1 files changed, 96 insertions, 0 deletions
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
new file mode 100644
index 00000000..f0aec1e9
--- /dev/null
+++ b/hosts/surtr/http/webdav/default.nix
@@ -0,0 +1,96 @@
+{ config, libs, pkgs, flakeInputs, ... }:
+let
+  webdavSocket = config.services.uwsgi.runDir + "/webdav.sock";
+  webdavApp = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage {
+    ignoreDataOutdated = true;
+    pname = "py-webdav";
+    version = builtins.readFile ./py-webdav/VERSION;
+    src = ./py-webdav;
+    python = "python3";
+    requirements = ''
+      PyNaCl ==1.5.*
+      psycopg ==3.0.*
+      WsgiDAV ==4.0.*
+    '';
+  };
+in {
+  config = {
+    security.pam.services."webdav".text = ''
+      auth requisite  pam_succeed_if.so user ingroup webdav quiet_success
+      auth required   pam_unix.so likeauth nullok nodelay quiet
+      account sufficient pam_unix.so quiet
+    '';
+    users.groups."webdav" = {};
+    
+    services.nginx = {
+      upstreams."py-webdav" = {
+        servers = {
+          "unix://${webdavSocket}" = {};
+        };
+      };
+      
+      virtualHosts."webdav.141.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
+        locations = {
+          "/".extraConfig = ''
+            root /srv/files/$remote_user;            
+            auth_pam "WebDAV";
+            auth_pam_service_name "webdav";
+          '';
+          "/py/".extraConfig = ''
+            rewrite ^/py(.*) $1 break;
+            include ${config.services.nginx.package}/conf/uwsgi_params;
+            uwsgi_param SCRIPT_NAME /py;
+            uwsgi_pass py-webdav;
+          '';
+        };
+        extraConfig = ''
+          dav_methods     PUT DELETE MKCOL COPY MOVE;
+          dav_ext_methods PROPFIND OPTIONS;
+          dav_access      user:rw;
+          autoindex on;
+          client_max_body_size    0;
+          create_full_put_path    on;
+          add_header Strict-Transport-Security "max-age=63072000" always;
+        '';
+      };
+    };
+    security.acme.domains."webdav.141.li" = {
+      certCfg = {
+        postRun = ''
+          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+        '';
+      };
+    };
+    systemd.services.nginx.serviceConfig.LoadCredential = [
+      "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+      "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+      "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+    ];
+    services.uwsgi.instance.vassals.webdav = {
+      type = "normal";
+      socket = webdavSocket;
+      listen = 1024;
+      master = true;
+      vacuum = true;
+      chown-socket = "${config.services.nginx.user}:${config.services.uwsgi.group}";
+      
+      plugins = ["python3"];
+      pythonPackages = self: [webdavApp];
+      module = "webdav";
+      callable = "app";
+    };
+  };
+}

diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix new file mode 100644 index 00000000..f0aec1e9 --- /dev/null +++ b/hosts/surtr/http/webdav/default.nix
@@ -0,0 +1,96 @@
	1	{ config, libs, pkgs, flakeInputs, ... }:
	2	let
	3	webdavSocket = config.services.uwsgi.runDir + "/webdav.sock";
	4
	5	webdavApp = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage {
	6	ignoreDataOutdated = true;
	7	pname = "py-webdav";
	8	version = builtins.readFile ./py-webdav/VERSION;
	9	src = ./py-webdav;
	10	python = "python3";
	11	requirements = ''
	12	PyNaCl ==1.5.*
	13	psycopg ==3.0.*
	14	WsgiDAV ==4.0.*
	15	'';
	16	};
	17	in {
	18	config = {
	19	security.pam.services."webdav".text = ''
	20	auth requisite pam_succeed_if.so user ingroup webdav quiet_success
	21	auth required pam_unix.so likeauth nullok nodelay quiet
	22	account sufficient pam_unix.so quiet
	23	'';
	24	users.groups."webdav" = {};
	25
	26	services.nginx = {
	27	upstreams."py-webdav" = {
	28	servers = {
	29	"unix://${webdavSocket}" = {};
	30	};
	31	};
	32
	33	virtualHosts."webdav.141.li" = {
	34	forceSSL = true;
	35	sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
	36	sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
	37	sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
	38	locations = {
	39	"/".extraConfig = ''
	40	root /srv/files/$remote_user;
	41
	42	auth_pam "WebDAV";
	43	auth_pam_service_name "webdav";
	44	'';
	45
	46	"/py/".extraConfig = ''
	47	rewrite ^/py(.*) $1 break;
	48
	49	include ${config.services.nginx.package}/conf/uwsgi_params;
	50	uwsgi_param SCRIPT_NAME /py;
	51	uwsgi_pass py-webdav;
	52	'';
	53	};
	54	extraConfig = ''
	55	dav_methods PUT DELETE MKCOL COPY MOVE;
	56	dav_ext_methods PROPFIND OPTIONS;
	57	dav_access user:rw;
	58	autoindex on;
	59
	60	client_max_body_size 0;
	61	create_full_put_path on;
	62
	63	add_header Strict-Transport-Security "max-age=63072000" always;
	64	'';
	65	};
	66	};
	67	security.acme.domains."webdav.141.li" = {
	68	certCfg = {
	69	postRun = ''
	70	${pkgs.systemd}/bin/systemctl try-restart nginx.service
	71	'';
	72	};
	73	};
	74
	75	systemd.services.nginx.serviceConfig.LoadCredential = [
	76	"webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
	77	"webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
	78	"webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
	79	];
	80
	81
	82	services.uwsgi.instance.vassals.webdav = {
	83	type = "normal";
	84	socket = webdavSocket;
	85	listen = 1024;
	86	master = true;
	87	vacuum = true;
	88	chown-socket = "${config.services.nginx.user}:${config.services.uwsgi.group}";
	89
	90	plugins = ["python3"];
	91	pythonPackages = self: [webdavApp];
	92	module = "webdav";
	93	callable = "app";
	94	};
	95	};
	96	}