From 01e8a4dd21c98dadc2ddc698412c2ea51566b43e Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 17 Aug 2024 15:24:06 +0200 Subject: ... --- hosts/surtr/etebase/default.nix | 2 +- hosts/surtr/http/default.nix | 3 +-- hosts/surtr/http/webdav/default.nix | 11 +---------- 3 files changed, 3 insertions(+), 13 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/etebase/default.nix b/hosts/surtr/etebase/default.nix index 3b0bd9d3..ddcd01a1 100644 --- a/hosts/surtr/etebase/default.nix +++ b/hosts/surtr/etebase/default.nix @@ -97,7 +97,7 @@ systemd.services.nginx = { serviceConfig = { - ReadPaths = [ + ReadOnlyPaths = [ config.services.etebase-server.settings.global.static_root pkgs.etesync-web ]; diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix index c70eb8f8..f3a7154e 100644 --- a/hosts/surtr/http/default.nix +++ b/hosts/surtr/http/default.nix @@ -8,7 +8,7 @@ services.nginx = { enable = true; package = pkgs.nginxQuic; - recommendedGzipSettings = true; + recommendedGzipSettings = false; recommendedProxySettings = true; recommendedTlsSettings = true; sslDhparam = config.security.dhparams.params.nginx.path; @@ -35,7 +35,6 @@ systemd.services.nginx = { preStart = lib.mkForce config.services.nginx.preStart; serviceConfig = { - SupplementaryGroups = [ "shadow" ]; ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" "nginx-proxy-bodies" ]; RuntimeDirectoryMode = "0750"; diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix index f94935ee..24bc5866 100644 --- a/hosts/surtr/http/webdav/default.nix +++ b/hosts/surtr/http/webdav/default.nix 
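Review bot: `ReadOnlyPaths` in the etebase hunk only takes away write access to the listed paths inside the nginx unit's mount namespace; it does not make a path readable that file permissions or another sandboxing option hide. If the list was meant to let nginx reach `static_root`, that likely needs `BindReadOnlyPaths = [ ... ];` or group access on the directory instead. If it is meant purely as hardening, a comment such as `# static assets only, nginx must never write here` would record the intent. The rest of `serviceConfig` lies outside the hunk, so which case applies cannot be confirmed from here.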
@@ -20,13 +20,6 @@ let }; in { config = { - security.pam.services."webdav".text = '' - auth requisite pam_succeed_if.so user ingroup webdav quiet_success - auth required pam_unix.so likeauth nullok nodelay quiet - account sufficient pam_unix.so quiet - ''; - users.groups."webdav" = {}; - services.nginx = { # upstreams."py-webdav" = { # servers = { @@ -44,9 +37,6 @@ in { locations = { "/".extraConfig = '' root /srv/files/$remote_user; - - auth_pam "WebDAV"; - auth_pam_service_name "webdav"; ''; # "/py/".extraConfig = '' @@ -68,6 +58,7 @@ in { add_header Strict-Transport-Security "max-age=63072000" always; ''; + basicAuthFile = pkgs.writeText "htpasswd" (concatMapStringsSep "\n" (user: "${user}:${config.users.users.${user}.hashedPassword}") ["gkleen"]); }; }; security.acme.rfc2136Domains."webdav.141.li" = { -- cgit v1.2.3
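Review bot: `pkgs.writeText "htpasswd"` in the last webdav hunk copies the `hashedPassword` of `gkleen` into the Nix store, where every local user and service on the host can read it and where it travels with the system closure to any machine or cache it is copied to. The removed PAM setup kept that hash behind the `shadow` group, so this widens who can take it for offline guessing, and it ties the WebDAV credential to the system login. I would point the option at a file provisioned at runtime and readable only by nginx, holding a separate WebDAV-only password: `basicAuthFile = "<RUNTIME_HTPASSWD_PATH>";` (placeholder path, to be filled by whatever secret mechanism the repository already uses). Evaluation presumably also breaks if a listed user has no `hashedPassword` set, for example when the account uses a password file, so a guard or assertion on that would help if the store-based file is kept.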