{ config, lib, pkgs, ... }: { config = { security.pam.services."webdav".text = '' auth requisite pam_succeed_if.so user ingroup webdav auth required pam_unix.so audit likeauth nullok nodelay account sufficient pam_unix.so ''; users.groups."webdav" = {}; services.nginx = { enable = true; recommendedGzipSettings = true; recommendedProxySettings = true; recommendedTlsSettings = true; commonHttpConfig = '' ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; ''; additionalModules = with pkgs.nginxModules; [ dav pam ]; virtualHosts = { "webdav.141.li" = { forceSSL = true; sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem"; sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem"; locations."/".extraConfig = '' root /srv/files/$remote_user; auth_pam "WebDAV"; auth_pam_service_name "webdav"; ''; extraConfig = '' dav_methods PUT DELETE MKCOL COPY MOVE; dav_ext_methods PROPFIND OPTIONS; dav_access user:rw; autoindex on; client_body_temp_path /run/nginx/client-bodies; client_max_body_size 0; create_full_put_path on; ''; }; }; }; users.users."nginx".extraGroups = [ "shadow" ]; security.acme.domains."webdav.141.li" = { zone = "141.li"; certCfg = { postRun = '' ${pkgs.systemd}/bin/systemctl try-restart nginx.service ''; }; }; systemd.services.nginx = { preStart = lib.mkForce config.services.nginx.preStart; serviceConfig = { ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; LoadCredential = [ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem" ]; RuntimeDirectory = lib.mkForce [ "nginx" "nginx/client-bodies" ]; RuntimeDirectoryMode = "0700"; }; }; }; }