-rw-r--r-- | hosts/surtr/etebase/default.nix | 2 | ||||
-rw-r--r-- | hosts/surtr/http/default.nix | 3 | ||||
-rw-r--r-- | hosts/surtr/http/webdav/default.nix | 11 |
3 files changed, 3 insertions, 13 deletions
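--- a/hosts/surtr/etebase/default.nix
+++ b/hosts/surtr/etebase/default.nix
@@ -97,7 +97,7 @@
 
 systemd.services.nginx = {
 serviceConfig = {
-ReadPaths = [
+ReadOnlyPaths = [
 config.services.etebase-server.settings.global.static_root
 pkgs.etesync-web
 ];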
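--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -8,7 +8,7 @@
 services.nginx = {
 enable = true;
 package = pkgs.nginxQuic;
-recommendedGzipSettings = true;
+recommendedGzipSettings = false;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
 sslDhparam = config.security.dhparams.params.nginx.path;
@@ -35,7 +35,6 @@
 systemd.services.nginx = {
 preStart = lib.mkForce config.services.nginx.preStart;
 serviceConfig = {
-SupplementaryGroups = [ "shadow" ];
 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" "nginx-proxy-bodies" ];
 RuntimeDirectoryMode = "0750";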
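Review bot: `recommendedGzipSettings = false;` in the first hunk carries no comment saying why compression is switched off, and nothing on the page gives a reason. If the intent is to avoid compression side channels on authenticated responses served over TLS, or to work around a module problem, state it next to the option, e.g. `# gzip off: <reason>`, so it is not flipped back later. The second hunk's removal of `SupplementaryGroups = [ "shadow" ]` matches the PAM removal in webdav/default.nix; it is worth confirming that no other virtual host on this nginx instance still uses `auth_pam`, since it would lose read access to the shadow database. Both attribute sets continue outside their hunks.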
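--- a/hosts/surtr/http/webdav/default.nix
+++ b/hosts/surtr/http/webdav/default.nix
@@ -20,13 +20,6 @@ let
 };
 in {
 config = {
-security.pam.services."webdav".text = ''
-auth requisite pam_succeed_if.so user ingroup webdav quiet_success
-auth required pam_unix.so likeauth nullok nodelay quiet
-account sufficient pam_unix.so quiet
-'';
-users.groups."webdav" = {};
-
 services.nginx = {
 # upstreams."py-webdav" = {
 # servers = {
@@ -44,9 +37,6 @@ in {
 locations = {
 "/".extraConfig = ''
 root /srv/files/$remote_user;
-
-auth_pam "WebDAV";
-auth_pam_service_name "webdav";
 '';
 
 # "/py/".extraConfig = ''
@@ -68,6 +58,7 @@ in {
 
 add_header Strict-Transport-Security "max-age=63072000" always;
 '';
+basicAuthFile = pkgs.writeText "htpasswd" (concatMapStringsSep "\n" (user: "${user}:${config.users.users.${user}.hashedPassword}") ["gkleen"]);
 };
 };
 security.acme.rfc2136Domains."webdav.141.li" = {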
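Review bot: The added `basicAuthFile` in the last hunk builds the htpasswd with `pkgs.writeText`, so the login password hash of `gkleen` becomes a file in the Nix store, which is readable by every local user and travels wherever the system closure is copied. The same hash also serves as the HTTP Basic credential, so the WebDAV password remains the account's login password even though nginx no longer needs the shadow group. Consider a WebDAV-specific credential kept outside the store and referenced by path, `basicAuthFile = "<path to an htpasswd provisioned as a runtime secret>";`, readable only by the nginx user. The enclosing virtual-host attribute set starts outside the hunk.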