5 files changed, 97 insertions, 6 deletions
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index ffa79bea..be148b05 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
  imports = with flake.nixosModules.systemProfiles; [
    qemu-guest openssh rebuild-machines zfs
-    ./zfs.nix ./dns ./tls.nix
+    ./zfs.nix ./dns ./tls.nix ./http.nix
  ];
  config = {
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index 6f974439..6f319a1c 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2021053001 ; serial
+  2022013100 ; serial
  10800      ; refresh
  3600       ; retry
  604800     ; expire
@@ -27,6 +27,8 @@ surtr			IN	AAAA	2a03:4000:52:ada::
 surtr                   IN      MX      0 ymir.yggdrasil.li
 surtr                   IN      TXT     "v=spf1 redirect=ullr.yggdrasil.li"
+webdav                  IN      CNAME   surtr.yggdrasil.li.
 ymir                    IN      A       188.68.51.254
 ymir                    IN      AAAA    2a03:4000:6:d004::
 ymir                    IN      MX      0 ymir.yggdrasil.li
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
new file mode 100644
index 00000000..fae1e690
--- /dev/null
+++ b/hosts/surtr/http.nix
@@ -0,0 +1,64 @@
+{ config, ... }:
+{
+  config = {
+    services.webdav-server-rs = {
+      enable = true;
+      settings = {
+        server.listen = [ "/run/webdav-server-rs/webdav-server-rs.sock" ];
+        accounts = {
+          auth-type = "pam";
+          acct-type = "unix";
+        };
+        pam = {
+          service = "webdav-server-rs";
+        };
+        location = [
+          {
+            route = [ "/*path" ];
+            methods = [ "all" ];
+            auth = "true";
+            handler = "virtroot";
+            setuid = true;
+            directory = "/srv/files";
+          }
+        ];
+      };
+    };
+    systemd.services.webdav-server-rs = {
+      serviceConfig = {
+        RuntimeDirectory = "webdav-server-rs";
+        RuntimeDirectoryMode = "0755";
+      };
+    };
+    security.pam.services."webdav-server-rs".text = ''
+      auth requisite  pam_succeed_if.so user ingroup webdav
+      auth required   pam_unix.so audit likeauth nullok nodelay
+      account sufficient pam_unix.so
+    '';
+    users.groups."webdav" = {};
+    
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      commonHttpConfig = ''
+        ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+      '';
+      upstreams.webdav = {
+        servers = { "unix:/run/webdav-server-rs/webdav-server-rs.sock" = {}; };
+      };
+      virtualHosts = {
+        "webdav.141.li" = {
+          forceSSL = true;
+          sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
+          sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
+          locations."/" = {
+            proxyPass = "http://webdav/";
+          };
+        };
+      };
+    };
+    security.acme.domains."webdav.141.li" = {};
+  };
+}
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 6a1d6f84..704941e2 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -3,6 +3,7 @@
 with lib;
 let
+  cfg = config.security.acme;
  knotCfg = config.services.knot;
  
  knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
@@ -45,9 +46,27 @@ let
    commited=yes
  '';
  
-  domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"];
+  domainOptions = {
+    options = {
+      wildcard = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+  };
 in {
+  options = {
+    security.acme = {
+      domains = mkOption {
+        type = types.attrsOf (types.submodule domainOptions);
+        default = {};
+      };
+    };
+  };
+  
  config = {
+    security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; });
+    
    fileSystems."/var/lib/acme" =
      { device = "surtr/safe/var-lib-acme";
        fsType = "zfs";
@@ -61,13 +80,13 @@ in {
        let
          domainAttrset = domain: {
            inherit domain;
-            extraDomainNames = [ "*.${domain}" ];
+            extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
            dnsProvider = "exec";
            credentialsFile = knotDNSCredentials domain;
            dnsResolver = "1.1.1.1:53";
            keyType = "rsa4096"; # we don't like NIST curves
          };
-        in genAttrs domains domainAttrset;
+        in genAttrs (attrNames cfg.domains) domainAttrset;
    };
    systemd.services =
@@ -81,6 +100,6 @@ in {
            RestrictAddressFamilies = ["AF_UNIX"];
          };
        };
-      in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset);
+      in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
  };
 }
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix
index 3cbd0cf0..88634867 100644
--- a/hosts/surtr/zfs.nix
+++ b/hosts/surtr/zfs.nix
@@ -61,6 +61,12 @@ in {
        { device = "surtr/safe/home";
          fsType = "zfs";
        };
+      "/srv" =
+        { device = "surtr/safe/srv";
+          fsType = "zfs";
+          options = [ "zfsutil" ];
+        };
    };
    systemd.services =

diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index ffa79bea..be148b05 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
2	{	2	{
3	imports = with flake.nixosModules.systemProfiles; [	3	imports = with flake.nixosModules.systemProfiles; [
4	qemu-guest openssh rebuild-machines zfs	4	qemu-guest openssh rebuild-machines zfs
5	./zfs.nix ./dns ./tls.nix	5	./zfs.nix ./dns ./tls.nix ./http.nix
6	];	6	];
7		7
8	config = {	8	config = {


diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa index 6f974439..6f319a1c 100644 --- a/hosts/surtr/dns/zones/li.141.soa +++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
1	$ORIGIN 141.li.	1	$ORIGIN 141.li.
2	$TTL 3600	2	$TTL 3600
3	@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (	3	@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
4	2021053001 ; serial	4	2022013100 ; serial
5	10800 ; refresh	5	10800 ; refresh
6	3600 ; retry	6	3600 ; retry
7	604800 ; expire	7	604800 ; expire
@@ -27,6 +27,8 @@ surtr IN AAAA 2a03:4000:52:ada::
27	surtr IN MX 0 ymir.yggdrasil.li	27	surtr IN MX 0 ymir.yggdrasil.li
28	surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"	28	surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
29		29
		30	webdav IN CNAME surtr.yggdrasil.li.
		31
30	ymir IN A 188.68.51.254	32	ymir IN A 188.68.51.254
31	ymir IN AAAA 2a03:4000:6:d004::	33	ymir IN AAAA 2a03:4000:6:d004::
32	ymir IN MX 0 ymir.yggdrasil.li	34	ymir IN MX 0 ymir.yggdrasil.li


diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix new file mode 100644 index 00000000..fae1e690 --- /dev/null +++ b/hosts/surtr/http.nix
@@ -0,0 +1,64 @@
		1	{ config, ... }:
		2	{
		3	config = {
		4	services.webdav-server-rs = {
		5	enable = true;
		6	settings = {
		7	server.listen = [ "/run/webdav-server-rs/webdav-server-rs.sock" ];
		8	accounts = {
		9	auth-type = "pam";
		10	acct-type = "unix";
		11	};
		12	pam = {
		13	service = "webdav-server-rs";
		14	};
		15	location = [
		16	{
		17	route = [ "/*path" ];
		18	methods = [ "all" ];
		19	auth = "true";
		20	handler = "virtroot";
		21	setuid = true;
		22	directory = "/srv/files";
		23	}
		24	];
		25	};
		26	};
		27	systemd.services.webdav-server-rs = {
		28	serviceConfig = {
		29	RuntimeDirectory = "webdav-server-rs";
		30	RuntimeDirectoryMode = "0755";
		31	};
		32	};
		33	security.pam.services."webdav-server-rs".text = ''
		34	auth requisite pam_succeed_if.so user ingroup webdav
		35	auth required pam_unix.so audit likeauth nullok nodelay
		36	account sufficient pam_unix.so
		37	'';
		38	users.groups."webdav" = {};
		39
		40	services.nginx = {
		41	enable = true;
		42	recommendedGzipSettings = true;
		43	recommendedProxySettings = true;
		44	recommendedTlsSettings = true;
		45	commonHttpConfig = ''
		46	ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
		47	'';
		48	upstreams.webdav = {
		49	servers = { "unix:/run/webdav-server-rs/webdav-server-rs.sock" = {}; };
		50	};
		51	virtualHosts = {
		52	"webdav.141.li" = {
		53	forceSSL = true;
		54	sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
		55	sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
		56	locations."/" = {
		57	proxyPass = "http://webdav/";
		58	};
		59	};
		60	};
		61	};
		62	security.acme.domains."webdav.141.li" = {};
		63	};
		64	}


diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix index 6a1d6f84..704941e2 100644 --- a/hosts/surtr/tls.nix +++ b/hosts/surtr/tls.nix
@@ -3,6 +3,7 @@
3	with lib;	3	with lib;
4		4
5	let	5	let
		6	cfg = config.security.acme;
6	knotCfg = config.services.knot;	7	knotCfg = config.services.knot;
7		8
8	knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''	9	knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
@@ -45,9 +46,27 @@ let
45	commited=yes	46	commited=yes
46	'';	47	'';
47		48
48	domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"];	49	domainOptions = {
		50	options = {
		51	wildcard = mkOption {
		52	type = types.bool;
		53	default = false;
		54	};
		55	};
		56	};
49	in {	57	in {
		58	options = {
		59	security.acme = {
		60	domains = mkOption {
		61	type = types.attrsOf (types.submodule domainOptions);
		62	default = {};
		63	};
		64	};
		65	};
		66
50	config = {	67	config = {
		68	security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; });
		69
51	fileSystems."/var/lib/acme" =	70	fileSystems."/var/lib/acme" =
52	{ device = "surtr/safe/var-lib-acme";	71	{ device = "surtr/safe/var-lib-acme";
53	fsType = "zfs";	72	fsType = "zfs";
@@ -61,13 +80,13 @@ in {
61	let	80	let
62	domainAttrset = domain: {	81	domainAttrset = domain: {
63	inherit domain;	82	inherit domain;
64	extraDomainNames = [ "*.${domain}" ];	83	extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
65	dnsProvider = "exec";	84	dnsProvider = "exec";
66	credentialsFile = knotDNSCredentials domain;	85	credentialsFile = knotDNSCredentials domain;
67	dnsResolver = "1.1.1.1:53";	86	dnsResolver = "1.1.1.1:53";
68	keyType = "rsa4096"; # we don't like NIST curves	87	keyType = "rsa4096"; # we don't like NIST curves
69	};	88	};
70	in genAttrs domains domainAttrset;	89	in genAttrs (attrNames cfg.domains) domainAttrset;
71	};	90	};
72		91
73	systemd.services =	92	systemd.services =
@@ -81,6 +100,6 @@ in {
81	RestrictAddressFamilies = ["AF_UNIX"];	100	RestrictAddressFamilies = ["AF_UNIX"];
82	};	101	};
83	};	102	};
84	in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset);	103	in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
85	};	104	};
86	}	105	}


diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix index 3cbd0cf0..88634867 100644 --- a/hosts/surtr/zfs.nix +++ b/hosts/surtr/zfs.nix
@@ -61,6 +61,12 @@ in {
61	{ device = "surtr/safe/home";	61	{ device = "surtr/safe/home";
62	fsType = "zfs";	62	fsType = "zfs";
63	};	63	};
		64
		65	"/srv" =
		66	{ device = "surtr/safe/srv";
		67	fsType = "zfs";
		68	options = [ "zfsutil" ];
		69	};
64	};	70	};
65		71
66	systemd.services =	72	systemd.services =