From ffac1727b92167ca6847b7ae3adc71f091d8048f Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 10 Jul 2022 11:51:34 +0200
Subject: ...
---
 hosts/surtr/http.nix | 99 ----------------------------------------------------
 1 file changed, 99 deletions(-)
 delete mode 100644 hosts/surtr/http.nix
(limited to 'hosts/surtr/http.nix')
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
deleted file mode 100644
index af27f178..00000000
--- a/hosts/surtr/http.nix
+++ /dev/null
@@ -1,99 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- config = {
- security.pam.services."webdav".text = ''
- auth requisite pam_succeed_if.so user ingroup webdav quiet_success
- auth required pam_unix.so likeauth nullok nodelay quiet
- account sufficient pam_unix.so quiet
- '';
- users.groups."webdav" = {};
-
- services.nginx = {
- enable = true;
- # package = pkgs.nginxQuic;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- sslDhparam = config.security.dhparams.params.nginx.path;
- commonHttpConfig = ''
- ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
-
- log_format main
- '$remote_addr "$remote_user" '
- '"$host" "$request" $status $bytes_sent '
- '"$http_referer" "$http_user_agent" '
- '$gzip_ratio';
-
- access_log syslog:server=unix:/dev/log main;
- error_log syslog:server=unix:/dev/log info;
-
- client_body_temp_path /run/nginx-client-bodies;
- '';
- additionalModules = with pkgs.nginxModules; [ dav pam ];
- virtualHosts = {
- "webdav.141.li" = {
- forceSSL = true;
- sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
- sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
- sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
- locations."/".extraConfig = ''
- root /srv/files/$remote_user;
-
- auth_pam "WebDAV";
- auth_pam_service_name "webdav";
- '';
- extraConfig = ''
- dav_methods PUT DELETE MKCOL COPY MOVE;
- dav_ext_methods PROPFIND OPTIONS;
- dav_access user:rw;
- autoindex on;
-
- client_max_body_size 0;
- create_full_put_path on;
-
- add_header Strict-Transport-Security "max-age=63072000" always;
- '';
- };
- };
- };
- security.acme.domains."webdav.141.li" = {
- zone = "141.li";
- certCfg = {
- postRun = ''
- ${pkgs.systemd}/bin/systemctl try-restart nginx.service
- '';
- };
- };
- systemd.services.nginx = {
- preStart = lib.mkForce config.services.nginx.preStart;
- serviceConfig = {
- SupplementaryGroups = [ "shadow" ];
- ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
- LoadCredential = [
- "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
- "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
- "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
- ];
- RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
- RuntimeDirectoryMode = "0750";
-
- NoNewPrivileges = lib.mkForce false;
- PrivateDevices = lib.mkForce false;
- ProtectHostname = lib.mkForce false;
- ProtectKernelTunables = lib.mkForce false;
- ProtectKernelModules = lib.mkForce false;
- RestrictAddressFamilies = lib.mkForce [ ];
- LockPersonality = lib.mkForce false;
- MemoryDenyWriteExecute = lib.mkForce false;
- RestrictRealtime = lib.mkForce false;
- RestrictSUIDSGID = lib.mkForce false;
- SystemCallArchitectures = lib.mkForce "";
- ProtectClock = lib.mkForce false;
- ProtectKernelLogs = lib.mkForce false;
- RestrictNamespaces = lib.mkForce false;
- SystemCallFilter = lib.mkForce "";
- ReadWritePaths = [ "/srv/files" ];
- };
- };
- };
-}
-- cgit v1.2.3