From 75b43f4af0e9aafae43d49aa99d0bb17e05082fd Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Mon, 31 Jan 2022 18:40:51 +0100 Subject: ... --- hosts/surtr/http.nix | 56 ++++++++++++++++++++-------------------------------- 1 file changed, 21 insertions(+), 35 deletions(-) diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix index e7648e80..b1af31b8 100644 --- a/hosts/surtr/http.nix +++ b/hosts/surtr/http.nix @@ -1,35 +1,7 @@ { config, lib, pkgs, ... }: { config = { - services.webdav-server-rs = { - enable = true; - settings = { - server.listen = [ "127.0.0.1:4918" ]; - accounts = { - auth-type = "pam"; - acct-type = "unix"; - }; - pam = { - service = "webdav-server-rs"; - }; - location = [ - { - route = [ "/*path" ]; - auth = "true"; - handler = "filesystem"; - setuid = true; - directory = "/srv/files"; - } - ]; - }; - }; - systemd.services.webdav-server-rs = { - serviceConfig = { - RuntimeDirectory = "webdav-server-rs"; - RuntimeDirectoryMode = "0755"; - }; - }; - security.pam.services."webdav-server-rs".text = '' + security.pam.services."webdav".text = '' auth requisite pam_succeed_if.so user ingroup webdav auth required pam_unix.so audit likeauth nullok nodelay account sufficient pam_unix.so 
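Review bot: The PAM stack kept under the new name `webdav` still carries `nullok` on its `pam_unix.so` auth line, and it is now evaluated inside nginx for each HTTPS Basic-auth request. An account in group `webdav` with an empty password field would therefore be accepted with an empty password. The flag is not changed by this commit, but since the service definition is being renamed anyway this is a good moment to drop it: `auth required pam_unix.so audit likeauth nodelay`. `nodelay` also removes the failure delay, so password guessing is not slowed at the PAM layer unless something else throttles it. The stack continues past the end of the hunk, so its remaining lines are not covered here.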
@@ -44,20 +16,32 @@ commonHttpConfig = '' ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; ''; - upstreams.webdav = { - servers = { "127.0.0.1:4918" = {}; }; - }; + additionalModules = with pkgs.nginxModules; [ dav pam ]; virtualHosts = { "webdav.141.li" = { forceSSL = true; sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem"; sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem"; - locations."/" = { - proxyPass = "http://webdav/"; - }; + locations."/".extraConfig = '' + root /srv/files/$remote_user; + + auth_pam "WebDAV"; + auth_pam_service_name "webdav"; + ''; + extraConfig = '' + dav_methods PUT DELETE MKCOL COPY MOVE; + dav_ext_methods PROPFIND OPTIONS; + dav_access user:rw; + autoindex on; + + client_body_temp_path /run/nginx/client-bodies; + client_max_body_size 0; + create_full_put_path on; + ''; }; }; }; + users.users."nginx".extraGroups = [ "shadow" ]; security.acme.domains."webdav.141.li" = { zone = "141.li"; certCfg = { @@ -74,6 +58,8 @@ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem" ]; + RuntimeDirectory = "nginx/client-bodies"; + RuntimeDirectoryMode = "0700"; }; }; }; -- cgit v1.2.3
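Review bot: `users.users."nginx".extraGroups = [ "shadow" ];` lets the internet-facing nginx process read every local password hash. With the old `setuid = true` handler gone, all DAV file operations presumably run as the nginx user, so separation between accounts rests only on `root /srv/files/$remote_user;`. That trade-off deserves a comment next to the group assignment, for example `# auth_pam runs pam_unix inside nginx, which needs read access to /etc/shadow; a compromised worker can read all local hashes`. Separately, `auth_pam` is set only in `locations."/"` while `dav_methods PUT DELETE MKCOL COPY MOVE;` applies to the whole virtual host. Moving `auth_pam "WebDAV";` and `auth_pam_service_name "webdav";` into the server-level `extraConfig` would keep any location added later from accepting writes without authentication.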
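Review bot: `RuntimeDirectory = "nginx/client-bodies";` places the upload spool under `/run`, which is normally a memory-backed tmpfs, while the previous hunk sets `client_max_body_size 0;`. Any authenticated user can therefore push an arbitrarily large PUT into RAM/swap before it reaches `/srv/files`. The spool would be safer on the same filesystem as the DAV root with a finite cap, e.g. `client_body_temp_path <SPOOL_DIR_ON_SRV_FILES_FILESYSTEM>;` and `client_max_body_size <LIMIT>;` (placeholders). That also lets nginx finish a PUT with a rename instead of a cross-filesystem copy. The `0700` mode is a sensible choice for this directory. The enclosing `serviceConfig` block starts outside the hunk.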