
+      additionalModules = with pkgs.nginxModules; [ dav pam ];
+    };
+    systemd.services.nginx = {
+      preStart = lib.mkForce config.services.nginx.preStart;
+      serviceConfig = {
+        SupplementaryGroups = [ "shadow" ];
+        ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
+        RuntimeDirectoryMode = "0750";
+        NoNewPrivileges = lib.mkForce false;
+        PrivateDevices = lib.mkForce false;
+        ProtectHostname = lib.mkForce false;
+        ProtectKernelTunables = lib.mkForce false;
+        ProtectKernelModules = lib.mkForce false;
+        RestrictAddressFamilies = lib.mkForce [ ];
+        LockPersonality = lib.mkForce false;
+        MemoryDenyWriteExecute = lib.mkForce false;
+        RestrictRealtime = lib.mkForce false;
+        RestrictSUIDSGID = lib.mkForce false;
+        SystemCallArchitectures = lib.mkForce "";
+        ProtectClock = lib.mkForce false;
+        ProtectKernelLogs = lib.mkForce false;
+        RestrictNamespaces = lib.mkForce false;
+        SystemCallFilter = lib.mkForce "";
+        ReadWritePaths = [ "/srv/files" ];
+      };
+    };
+    services.uwsgi = {
+      enable = true;
+      plugins = ["python3"];
+      instance = {
+        type = "emperor";
+        vassals = {};
+      };
+    };
+  };
+}
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
new file mode 100644
index 00000000..f0aec1e9
--- /dev/null
+++ b/hosts/surtr/http/webdav/default.nix
@@ -0,0 +1,96 @@
+{ config, libs, pkgs, flakeInputs, ... }:
+let
+  webdavSocket = config.services.uwsgi.runDir + "/webdav.sock";
+  webdavApp = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage {
+    ignoreDataOutdated = true;
+    pname = "py-webdav";
+    version = builtins.readFile ./py-webdav/VERSION;
+    src = ./py-webdav;
+    python = "python3";
+    requirements = ''
+      PyNaCl ==1.5.*
+      psycopg ==3.0.*
+      WsgiDAV ==4.0.*
+    '';
+  };
+in {
+  config = {
+    security.pam.services."webdav".text = ''
+      auth requisite  pam_succeed_if.so user ingroup webdav quiet_success
+      auth required   pam_unix.so likeauth nullok nodelay quiet
+      account sufficient pam_unix.so quiet
+    '';
+    users.groups."webdav" = {};
+    
+    services.nginx = {
+      upstreams."py-webdav" = {
+        servers = {
+          "unix://${webdavSocket}" = {};
+        };
+      };
+      
+      virtualHosts."webdav.141.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
+        locations = {
+          "/".extraConfig = ''
+            root /srv/files/$remote_user;            
+            auth_pam "WebDAV";
+            auth_pam_service_name "webdav";
+          '';
+          "/py/".extraConfig = ''
+            rewrite ^/py(.*) $1 break;
+            include ${config.services.nginx.package}/conf/uwsgi_params;
+            uwsgi_param SCRIPT_NAME /py;
+            uwsgi_pass py-webdav;
+          '';
+        };
+        extraConfig = ''
+          dav_methods     PUT DELETE MKCOL COPY MOVE;
+          dav_ext_methods PROPFIND OPTIONS;
+          dav_access      user:rw;
+          autoindex on;
+          client_max_body_size    0;
+          create_full_put_path    on;
+          add_header Strict-Transport-Security "max-age=63072000" always;
+        '';
+      };
+    };
+    security.acme.domains."webdav.141.li" = {
+      certCfg = {
+        postRun = ''
+          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+        '';
+      };
+    };
+    systemd.services.nginx.serviceConfig.LoadCredential = [
+      "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+      "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+      "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+    ];
+    services.uwsgi.instance.vassals.webdav = {
+      type = "normal";
+      socket = webdavSocket;
+      listen = 1024;
+      master = true;
+      vacuum = true;
+      chown-socket = "${config.services.nginx.user}:${config.services.uwsgi.group}";
+      
+      plugins = ["python3"];
+      pythonPackages = self: [webdavApp];
+      module = "webdav";
+      callable = "app";
+    };
+  };
+}
diff --git a/hosts/surtr/http/webdav/py-webdav/.gitignore b/hosts/surtr/http/webdav/py-webdav/.gitignore
new file mode 100644
index 00000000..ed8ebf58
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/.gitignore
@@ -0,0 +1 @@
+__pycache__
+\ No newline at end of file
diff --git a/hosts/surtr/http/webdav/py-webdav/VERSION b/hosts/surtr/http/webdav/py-webdav/VERSION
new file mode 100644
index 00000000..6e8bf73a
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/VERSION
@@ -0,0 +1 @@
+0.1.0
diff --git a/hosts/surtr/http/webdav/py-webdav/setup.py b/hosts/surtr/http/webdav/py-webdav/setup.py
new file mode 100644
index 00000000..dbe345c1
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/setup.py
@@ -0,0 +1,17 @@
+import setuptools
+with open('VERSION', 'r', encoding='utf-8') as version_file:
+    version = version_file.read().strip()
+setuptools.setup(
+    name="py-webdav",
+    version=version,
+    package_dir={"": "."},
+    packages=setuptools.find_packages(),
+    python_requires=">=3.8",
+    install_requires=[
+        "PyNaCl ==1.5.*",
+        "psycopg ==3.0.*",
+        "WsgiDAV ==4.0.*",
+    ],
+)
diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
new file mode 100644
index 00000000..398378e2
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
@@ -0,0 +1 @@
+from .webdav import app
diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py
new file mode 100644
index 00000000..783f5d82
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py
@@ -0,0 +1,5 @@
+def app(env, start_response):
+    start_response('200 Success', [('Content-Type', 'text/plain; charset=utf-8')])
+    return [ bytes(f'{key}: {value}\n', 'utf8')
+             for key, value in env.items()
+           ]
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-07-10 11:51:34 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-07-10 11:51:34 +0200
commit	ffac1727b92167ca6847b7ae3adc71f091d8048f (patch)
tree	7ff9c375782d347d6ef3da3a3d02b7e39aad3c44 /hosts/surtr/http
parent	20e7a2a2544afd682f487327aa42d1899784db98 (diff)
download	nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.tar nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.tar.gz nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.tar.bz2 nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.tar.xz nixos-ffac1727b92167ca6847b7ae3adc71f091d8048f.zip

diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix new file mode 100644 index 00000000..a77252ff --- /dev/null +++ b/hosts/surtr/http/default.nix
@@ -0,0 +1,67 @@
	1	{ config, lib, pkgs, ... }:
	2	{
	3	imports = [
	4	./webdav
	5	];
	6
	7	config = {
	8	services.nginx = {
	9	enable = true;
	10	# package = pkgs.nginxQuic;
	11	recommendedGzipSettings = true;
	12	recommendedProxySettings = true;
	13	recommendedTlsSettings = true;
	14	sslDhparam = config.security.dhparams.params.nginx.path;
	15	commonHttpConfig = ''
	16	ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
	17
	18	log_format main
	19	'$remote_addr "$remote_user" '
	20	'"$host" "$request" $status $bytes_sent '
	21	'"$http_referer" "$http_user_agent" '
	22	'$gzip_ratio';
	23
	24	access_log syslog:server=unix:/dev/log main;
	25	error_log syslog:server=unix:/dev/log info;
	26
	27	client_body_temp_path /run/nginx-client-bodies;
	28	'';
	29	additionalModules = with pkgs.nginxModules; [ dav pam ];
	30	};
	31	systemd.services.nginx = {
	32	preStart = lib.mkForce config.services.nginx.preStart;
	33	serviceConfig = {
	34	SupplementaryGroups = [ "shadow" ];
	35	ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
	36	RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
	37	RuntimeDirectoryMode = "0750";
	38
	39	NoNewPrivileges = lib.mkForce false;
	40	PrivateDevices = lib.mkForce false;
	41	ProtectHostname = lib.mkForce false;
	42	ProtectKernelTunables = lib.mkForce false;
	43	ProtectKernelModules = lib.mkForce false;
	44	RestrictAddressFamilies = lib.mkForce [ ];
	45	LockPersonality = lib.mkForce false;
	46	MemoryDenyWriteExecute = lib.mkForce false;
	47	RestrictRealtime = lib.mkForce false;
	48	RestrictSUIDSGID = lib.mkForce false;
	49	SystemCallArchitectures = lib.mkForce "";
	50	ProtectClock = lib.mkForce false;
	51	ProtectKernelLogs = lib.mkForce false;
	52	RestrictNamespaces = lib.mkForce false;
	53	SystemCallFilter = lib.mkForce "";
	54	ReadWritePaths = [ "/srv/files" ];
	55	};
	56	};
	57
	58	services.uwsgi = {
	59	enable = true;
	60	plugins = ["python3"];
	61	instance = {
	62	type = "emperor";
	63	vassals = {};
	64	};
	65	};
	66	};
	67	}


diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix new file mode 100644 index 00000000..f0aec1e9 --- /dev/null +++ b/hosts/surtr/http/webdav/default.nix
@@ -0,0 +1,96 @@
	1	{ config, libs, pkgs, flakeInputs, ... }:
	2	let
	3	webdavSocket = config.services.uwsgi.runDir + "/webdav.sock";
	4
	5	webdavApp = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage {
	6	ignoreDataOutdated = true;
	7	pname = "py-webdav";
	8	version = builtins.readFile ./py-webdav/VERSION;
	9	src = ./py-webdav;
	10	python = "python3";
	11	requirements = ''
	12	PyNaCl ==1.5.*
	13	psycopg ==3.0.*
	14	WsgiDAV ==4.0.*
	15	'';
	16	};
	17	in {
	18	config = {
	19	security.pam.services."webdav".text = ''
	20	auth requisite pam_succeed_if.so user ingroup webdav quiet_success
	21	auth required pam_unix.so likeauth nullok nodelay quiet
	22	account sufficient pam_unix.so quiet
	23	'';
	24	users.groups."webdav" = {};
	25
	26	services.nginx = {
	27	upstreams."py-webdav" = {
	28	servers = {
	29	"unix://${webdavSocket}" = {};
	30	};
	31	};
	32
	33	virtualHosts."webdav.141.li" = {
	34	forceSSL = true;
	35	sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
	36	sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
	37	sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
	38	locations = {
	39	"/".extraConfig = ''
	40	root /srv/files/$remote_user;
	41
	42	auth_pam "WebDAV";
	43	auth_pam_service_name "webdav";
	44	'';
	45
	46	"/py/".extraConfig = ''
	47	rewrite ^/py(.*) $1 break;
	48
	49	include ${config.services.nginx.package}/conf/uwsgi_params;
	50	uwsgi_param SCRIPT_NAME /py;
	51	uwsgi_pass py-webdav;
	52	'';
	53	};
	54	extraConfig = ''
	55	dav_methods PUT DELETE MKCOL COPY MOVE;
	56	dav_ext_methods PROPFIND OPTIONS;
	57	dav_access user:rw;
	58	autoindex on;
	59
	60	client_max_body_size 0;
	61	create_full_put_path on;
	62
	63	add_header Strict-Transport-Security "max-age=63072000" always;
	64	'';
	65	};
	66	};
	67	security.acme.domains."webdav.141.li" = {
	68	certCfg = {
	69	postRun = ''
	70	${pkgs.systemd}/bin/systemctl try-restart nginx.service
	71	'';
	72	};
	73	};
	74
	75	systemd.services.nginx.serviceConfig.LoadCredential = [
	76	"webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
	77	"webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
	78	"webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
	79	];
	80
	81
	82	services.uwsgi.instance.vassals.webdav = {
	83	type = "normal";
	84	socket = webdavSocket;
	85	listen = 1024;
	86	master = true;
	87	vacuum = true;
	88	chown-socket = "${config.services.nginx.user}:${config.services.uwsgi.group}";
	89
	90	plugins = ["python3"];
	91	pythonPackages = self: [webdavApp];
	92	module = "webdav";
	93	callable = "app";
	94	};
	95	};
	96	}


diff --git a/hosts/surtr/http/webdav/py-webdav/.gitignore b/hosts/surtr/http/webdav/py-webdav/.gitignore new file mode 100644 index 00000000..ed8ebf58 --- /dev/null +++ b/hosts/surtr/http/webdav/py-webdav/.gitignore
@@ -0,0 +1 @@
		__pycache__ \ No newline at end of file


diff --git a/hosts/surtr/http/webdav/py-webdav/VERSION b/hosts/surtr/http/webdav/py-webdav/VERSION new file mode 100644 index 00000000..6e8bf73a --- /dev/null +++ b/hosts/surtr/http/webdav/py-webdav/VERSION
@@ -0,0 +1 @@
		0.1.0


diff --git a/hosts/surtr/http/webdav/py-webdav/setup.py b/hosts/surtr/http/webdav/py-webdav/setup.py new file mode 100644 index 00000000..dbe345c1 --- /dev/null +++ b/hosts/surtr/http/webdav/py-webdav/setup.py
@@ -0,0 +1,17 @@
	1	import setuptools
	2
	3	with open('VERSION', 'r', encoding='utf-8') as version_file:
	4	version = version_file.read().strip()
	5
	6	setuptools.setup(
	7	name="py-webdav",
	8	version=version,
	9	package_dir={"": "."},
	10	packages=setuptools.find_packages(),
	11	python_requires=">=3.8",
	12	install_requires=[
	13	"PyNaCl ==1.5.*",
	14	"psycopg ==3.0.*",
	15	"WsgiDAV ==4.0.*",
	16	],
	17	)


diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py new file mode 100644 index 00000000..398378e2 --- /dev/null +++ b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
@@ -0,0 +1 @@
		from .webdav import app


diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py new file mode 100644 index 00000000..783f5d82 --- /dev/null +++ b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py
@@ -0,0 +1,5 @@
	1	def app(env, start_response):
	2	start_response('200 Success', [('Content-Type', 'text/plain; charset=utf-8')])
	3	return [ bytes(f'{key}: {value}\n', 'utf8')
	4	for key, value in env.items()
	5	]