1 files changed, 21 insertions, 35 deletions
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
index e7648e80..b1af31b8 100644
--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -1,35 +1,7 @@
 { config, lib, pkgs, ... }:
 {
  config = {
-    services.webdav-server-rs = {
+    security.pam.services."webdav".text = ''
-      enable = true;
-      settings = {
-        server.listen = [ "127.0.0.1:4918" ];
-        accounts = {
-          auth-type = "pam";
-          acct-type = "unix";
-        };
-        pam = {
-          service = "webdav-server-rs";
-        };
-        location = [
-          {
-            route = [ "/*path" ];
-            auth = "true";
-            handler = "filesystem";
-            setuid = true;
-            directory = "/srv/files";
-          }
-        ];
-      };
-    };
-    systemd.services.webdav-server-rs = {
-      serviceConfig = {
-        RuntimeDirectory = "webdav-server-rs";
-        RuntimeDirectoryMode = "0755";
-      };
-    };
-    security.pam.services."webdav-server-rs".text = ''
      auth requisite  pam_succeed_if.so user ingroup webdav
      auth required   pam_unix.so audit likeauth nullok nodelay
      account sufficient pam_unix.so
@@ -44,20 +16,32 @@
      commonHttpConfig = ''
        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
      '';
-      upstreams.webdav = {
+      additionalModules = with pkgs.nginxModules; [ dav pam ];
-        servers = { "127.0.0.1:4918" = {}; };
-      };
      virtualHosts = {
        "webdav.141.li" = {
          forceSSL = true;
          sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
          sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
-          locations."/" = {
+          locations."/".extraConfig = ''
-            proxyPass = "http://webdav/";
+            root /srv/files/$remote_user;            
-          };
+            auth_pam "WebDAV";
+            auth_pam_service_name "webdav";
+          '';
+          extraConfig = ''
+            dav_methods     PUT DELETE MKCOL COPY MOVE;
+            dav_ext_methods PROPFIND OPTIONS;
+            dav_access      user:rw;
+            autoindex on;
+            client_body_temp_path   /run/nginx/client-bodies;
+            client_max_body_size    0;
+            create_full_put_path    on;
+          '';
        };
      };
    };
+    users.users."nginx".extraGroups = [ "shadow" ];
    security.acme.domains."webdav.141.li" = {
      zone = "141.li";
      certCfg = {
@@ -74,6 +58,8 @@
          "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
          "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
        ];
+        RuntimeDirectory = "nginx/client-bodies";
+        RuntimeDirectoryMode = "0700";
      };
    };
  };

diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix index e7648e80..b1af31b8 100644 --- a/hosts/surtr/http.nix +++ b/hosts/surtr/http.nix
@@ -1,35 +1,7 @@
1	{ config, lib, pkgs, ... }:	1	{ config, lib, pkgs, ... }:
2	{	2	{
3	config = {	3	config = {
4	services.webdav-server-rs = {	4	security.pam.services."webdav".text = ''
5	enable = true;
6	settings = {
7	server.listen = [ "127.0.0.1:4918" ];
8	accounts = {
9	auth-type = "pam";
10	acct-type = "unix";
11	};
12	pam = {
13	service = "webdav-server-rs";
14	};
15	location = [
16	{
17	route = [ "/*path" ];
18	auth = "true";
19	handler = "filesystem";
20	setuid = true;
21	directory = "/srv/files";
22	}
23	];
24	};
25	};
26	systemd.services.webdav-server-rs = {
27	serviceConfig = {
28	RuntimeDirectory = "webdav-server-rs";
29	RuntimeDirectoryMode = "0755";
30	};
31	};
32	security.pam.services."webdav-server-rs".text = ''
33	auth requisite pam_succeed_if.so user ingroup webdav	5	auth requisite pam_succeed_if.so user ingroup webdav
34	auth required pam_unix.so audit likeauth nullok nodelay	6	auth required pam_unix.so audit likeauth nullok nodelay
35	account sufficient pam_unix.so	7	account sufficient pam_unix.so
@@ -44,20 +16,32 @@
44	commonHttpConfig = ''	16	commonHttpConfig = ''
45	ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;	17	ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
46	'';	18	'';
47	upstreams.webdav = {	19	additionalModules = with pkgs.nginxModules; [ dav pam ];
48	servers = { "127.0.0.1:4918" = {}; };
49	};
50	virtualHosts = {	20	virtualHosts = {
51	"webdav.141.li" = {	21	"webdav.141.li" = {
52	forceSSL = true;	22	forceSSL = true;
53	sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";	23	sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
54	sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";	24	sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
55	locations."/" = {	25	locations."/".extraConfig = ''
56	proxyPass = "http://webdav/";	26	root /srv/files/$remote_user;
57	};	27
		28	auth_pam "WebDAV";
		29	auth_pam_service_name "webdav";
		30	'';
		31	extraConfig = ''
		32	dav_methods PUT DELETE MKCOL COPY MOVE;
		33	dav_ext_methods PROPFIND OPTIONS;
		34	dav_access user:rw;
		35	autoindex on;
		36
		37	client_body_temp_path /run/nginx/client-bodies;
		38	client_max_body_size 0;
		39	create_full_put_path on;
		40	'';
58	};	41	};
59	};	42	};
60	};	43	};
		44	users.users."nginx".extraGroups = [ "shadow" ];
61	security.acme.domains."webdav.141.li" = {	45	security.acme.domains."webdav.141.li" = {
62	zone = "141.li";	46	zone = "141.li";
63	certCfg = {	47	certCfg = {
@@ -74,6 +58,8 @@
74	"webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"	58	"webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
75	"webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"	59	"webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
76	];	60	];
		61	RuntimeDirectory = "nginx/client-bodies";
		62	RuntimeDirectoryMode = "0700";
77	};	63	};
78	};	64	};
79	};	65	};