1 files changed, 67 insertions, 0 deletions
diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
new file mode 100644
index 00000000..a77252ff
--- /dev/null
+++ b/hosts/surtr/http/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./webdav
+  ];
+  
+  config = {
+    services.nginx = {
+      enable = true;
+      # package = pkgs.nginxQuic;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      sslDhparam = config.security.dhparams.params.nginx.path;
+      commonHttpConfig = ''
+        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+        log_format main
+                '$remote_addr "$remote_user" '
+                '"$host" "$request" $status $bytes_sent '
+                '"$http_referer" "$http_user_agent" '
+                '$gzip_ratio';
+        access_log syslog:server=unix:/dev/log main;
+        error_log syslog:server=unix:/dev/log info;
+        client_body_temp_path /run/nginx-client-bodies;
+      '';
+      additionalModules = with pkgs.nginxModules; [ dav pam ];
+    };
+    systemd.services.nginx = {
+      preStart = lib.mkForce config.services.nginx.preStart;
+      serviceConfig = {
+        SupplementaryGroups = [ "shadow" ];
+        ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
+        RuntimeDirectoryMode = "0750";
+        NoNewPrivileges = lib.mkForce false;
+        PrivateDevices = lib.mkForce false;
+        ProtectHostname = lib.mkForce false;
+        ProtectKernelTunables = lib.mkForce false;
+        ProtectKernelModules = lib.mkForce false;
+        RestrictAddressFamilies = lib.mkForce [ ];
+        LockPersonality = lib.mkForce false;
+        MemoryDenyWriteExecute = lib.mkForce false;
+        RestrictRealtime = lib.mkForce false;
+        RestrictSUIDSGID = lib.mkForce false;
+        SystemCallArchitectures = lib.mkForce "";
+        ProtectClock = lib.mkForce false;
+        ProtectKernelLogs = lib.mkForce false;
+        RestrictNamespaces = lib.mkForce false;
+        SystemCallFilter = lib.mkForce "";
+        ReadWritePaths = [ "/srv/files" ];
+      };
+    };
+    services.uwsgi = {
+      enable = true;
+      plugins = ["python3"];
+      instance = {
+        type = "emperor";
+        vassals = {};
+      };
+    };
+  };
+}

diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix new file mode 100644 index 00000000..a77252ff --- /dev/null +++ b/hosts/surtr/http/default.nix
@@ -0,0 +1,67 @@
	1	{ config, lib, pkgs, ... }:
	2	{
	3	imports = [
	4	./webdav
	5	];
	6
	7	config = {
	8	services.nginx = {
	9	enable = true;
	10	# package = pkgs.nginxQuic;
	11	recommendedGzipSettings = true;
	12	recommendedProxySettings = true;
	13	recommendedTlsSettings = true;
	14	sslDhparam = config.security.dhparams.params.nginx.path;
	15	commonHttpConfig = ''
	16	ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
	17
	18	log_format main
	19	'$remote_addr "$remote_user" '
	20	'"$host" "$request" $status $bytes_sent '
	21	'"$http_referer" "$http_user_agent" '
	22	'$gzip_ratio';
	23
	24	access_log syslog:server=unix:/dev/log main;
	25	error_log syslog:server=unix:/dev/log info;
	26
	27	client_body_temp_path /run/nginx-client-bodies;
	28	'';
	29	additionalModules = with pkgs.nginxModules; [ dav pam ];
	30	};
	31	systemd.services.nginx = {
	32	preStart = lib.mkForce config.services.nginx.preStart;
	33	serviceConfig = {
	34	SupplementaryGroups = [ "shadow" ];
	35	ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
	36	RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
	37	RuntimeDirectoryMode = "0750";
	38
	39	NoNewPrivileges = lib.mkForce false;
	40	PrivateDevices = lib.mkForce false;
	41	ProtectHostname = lib.mkForce false;
	42	ProtectKernelTunables = lib.mkForce false;
	43	ProtectKernelModules = lib.mkForce false;
	44	RestrictAddressFamilies = lib.mkForce [ ];
	45	LockPersonality = lib.mkForce false;
	46	MemoryDenyWriteExecute = lib.mkForce false;
	47	RestrictRealtime = lib.mkForce false;
	48	RestrictSUIDSGID = lib.mkForce false;
	49	SystemCallArchitectures = lib.mkForce "";
	50	ProtectClock = lib.mkForce false;
	51	ProtectKernelLogs = lib.mkForce false;
	52	RestrictNamespaces = lib.mkForce false;
	53	SystemCallFilter = lib.mkForce "";
	54	ReadWritePaths = [ "/srv/files" ];
	55	};
	56	};
	57
	58	services.uwsgi = {
	59	enable = true;
	60	plugins = ["python3"];
	61	instance = {
	62	type = "emperor";
	63	vassals = {};
	64	};
	65	};
	66	};
	67	}