-rw-r--r--custom/ymir-nginx.nix35
-rw-r--r--users/gkleen.nix2
-rw-r--r--ymir.nix41
3 files changed, 38 insertions, 40 deletions
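--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -175,6 +175,8 @@ in {
 listen [::]:443 ssl;
 server_name ~^(.*\.)?bragi\.(yggdrasil\.li|141\.li)$;
 
+include ${acme};
+
 location / {
 auth_basic "Reverse proxy to bragi";
 auth_basic_user_file /srv/www/bragi/htpasswd;
@@ -182,39 +184,6 @@ in {
 proxy_pass http://bragi.asgard.yggdrasil/;
 }
 }
-
-server {
-listen *:80;
-listen [::]:80;
-server_name ~^webdav\.(yggdrasil\.li|141\.li|praseodym\.org)$;
-
-include ${acme};
-
-location / {
-return 301 https://$host$request_uri;
-}
-}
-
-server {
-listen *:443 ssl;
-listen [::]:443 ssl;
-
-server_name ~^webdav\.(yggdrasil\.li|141\.li|praseodym\.org)$;
-
-client_body_temp_path /tmp/webdav;
-
-location ~ ^/(.+?)(/.*)?$ {
-alias /srv/www/webdav/$1$2;
-autoindex on;
-
-auth_basic "WebDAV directory ‘$1’";
-auth_basic_user_file /srv/www/webdav/$1.htpasswd;
-
-dav_methods PUT DELETE MKCOL COPY MOVE;
-create_full_put_path on;
-dav_access user:rw group:r all:r;
-}
-}
 '';
 };
 }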
diff --git a/users/gkleen.nix b/users/gkleen.nix
index a71a2905..1beaf1c3 100644
--- a/users/gkleen.nix
+++ b/users/gkleen.nix
@@ -1,7 +1,7 @@
1{ 1{
2 name = "gkleen"; 2 name = "gkleen";
3 description = "Gregor Kleen"; 3 description = "Gregor Kleen";
4 extraGroups = [ "wheel" "network" "lp" "dialout" "audio" "xmpp" "mail" "webdav" "ssh" "vboxusers" ]; 4 extraGroups = [ "wheel" "network" "lp" "dialout" "audio" "xmpp" "mail" "ftp" "ssh" "vboxusers" ];
5 group = "users"; 5 group = "users";
6 uid = 1000; 6 uid = 1000;
7 createHome = true; 7 createHome = true;
diff --git a/ymir.nix b/ymir.nix
index c38259b4..0d7de78d 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -14,10 +14,10 @@ let
14 }; 14 };
15 }; 15 };
16 myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org" 16 myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
17 "webdav.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "bragi.141.li" 17 "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "bragi.141.li"
18 "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li" 18 "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li"
19 "webdav.yggdrasil.li" "files.yggdrasil.li" "f.yggdrasil.li" "ymir.yggdrasil.li" "git.yggdrasil.li" "www.yggdrasil.li" "yggdrasil.li" "lists.yggdrasil.li" "l.yggdrasil.li" "bragi.yggdrasil.li" 19 "files.yggdrasil.li" "f.yggdrasil.li" "ymir.yggdrasil.li" "git.yggdrasil.li" "www.yggdrasil.li" "yggdrasil.li" "lists.yggdrasil.li" "l.yggdrasil.li" "bragi.yggdrasil.li"
20 "webdav.praseodym.org" "files.praseodym.org" "f.praseodym.org" "ymir.praseodym.org" "praseodym.org" "www.praseodym.org" "lists.praseodym.org" "l.praseodym.org" 20 "files.praseodym.org" "f.praseodym.org" "ymir.praseodym.org" "praseodym.org" "www.praseodym.org" "lists.praseodym.org" "l.praseodym.org"
21 "git.rheperire.org" "api.rheperire.org" "www.rheperire.org" "rheperire.org" 21 "git.rheperire.org" "api.rheperire.org" "www.rheperire.org" "rheperire.org"
22 "ymir.kleen.li" "kleen.li" "www.kleen.li" 22 "ymir.kleen.li" "kleen.li" "www.kleen.li"
23 "ymir.nights.email" "nights.email" "www.nights.email" 23 "ymir.nights.email" "nights.email" "www.nights.email"
@@ -140,7 +140,8 @@ in rec {
140 firewall = { 140 firewall = {
141 enable = true; 141 enable = true;
142 allowPing = true; 142 allowPing = true;
143 allowedTCPPorts = [ 22 # ssh 143 allowedTCPPorts = [ 21 # ftp
144 22 # ssh
144 25 # smtp 145 25 # smtp
145 143 # imap 146 143 # imap
146 993 # imaps 147 993 # imaps
@@ -159,6 +160,8 @@ in rec {
159 allowedUDPPorts = [ 64738 # murmur 160 allowedUDPPorts = [ 64738 # murmur
160 53 # DNS 161 53 # DNS
161 ]; 162 ];
163 allowedTCPPortRanges = [ { from = 20000; to = 21000; } # ftp
164 ];
162 allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh 165 allowedUDPPortRanges = [ { from = 60000; to = 61000; } # mosh
163 ]; 166 ];
164 }; 167 };
@@ -961,7 +964,33 @@ in rec {
961 onFailure = [ "nixos-upgrade" "postfix" "dovecot2" "prosody" "opendkim" "nsd" "unbound" "tinc.yggdrasil" "postsrsd" ]; 964 onFailure = [ "nixos-upgrade" "postfix" "dovecot2" "prosody" "opendkim" "nsd" "unbound" "tinc.yggdrasil" "postsrsd" ];
962 }; 965 };
963 966
964 users.extraGroups."webdav" = { 967 services.vsftpd = {
965 members = [ "nginx" ]; 968 enable = true;
969 forceLocalLoginsSSL = true;
970 forceLocalDataSSL = true;
971 localUsers = true;
972 writeEnable = true;
973 chrootlocalUser = true;
974 rsaKeyFile = "/var/lib/acme/yggdrasil.li/key.pem";
975 rsaCertFile = "/var/lib/acme/yggdrasil.li/fullchain.pem";
976 extraConfig = ''
977 pam_service_name=vsftpd
978
979 port_enable=no
980
981 pasv_enable=yes
982 pasv_max_port=21000
983 pasv_min_port=20000
984
985 allow_writeable_chroot=yes
986 '';
966 }; 987 };
988
989 security.pam.services."vsftpd".text = ''
990 auth requisite pam_succeed_if.so user ingroup ftp
991
992 auth include ftp
993 account include ftp
994 session include ftp
995 '';
967} 996}
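Review bot: `allow_writeable_chroot=yes` (new line 985) combined with `chrootlocalUser = true` and `writeEnable = true` disables the guard vsftpd applies by default — it refuses to run a chrooted session whose root directory is writable, because a user who can write the root of their own chroot weakens the isolation the chroot is meant to give. The safer layout is a root-owned, non-writable chroot root with a writable subdirectory for uploads (e.g. via `local_root` pointing below a non-writable parent), after which the `allow_writeable_chroot=yes` line can be dropped. The PAM stanza at new lines 989–995 delegates to `auth include ftp` / `account include ftp` / `session include ftp`; whether an `ftp` PAM service exists on this system is not visible here and worth confirming, since a missing include breaks logins rather than silently opening them. The passive range 20000–21000 opened by the firewall hunk (new line 163) matches `pasv_min_port`/`pasv_max_port`, which is consistent.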