From 096dd7772680dd7c3eab6fa2ad15ca2cfab12082 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Madeleine=20Sydney=20=C5=9Alaga?= Date: Sat, 31 Jan 2026 16:23:04 -0700 Subject: [PATCH] feat(copyparty,authelia): personal storage & webDAV --- modules/nixos/deertopia/authelia.nix | 19 ++++++++-- modules/nixos/deertopia/copyparty.nix | 5 +++ modules/nixos/deertopia/copyparty/vault.nix | 41 +++++++++++++++++++++ modules/nixos/deertopia/webdav.nix | 2 + 4 files changed, 64 insertions(+), 3 deletions(-) create mode 100644 modules/nixos/deertopia/copyparty/vault.nix diff --git a/modules/nixos/deertopia/authelia.nix b/modules/nixos/deertopia/authelia.nix index f7aef66..81820b9 100644 --- a/modules/nixos/deertopia/authelia.nix +++ b/modules/nixos/deertopia/authelia.nix @@ -65,9 +65,22 @@ in { server = { address = "tcp://:${builtins.toString cfg.httpPort}"; # asset_path = "${authelia-state-dir}/assets"; - # Necessary for Nginx integration. No, I do not understand what it - # does. - endpoints.authz.auth-request.implementation = "AuthRequest"; + endpoints.authz = { + # Necessary for Nginx integration. No, I do not understand what it + # does. + auth-request = { + implementation = "AuthRequest"; + authn_strategies = [ + { + name = "HeaderAuthorization"; + schemes = [ "Basic" ]; + } + { + name = "CookieSession"; + } + ]; + }; + }; }; authentication_backend = let base-dn = config.services.lldap.settings.ldap_base_dn; diff --git a/modules/nixos/deertopia/copyparty.nix b/modules/nixos/deertopia/copyparty.nix index 6a1f014..48a8dbd 100644 --- a/modules/nixos/deertopia/copyparty.nix +++ b/modules/nixos/deertopia/copyparty.nix @@ -13,8 +13,13 @@ in { }; }; + imports = [ ./copyparty/vault.nix ]; + config = lib.mkIf cfg.enable { + sydnix.deertopia.copyparty.vault.enable = true; + sydnix.impermanence.directories = [ + "/var/lib/copyparty" ]; nixpkgs.overlays = [ inputs.copyparty.overlays.default ]; 
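Review bot: The `authn_strategies` added to `auth-request` make the shared nginx forward-auth endpoint accept `Authorization: Basic` credentials, and since every nginx location that forward-auths through Authelia presumably hits this same endpoint, password-only requests are now honoured for all of those services, not only the WebDAV path that motivated the change (whether Authelia's defaults for `AuthRequest` already included `HeaderAuthorization` is worth checking, but the explicit config now commits to it). A narrower shape is to keep `auth-request` cookie-only and add a second named endpoint that only the WebDAV nginx location uses, as sketched below — confirm that the Authelia version in use accepts custom-named authz endpoints, as that is inferred rather than visible here. Because Basic credentials are re-sent on every request, also confirm that nginx terminates TLS in front of this and that Authelia's regulation/rate limiting covers header-based attempts. The "No, I do not understand what it does" comment could be replaced with `# AuthRequest is the implementation matching nginx's auth_request directive; authn_strategies lists how a request may prove identity, tried in order.`. The enclosing `server` attribute set continues outside the hunk.
```nix
endpoints.authz = {
  # Browser-facing services: session cookie only, so the interactive
  # login (and any second factor) cannot be bypassed with a header.
  auth-request = {
    implementation = "AuthRequest";
    authn_strategies = [ { name = "CookieSession"; } ];
  };
  # WebDAV clients can only do HTTP Basic; point only the WebDAV nginx
  # location at this endpoint.
  auth-request-basic = {
    implementation = "AuthRequest";
    authn_strategies = [
      { name = "HeaderAuthorization"; schemes = [ "Basic" ]; }
      { name = "CookieSession"; }
    ];
  };
};
```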
diff --git a/modules/nixos/deertopia/copyparty/vault.nix b/modules/nixos/deertopia/copyparty/vault.nix new file mode 100644 index 0000000..c195527 --- /dev/null +++ b/modules/nixos/deertopia/copyparty/vault.nix @@ -0,0 +1,41 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.copyparty.vault; +in { + options.sydnix.deertopia.copyparty.vault = { + enable = lib.mkEnableOption "personal storage under Copyparty"; + }; + + config = lib.mkIf cfg.enable { + sydnix.impermanence.directories = [ "/vault" ]; + + # HACK: Ad-hoc permissions, as typical. + users.groups.vault = {}; + users.users.copyparty.extraGroups = [ "vault" ]; + + systemd.tmpfiles.settings."50-vault" = + let e = { + z.group = "vault"; + z.mode = "2775"; + v.group = "vault"; + v.mode = "2775"; + }; + in { + "/vault" = e; + "/vault/~msyds" = e; + }; + + services.copyparty.volumes = { + "/~msyds" = { + path = "/vault/~msyds"; + access.A = [ "msyds" ]; + }; + "/~msyds/zotero" = { + path = "/vault/~msyds/zotero"; + flags.daw = true; + access.A = [ "msyds" ]; + access.rwmd = [ "zotero" ]; + }; + }; + }; +} diff --git a/modules/nixos/deertopia/webdav.nix b/modules/nixos/deertopia/webdav.nix index 300430a..ac33e89 100644 --- a/modules/nixos/deertopia/webdav.nix +++ b/modules/nixos/deertopia/webdav.nix @@ -29,6 +29,8 @@ in { }; }; + imports = [ ./copyparty/vault.nix ]; + config = mkIf cfg.enable { users.users.${cfg.user} = { isSystemUser = true;
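Review bot: Mode `2775` on `/vault` and `/vault/~msyds` leaves `o=rx`, so every local account on the host, not only members of `vault`, can traverse and read msyds's personal storage; for a personal vault the group-only form keeps the setgid inheritance and drops world access: `z.mode = "2770"; v.mode = "2770";`. `/vault/~msyds/zotero` is declared as a copyparty volume path but has no tmpfiles entry, so its creation, ownership and setgid bit depend on copyparty creating it at startup with whatever umask it runs under — adding `"/vault/~msyds/zotero" = e;` alongside the other two entries makes that explicit. The `HACK` comment is honest, but a one-line note on why `copyparty` joins `vault` and why setgid is used (`# setgid so files copyparty creates stay group vault`) would save the next reader from re-deriving it.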