{ config, lib, pkgs, ... }: { config = { services.webdav-server-rs = { enable = true; settings = { server.listen = [ "127.0.0.1:4918" ]; accounts = { auth-type = "pam"; acct-type = "unix"; }; pam = { service = "webdav-server-rs"; }; location = [ { route = [ "/*path" ]; auth = "true"; handler = "filesystem"; setuid = true; directory = "/srv/files"; } ]; }; }; systemd.services.webdav-server-rs = { serviceConfig = { RuntimeDirectory = "webdav-server-rs"; RuntimeDirectoryMode = "0755"; }; }; security.pam.services."webdav-server-rs".text = '' auth requisite pam_succeed_if.so user ingroup webdav auth required pam_unix.so audit likeauth nullok nodelay account sufficient pam_unix.so ''; users.groups."webdav" = {}; services.nginx = { enable = true; recommendedGzipSettings = true; recommendedProxySettings = true; recommendedTlsSettings = true; commonHttpConfig = '' ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; ''; upstreams.webdav = { servers = { "127.0.0.1:4918" = {}; }; }; virtualHosts = { "webdav.141.li" = { forceSSL = true; sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem"; sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem"; locations."/" = { proxyPass = "http://webdav/"; }; }; }; }; security.acme.domains."webdav.141.li" = { zone = "141.li"; certCfg = { postRun = '' ${pkgs.systemd}/bin/systemctl try-restart nginx.service ''; }; }; systemd.services.nginx = { preStart = lib.mkForce config.services.nginx.preStart; serviceConfig = { LoadCredential = [ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem" ]; }; }; }; }