From 0f4bd1da4ce2990e95ff77ff872c98b06b039323 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 31 Jan 2022 16:44:57 +0100
Subject: surtr: webdav
---
hosts/surtr/http.nix | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 hosts/surtr/http.nix
(limited to 'hosts/surtr/http.nix')
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
new file mode 100644
index 00000000..fae1e690
--- /dev/null
+++ b/hosts/surtr/http.nix
@@ -0,0 +1,64 @@
+{ config, ... }:
+{
+ config = {
+ services.webdav-server-rs = {
+ enable = true;
+ settings = {
+ server.listen = [ "/run/webdav-server-rs/webdav-server-rs.sock" ];
+ accounts = {
+ auth-type = "pam";
+ acct-type = "unix";
+ };
+ pam = {
+ service = "webdav-server-rs";
+ };
+ location = [
+ {
+ route = [ "/*path" ];
+ methods = [ "all" ];
+ auth = "true";
+ handler = "virtroot";
+ setuid = true;
+ directory = "/srv/files";
+ }
+ ];
+ };
+ };
+ systemd.services.webdav-server-rs = {
+ serviceConfig = {
+ RuntimeDirectory = "webdav-server-rs";
+ RuntimeDirectoryMode = "0755";
+ };
+ };
+ security.pam.services."webdav-server-rs".text = ''
+ auth requisite pam_succeed_if.so user ingroup webdav
+ auth required pam_unix.so audit likeauth nullok nodelay
+ account sufficient pam_unix.so
+ '';
+ users.groups."webdav" = {};
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ commonHttpConfig = ''
+ ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
+ '';
+ upstreams.webdav = {
+ servers = { "unix:/run/webdav-server-rs/webdav-server-rs.sock" = {}; };
+ };
+ virtualHosts = {
+ "webdav.141.li" = {
+ forceSSL = true;
+ sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
+ sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
+ locations."/" = {
+ proxyPass = "http://webdav/";
+ };
+ };
+ };
+ };
+ security.acme.domains."webdav.141.li" = {};
+ };
+}
-- cgit v1.2.3
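Review bot: The `auth required pam_unix.so audit likeauth nullok nodelay` line in the PAM stack for `webdav-server-rs` weakens password checking on a service that nginx publishes at `webdav.141.li`: `nullok` lets a member of the `webdav` group whose password field is empty authenticate, and `nodelay` removes the pause after a failed attempt, so password guessing against unix accounts over HTTPS is not slowed down. Because the location sets `setuid = true`, a successful login presumably acts with that unix account's own file permissions under `/srv/files`, which raises the cost of a weak or empty password. I would write the line as `auth required pam_unix.so audit likeauth` and, unless throttling is handled elsewhere (nothing in this file shows it), add request limiting on the nginx `locations."/"` block. `account sufficient pam_unix.so` is the only account rule in the stack; `account required pam_unix.so` states the intent more plainly.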