From 0f4bd1da4ce2990e95ff77ff872c98b06b039323 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 31 Jan 2022 16:44:57 +0100
Subject: surtr: webdav

---
 accounts/mherold@surtr.nix | 7 ++++-
 hosts/surtr/default.nix | 2 +-
 hosts/surtr/dns/zones/li.141.soa | 4 ++-
 hosts/surtr/http.nix | 64 ++++++++++++++++++++++++++++++++++++++++
 hosts/surtr/tls.nix | 27 ++++++++++++++---
 hosts/surtr/zfs.nix | 6 ++++
 users/gkleen/default.nix | 2 +-
 7 files changed, 104 insertions(+), 8 deletions(-)
 create mode 100644 hosts/surtr/http.nix

diff --git a/accounts/mherold@surtr.nix b/accounts/mherold@surtr.nix
index 64629674..ba41d65f 100644
--- a/accounts/mherold@surtr.nix
+++ b/accounts/mherold@surtr.nix
@@ -1 +1,6 @@
-{...}: {}
+{ userName, ... }:
+{
+ users.users.${userName} = {
+ extraGroups = ["webdav"];
+ };
+}
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index ffa79bea..be148b05 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
 imports = with flake.nixosModules.systemProfiles; [
 qemu-guest openssh rebuild-machines zfs
- ./zfs.nix ./dns ./tls.nix
+ ./zfs.nix ./dns ./tls.nix ./http.nix
 ];
 config = {
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
index 6f974439..6f319a1c 100644
--- a/hosts/surtr/dns/zones/li.141.soa
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -1,7 +1,7 @@
 $ORIGIN 141.li.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2021053001 ; serial
+ 2022013100 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -27,6 +27,8 @@ surtr IN AAAA 2a03:4000:52:ada::
 surtr IN MX 0 ymir.yggdrasil.li
 surtr IN TXT "v=spf1 redirect=ullr.yggdrasil.li"
+webdav IN CNAME surtr.yggdrasil.li.
+
 ymir IN A 188.68.51.254
 ymir IN AAAA 2a03:4000:6:d004::
 ymir IN MX 0 ymir.yggdrasil.li
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
new file mode 100644
index 00000000..fae1e690
--- /dev/null
+++ b/hosts/surtr/http.nix
@@ -0,0 +1,64 @@
+{ config, ... }:
+{
+ config = {
+ services.webdav-server-rs = {
+ enable = true;
+ settings = {
+ server.listen = [ "/run/webdav-server-rs/webdav-server-rs.sock" ];
+ accounts = {
+ auth-type = "pam";
+ acct-type = "unix";
+ };
+ pam = {
+ service = "webdav-server-rs";
+ };
+ location = [
+ {
+ route = [ "/*path" ];
+ methods = [ "all" ];
+ auth = "true";
+ handler = "virtroot";
+ setuid = true;
+ directory = "/srv/files";
+ }
+ ];
+ };
+ };
+ systemd.services.webdav-server-rs = {
+ serviceConfig = {
+ RuntimeDirectory = "webdav-server-rs";
+ RuntimeDirectoryMode = "0755";
+ };
+ };
+ security.pam.services."webdav-server-rs".text = ''
+ auth requisite pam_succeed_if.so user ingroup webdav
+ auth required pam_unix.so audit likeauth nullok nodelay
+ account sufficient pam_unix.so
+ '';
+ users.groups."webdav" = {};
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ commonHttpConfig = ''
+ ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+ '';
+ upstreams.webdav = {
+ servers = { "unix:/run/webdav-server-rs/webdav-server-rs.sock" = {}; };
+ };
+ virtualHosts = {
+ "webdav.141.li" = {
+ forceSSL = true;
+ sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
+ sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
+ locations."/" = {
+ proxyPass = "http://webdav/";
+ };
+ };
+ };
+ };
+ security.acme.domains."webdav.141.li" = {};
+ };
+}
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 6a1d6f84..704941e2 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -3,6 +3,7 @@ with lib;
 let
+ cfg = config.security.acme;
 knotCfg = config.services.knot;
 knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
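Review bot: The PAM stack under `security.pam.services."webdav-server-rs".text` passes `nullok` to `pam_unix.so`, so any account in the `webdav` group whose password field is empty would authenticate to this Internet-facing vhost; unless empty-password accounts are intended here, the line should read `auth required pam_unix.so audit likeauth nodelay`. The location entry uses `setuid = true` against `directory = "/srv/files"`, but nothing in the commit creates that directory or fixes its owner and mode (zfs.nix only mounts `/srv`), so the first request after deploy either fails or depends on a hand-made directory whose permissions may not match the group-based access model; a `systemd.tmpfiles.rules` entry (for example `"d /srv/files 2770 root webdav -"`, constructed here) would make it reproducible. nginx connects to the socket inside a `RuntimeDirectoryMode = "0755"` directory, but the socket's own mode and the nginx user's ability to connect are not set anywhere in this file, so presumably the webdav-server-rs defaults are relied on — worth confirming on the host. `recommendedProxySettings` forwards `X-Forwarded-Proto`, yet WebDAV `COPY`/`MOVE` carry an absolute `https://` URL in `Destination` while the upstream speaks plain HTTP; whether webdav-server-rs rewrites that from the forwarded headers is not visible here and should be tested before the share is used.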
@@ -45,9 +46,27 @@ let
 commited=yes
 '';
- domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"];
+ domainOptions = {
+ options = {
+ wildcard = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ };
+ };
 in {
+ options = {
+ security.acme = {
+ domains = mkOption {
+ type = types.attrsOf (types.submodule domainOptions);
+ default = {};
+ };
+ };
+ };
+
 config = {
+ security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; });
+
 fileSystems."/var/lib/acme" = {
 device = "surtr/safe/var-lib-acme";
 fsType = "zfs";
@@ -61,13 +80,13 @@ in {
 let
 domainAttrset = domain: {
 inherit domain;
- extraDomainNames = [ "*.${domain}" ];
+ extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
 dnsProvider = "exec";
 credentialsFile = knotDNSCredentials domain;
 dnsResolver = "1.1.1.1:53";
 keyType = "rsa4096"; # we don't like NIST curves
 };
- in genAttrs domains domainAttrset;
+ in genAttrs (attrNames cfg.domains) domainAttrset;
 };
 systemd.services =
@@ -81,6 +100,6 @@ in {
 RestrictAddressFamilies = ["AF_UNIX"];
 };
 };
- in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset);
+ in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
 };
 }
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix
index 3cbd0cf0..88634867 100644
--- a/hosts/surtr/zfs.nix
+++ b/hosts/surtr/zfs.nix
@@ -61,6 +61,12 @@ in {
 { device = "surtr/safe/home";
 fsType = "zfs";
 };
+
+ "/srv" =
+ { device = "surtr/safe/srv";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
 };
 systemd.services =
diff --git a/users/gkleen/default.nix b/users/gkleen/default.nix
index 7cf00b89..9ae2c1d0 100644
--- a/users/gkleen/default.nix
+++ b/users/gkleen/default.nix
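Review bot: In the certs hunk, `credentialsFile = knotDNSCredentials domain` is now also evaluated for the new non-wildcard entry `webdav.141.li` (declared in http.nix), and the zone-file change in this same commit shows that name is a CNAME record inside the `141.li` zone rather than a zone of its own, so the knot DNS-01 hook is handed a name it presumably cannot update; since the existing `141.li` entry keeps `wildcard = true` and `*.141.li` already covers `webdav.141.li`, the separate certificate looks redundant, and if it is intended a comment on the `webdav.141.li` entry saying why would prevent the next reader from "fixing" it. Both new `mkOption` declarations (`wildcard` and `security.acme.domains`) lack a `description`, and `security.acme.domains` sits inside the upstream `security.acme` namespace where a future NixOS option of the same name would collide; something like `description = "Domains to obtain certificates for via knot DNS-01; wildcard adds *.<domain> as a SAN.";` plus a site-specific option prefix would make the intent durable. The last hunk switches the hardened unit list to `attrNames config.security.acme.certs` while the preceding hunk uses the `cfg` alias introduced earlier in the file; `cfg.certs` would be consistent. The enclosing `let … in { … }` spans all of these hunks, so the `domainOptions` binding and the `options`/`config` attribute sets begin and end outside the individual hunks.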
@@ -6,7 +6,7 @@ users.users.${userName} = {
 description = "Gregor Kleen";
- extraGroups = [ "wheel" "networkmanager" "lp" "dialout" "audio" "video" "xmpp" "mail" "ssh" "vboxusers" "libvirtd" "wireshark" "games"];
+ extraGroups = [ "wheel" "networkmanager" "lp" "dialout" "audio" "video" "xmpp" "mail" "ssh" "vboxusers" "libvirtd" "wireshark" "games" "webdav"];
 createHome = true;
 home = "/home/${userName}";
 shell = "${pkgs.zsh}/bin/zsh";
--
cgit v1.2.3