1 files changed, 64 insertions, 0 deletions
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
new file mode 100644
index 00000000..fae1e690
--- /dev/null
+++ b/hosts/surtr/http.nix
@@ -0,0 +1,64 @@
+{ config, ... }:
+{
+  config = {
+    services.webdav-server-rs = {
+      enable = true;
+      settings = {
+        server.listen = [ "/run/webdav-server-rs/webdav-server-rs.sock" ];
+        accounts = {
+          auth-type = "pam";
+          acct-type = "unix";
+        };
+        pam = {
+          service = "webdav-server-rs";
+        };
+        location = [
+          {
+            route = [ "/*path" ];
+            methods = [ "all" ];
+            auth = "true";
+            handler = "virtroot";
+            setuid = true;
+            directory = "/srv/files";
+          }
+        ];
+      };
+    };
+    systemd.services.webdav-server-rs = {
+      serviceConfig = {
+        RuntimeDirectory = "webdav-server-rs";
+        RuntimeDirectoryMode = "0755";
+      };
+    };
+    security.pam.services."webdav-server-rs".text = ''
+      auth requisite  pam_succeed_if.so user ingroup webdav
+      auth required   pam_unix.so audit likeauth nullok nodelay
+      account sufficient pam_unix.so
+    '';
+    users.groups."webdav" = {};
+    
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      commonHttpConfig = ''
+        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+      '';
+      upstreams.webdav = {
+        servers = { "unix:/run/webdav-server-rs/webdav-server-rs.sock" = {}; };
+      };
+      virtualHosts = {
+        "webdav.141.li" = {
+          forceSSL = true;
+          sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
+          sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
+          locations."/" = {
+            proxyPass = "http://webdav/";
+          };
+        };
+      };
+    };
+    security.acme.domains."webdav.141.li" = {};
+  };
+}

diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix new file mode 100644 index 00000000..fae1e690 --- /dev/null +++ b/hosts/surtr/http.nix
@@ -0,0 +1,64 @@
	1	{ config, ... }:
	2	{
	3	config = {
	4	services.webdav-server-rs = {
	5	enable = true;
	6	settings = {
	7	server.listen = [ "/run/webdav-server-rs/webdav-server-rs.sock" ];
	8	accounts = {
	9	auth-type = "pam";
	10	acct-type = "unix";
	11	};
	12	pam = {
	13	service = "webdav-server-rs";
	14	};
	15	location = [
	16	{
	17	route = [ "/*path" ];
	18	methods = [ "all" ];
	19	auth = "true";
	20	handler = "virtroot";
	21	setuid = true;
	22	directory = "/srv/files";
	23	}
	24	];
	25	};
	26	};
	27	systemd.services.webdav-server-rs = {
	28	serviceConfig = {
	29	RuntimeDirectory = "webdav-server-rs";
	30	RuntimeDirectoryMode = "0755";
	31	};
	32	};
	33	security.pam.services."webdav-server-rs".text = ''
	34	auth requisite pam_succeed_if.so user ingroup webdav
	35	auth required pam_unix.so audit likeauth nullok nodelay
	36	account sufficient pam_unix.so
	37	'';
	38	users.groups."webdav" = {};
	39
	40	services.nginx = {
	41	enable = true;
	42	recommendedGzipSettings = true;
	43	recommendedProxySettings = true;
	44	recommendedTlsSettings = true;
	45	commonHttpConfig = ''
	46	ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
	47	'';
	48	upstreams.webdav = {
	49	servers = { "unix:/run/webdav-server-rs/webdav-server-rs.sock" = {}; };
	50	};
	51	virtualHosts = {
	52	"webdav.141.li" = {
	53	forceSSL = true;
	54	sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
	55	sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
	56	locations."/" = {
	57	proxyPass = "http://webdav/";
	58	};
	59	};
	60	};
	61	};
	62	security.acme.domains."webdav.141.li" = {};
	63	};
	64	}