Diffstat (limited to 'hosts/surtr/http.nix')
-rw-r--r--hosts/surtr/http.nix99
1 files changed, 0 insertions, 99 deletions
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
deleted file mode 100644
index af27f178..00000000
--- a/hosts/surtr/http.nix
+++ /dev/null
@@ -1,99 +0,0 @@
1{ config, lib, pkgs, ... }:
2{
3 config = {
4 security.pam.services."webdav".text = ''
5 auth requisite pam_succeed_if.so user ingroup webdav quiet_success
6 auth required pam_unix.so likeauth nullok nodelay quiet
7 account sufficient pam_unix.so quiet
8 '';
9 users.groups."webdav" = {};
10
11 services.nginx = {
12 enable = true;
13 # package = pkgs.nginxQuic;
14 recommendedGzipSettings = true;
15 recommendedProxySettings = true;
16 recommendedTlsSettings = true;
17 sslDhparam = config.security.dhparams.params.nginx.path;
18 commonHttpConfig = ''
19 ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
20
21 log_format main
22 '$remote_addr "$remote_user" '
23 '"$host" "$request" $status $bytes_sent '
24 '"$http_referer" "$http_user_agent" '
25 '$gzip_ratio';
26
27 access_log syslog:server=unix:/dev/log main;
28 error_log syslog:server=unix:/dev/log info;
29
30 client_body_temp_path /run/nginx-client-bodies;
31 '';
32 additionalModules = with pkgs.nginxModules; [ dav pam ];
33 virtualHosts = {
34 "webdav.141.li" = {
35 forceSSL = true;
36 sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
37 sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
38 sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
39 locations."/".extraConfig = ''
40 root /srv/files/$remote_user;
41
42 auth_pam "WebDAV";
43 auth_pam_service_name "webdav";
44 '';
45 extraConfig = ''
46 dav_methods PUT DELETE MKCOL COPY MOVE;
47 dav_ext_methods PROPFIND OPTIONS;
48 dav_access user:rw;
49 autoindex on;
50
51 client_max_body_size 0;
52 create_full_put_path on;
53
54 add_header Strict-Transport-Security "max-age=63072000" always;
55 '';
56 };
57 };
58 };
59 security.acme.domains."webdav.141.li" = {
60 zone = "141.li";
61 certCfg = {
62 postRun = ''
63 ${pkgs.systemd}/bin/systemctl try-restart nginx.service
64 '';
65 };
66 };
67 systemd.services.nginx = {
68 preStart = lib.mkForce config.services.nginx.preStart;
69 serviceConfig = {
70 SupplementaryGroups = [ "shadow" ];
71 ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
72 LoadCredential = [
73 "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
74 "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
75 "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
76 ];
77 RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
78 RuntimeDirectoryMode = "0750";
79
80 NoNewPrivileges = lib.mkForce false;
81 PrivateDevices = lib.mkForce false;
82 ProtectHostname = lib.mkForce false;
83 ProtectKernelTunables = lib.mkForce false;
84 ProtectKernelModules = lib.mkForce false;
85 RestrictAddressFamilies = lib.mkForce [ ];
86 LockPersonality = lib.mkForce false;
87 MemoryDenyWriteExecute = lib.mkForce false;
88 RestrictRealtime = lib.mkForce false;
89 RestrictSUIDSGID = lib.mkForce false;
90 SystemCallArchitectures = lib.mkForce "";
91 ProtectClock = lib.mkForce false;
92 ProtectKernelLogs = lib.mkForce false;
93 RestrictNamespaces = lib.mkForce false;
94 SystemCallFilter = lib.mkForce "";
95 ReadWritePaths = [ "/srv/files" ];
96 };
97 };
98 };
99}