summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--hosts/surtr/etebase/default.nix2
-rw-r--r--hosts/surtr/http/default.nix3
-rw-r--r--hosts/surtr/http/webdav/default.nix11
3 files changed, 3 insertions, 13 deletions
diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix
index 3b0bd9d3..ddcd01a1 100644
--- a/hosts/surtr/etebase/default.nix
+++ b/hosts/surtr/etebase/default.nix
@@ -97,7 +97,7 @@
97 97
98 systemd.services.nginx = { 98 systemd.services.nginx = {
99 serviceConfig = { 99 serviceConfig = {
100 ReadPaths = [ 100 ReadOnlyPaths = [
101 config.services.etebase-server.settings.global.static_root 101 config.services.etebase-server.settings.global.static_root
102 pkgs.etesync-web 102 pkgs.etesync-web
103 ]; 103 ];
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index c70eb8f8..f3a7154e 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -8,7 +8,7 @@
8 services.nginx = { 8 services.nginx = {
9 enable = true; 9 enable = true;
10 package = pkgs.nginxQuic; 10 package = pkgs.nginxQuic;
11 recommendedGzipSettings = true; 11 recommendedGzipSettings = false;
12 recommendedProxySettings = true; 12 recommendedProxySettings = true;
13 recommendedTlsSettings = true; 13 recommendedTlsSettings = true;
14 sslDhparam = config.security.dhparams.params.nginx.path; 14 sslDhparam = config.security.dhparams.params.nginx.path;
@@ -35,7 +35,6 @@
35 systemd.services.nginx = { 35 systemd.services.nginx = {
36 preStart = lib.mkForce config.services.nginx.preStart; 36 preStart = lib.mkForce config.services.nginx.preStart;
37 serviceConfig = { 37 serviceConfig = {
38 SupplementaryGroups = [ "shadow" ];
39 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; 38 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
40 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" "nginx-proxy-bodies" ]; 39 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" "nginx-proxy-bodies" ];
41 RuntimeDirectoryMode = "0750"; 40 RuntimeDirectoryMode = "0750";
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
index f94935ee..24bc5866 100644
--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -20,13 +20,6 @@ let
20 }; 20 };
21in { 21in {
22 config = { 22 config = {
23 security.pam.services."webdav".text = ''
24 auth requisite pam_succeed_if.so user ingroup webdav quiet_success
25 auth required pam_unix.so likeauth nullok nodelay quiet
26 account sufficient pam_unix.so quiet
27 '';
28 users.groups."webdav" = {};
29
30 services.nginx = { 23 services.nginx = {
31 # upstreams."py-webdav" = { 24 # upstreams."py-webdav" = {
32 # servers = { 25 # servers = {
@@ -44,9 +37,6 @@ in {
44 locations = { 37 locations = {
45 "/".extraConfig = '' 38 "/".extraConfig = ''
46 root /srv/files/$remote_user; 39 root /srv/files/$remote_user;
47
48 auth_pam "WebDAV";
49 auth_pam_service_name "webdav";
50 ''; 40 '';
51 41
52 # "/py/".extraConfig = '' 42 # "/py/".extraConfig = ''
@@ -68,6 +58,7 @@ in {
68 58
69 add_header Strict-Transport-Security "max-age=63072000" always; 59 add_header Strict-Transport-Security "max-age=63072000" always;
70 ''; 60 '';
61 basicAuthFile = pkgs.writeText "htpasswd" (concatMapStringsSep "\n" (user: "${user}:${config.users.users.${user}.hashedPassword}") ["gkleen"]);
71 }; 62 };
72 }; 63 };
73 security.acme.rfc2136Domains."webdav.141.li" = { 64 security.acme.rfc2136Domains."webdav.141.li" = {