authorGregor Kleen <gkleen@yggdrasil.li>2022-07-10 11:51:34 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2022-07-10 11:51:34 +0200
commitffac1727b92167ca6847b7ae3adc71f091d8048f (patch)
tree7ff9c375782d347d6ef3da3a3d02b7e39aad3c44 /hosts/surtr/http
parent20e7a2a2544afd682f487327aa42d1899784db98 (diff)
...
Diffstat (limited to 'hosts/surtr/http')
-rw-r--r--hosts/surtr/http/default.nix67
-rw-r--r--hosts/surtr/http/webdav/default.nix96
-rw-r--r--hosts/surtr/http/webdav/py-webdav/.gitignore1
-rw-r--r--hosts/surtr/http/webdav/py-webdav/VERSION1
-rw-r--r--hosts/surtr/http/webdav/py-webdav/setup.py17
-rw-r--r--hosts/surtr/http/webdav/py-webdav/webdav/__init__.py1
-rw-r--r--hosts/surtr/http/webdav/py-webdav/webdav/webdav.py5
7 files changed, 188 insertions, 0 deletions
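--- /dev/null
+++ b/hosts/surtr/http/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ ./webdav
+ ];
+
+ config = {
+ services.nginx = {
+ enable = true;
+ # package = pkgs.nginxQuic;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ sslDhparam = config.security.dhparams.params.nginx.path;
+ commonHttpConfig = ''
+ ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+
+ log_format main
+ '$remote_addr "$remote_user" '
+ '"$host" "$request" $status $bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '$gzip_ratio';
+
+ access_log syslog:server=unix:/dev/log main;
+ error_log syslog:server=unix:/dev/log info;
+
+ client_body_temp_path /run/nginx-client-bodies;
+ '';
+ additionalModules = with pkgs.nginxModules; [ dav pam ];
+ };
+ systemd.services.nginx = {
+ preStart = lib.mkForce config.services.nginx.preStart;
+ serviceConfig = {
+ SupplementaryGroups = [ "shadow" ];
+ ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
+ RuntimeDirectoryMode = "0750";
+
+ NoNewPrivileges = lib.mkForce false;
+ PrivateDevices = lib.mkForce false;
+ ProtectHostname = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ RestrictAddressFamilies = lib.mkForce [ ];
+ LockPersonality = lib.mkForce false;
+ MemoryDenyWriteExecute = lib.mkForce false;
+ RestrictRealtime = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
+ SystemCallArchitectures = lib.mkForce "";
+ ProtectClock = lib.mkForce false;
+ ProtectKernelLogs = lib.mkForce false;
+ RestrictNamespaces = lib.mkForce false;
+ SystemCallFilter = lib.mkForce "";
+ ReadWritePaths = [ "/srv/files" ];
+ };
+ };
+
+ services.uwsgi = {
+ enable = true;
+ plugins = ["python3"];
+ instance = {
+ type = "emperor";
+ vassals = {};
+ };
+ };
+ };
+}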
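Review bot: The run of `lib.mkForce false` entries in `systemd.services.nginx.serviceConfig` switches off essentially every hardening directive the NixOS nginx module sets (NoNewPrivileges, SystemCallFilter, RestrictAddressFamilies, MemoryDenyWriteExecute, ProtectKernelTunables, RestrictNamespaces, …) without recording why. Presumably only a subset is needed for the pam module together with the "shadow" supplementary group — pam_unix's setuid helper is the usual reason NoNewPrivileges has to go — but nothing on the page shows that the syscall filter, address-family restriction or kernel-tunable protection actually get in the way; I would re-enable each directive individually and keep only those that demonstrably break PAM authentication, with a comment per exception such as `# NoNewPrivileges=false: pam_unix needs the setuid unix_chkpwd helper (TODO confirm)`. Leaving SystemCallFilter and RestrictAddressFamilies cleared on a network-facing worker that also loads the dav module considerably widens what a module bug can reach.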
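--- /dev/null
+++ b/hosts/surtr/http/webdav/default.nix
@@ -0,0 +1,96 @@
+{ config, libs, pkgs, flakeInputs, ... }:
+let
+ webdavSocket = config.services.uwsgi.runDir + "/webdav.sock";
+
+ webdavApp = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage {
+ ignoreDataOutdated = true;
+ pname = "py-webdav";
+ version = builtins.readFile ./py-webdav/VERSION;
+ src = ./py-webdav;
+ python = "python3";
+ requirements = ''
+ PyNaCl ==1.5.*
+ psycopg ==3.0.*
+ WsgiDAV ==4.0.*
+ '';
+ };
+in {
+ config = {
+ security.pam.services."webdav".text = ''
+ auth requisite pam_succeed_if.so user ingroup webdav quiet_success
+ auth required pam_unix.so likeauth nullok nodelay quiet
+ account sufficient pam_unix.so quiet
+ '';
+ users.groups."webdav" = {};
+
+ services.nginx = {
+ upstreams."py-webdav" = {
+ servers = {
+ "unix://${webdavSocket}" = {};
+ };
+ };
+
+ virtualHosts."webdav.141.li" = {
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
+ locations = {
+ "/".extraConfig = ''
+ root /srv/files/$remote_user;
+
+ auth_pam "WebDAV";
+ auth_pam_service_name "webdav";
+ '';
+
+ "/py/".extraConfig = ''
+ rewrite ^/py(.*) $1 break;
+
+ include ${config.services.nginx.package}/conf/uwsgi_params;
+ uwsgi_param SCRIPT_NAME /py;
+ uwsgi_pass py-webdav;
+ '';
+ };
+ extraConfig = ''
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ dav_ext_methods PROPFIND OPTIONS;
+ dav_access user:rw;
+ autoindex on;
+
+ client_max_body_size 0;
+ create_full_put_path on;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+ '';
+ };
+ };
+ security.acme.domains."webdav.141.li" = {
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+
+ systemd.services.nginx.serviceConfig.LoadCredential = [
+ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+ "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+ "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+ ];
+
+
+ services.uwsgi.instance.vassals.webdav = {
+ type = "normal";
+ socket = webdavSocket;
+ listen = 1024;
+ master = true;
+ vacuum = true;
+ chown-socket = "${config.services.nginx.user}:${config.services.uwsgi.group}";
+
+ plugins = ["python3"];
+ pythonPackages = self: [webdavApp];
+ module = "webdav";
+ callable = "app";
+ };
+ };
+}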
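Review bot: The PAM stack passes `nullok` to pam_unix, so any account in the webdav group whose password field is empty authenticates over HTTP Basic auth against this Internet-facing vhost; unless that is deliberate it should read `auth required pam_unix.so likeauth nodelay quiet`. The `/py/` location carries no `auth_pam` directive, so the uwsgi backend is reachable without credentials while `/` is gated — the same `auth_pam "WebDAV"; auth_pam_service_name "webdav";` pair belongs there too, especially while the Python app behind it just echoes its request environment. The per-user `root /srv/files/$remote_user;` is only safe because auth_pam runs first and pam_succeed_if only accepts existing group members; a one-line comment stating that dependency would stop someone from loosening the auth block later. The module header takes `libs` rather than `lib`; harmless because it is unused and `...` is present, but it looks like a typo.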
diff --git a/hosts/surtr/http/webdav/py-webdav/.gitignore b/hosts/surtr/http/webdav/py-webdav/.gitignore
new file mode 100644
index 00000000..ed8ebf58
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/.gitignore
@@ -0,0 +1 @@
__pycache__ \ No newline at end of file
diff --git a/hosts/surtr/http/webdav/py-webdav/VERSION b/hosts/surtr/http/webdav/py-webdav/VERSION
new file mode 100644
index 00000000..6e8bf73a
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/VERSION
@@ -0,0 +1 @@
0.1.0
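--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/setup.py
@@ -0,0 +1,17 @@
+import setuptools
+
+with open('VERSION', 'r', encoding='utf-8') as version_file:
+ version = version_file.read().strip()
+
+setuptools.setup(
+ name="py-webdav",
+ version=version,
+ package_dir={"": "."},
+ packages=setuptools.find_packages(),
+ python_requires=">=3.8",
+ install_requires=[
+ "PyNaCl ==1.5.*",
+ "psycopg ==3.0.*",
+ "WsgiDAV ==4.0.*",
+ ],
+)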
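Review bot: `open('VERSION', ...)` resolves against the current working directory rather than the location of setup.py, so the build raises FileNotFoundError whenever it is run from elsewhere (e.g. `python path/to/setup.py sdist`); anchoring it on the file avoids that: `version = (pathlib.Path(__file__).parent / 'VERSION').read_text(encoding='utf-8').strip()` with `import pathlib`. The `install_requires` pins duplicate the `requirements` string in the Nix module and have to be kept in sync by hand; a short comment noting that VERSION and these pins are also read by the Nix side would help the next editor.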
diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
new file mode 100644
index 00000000..398378e2
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
@@ -0,0 +1 @@
from .webdav import app
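--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py
@@ -0,0 +1,5 @@
+def app(env, start_response):
+ start_response('200 Success', [('Content-Type', 'text/plain; charset=utf-8')])
+ return [ bytes(f'{key}: {value}\n', 'utf8')
+ for key, value in env.items()
+ ]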
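Review bot: `app` writes every entry of the WSGI environ back to the client, which under uwsgi normally includes the request headers as `HTTP_*` keys as well as server-side paths and uwsgi parameters — so an `Authorization` header sent by the caller is reflected into the response body, and any unauthenticated visitor learns the backend's internal configuration. If this is a placeholder until the WsgiDAV application from the requirements is wired in, a module docstring saying so would help, and the body should shrink to a fixed string such as `return [b'py-webdav placeholder\n']`; if the dump is meant to stay for debugging, restrict it to an explicit allowlist of keys. The status line should also be the conventional `'200 OK'` rather than `'200 Success'`, since tooling occasionally compares the reason phrase.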