feat(webdav): WebDAV

2025-09-08 07:53:43 -06:00
parent 6a96a2a074
commit 9fcb115fa8
3 changed files with 54 additions and 11 deletions
--- a/modules/nixos/deertopia/syncthing.nix
+++ b/modules/nixos/deertopia/syncthing.nix
@@ -21,7 +21,7 @@ in {
          ];
        };
        "org" = {
-          path = "/persist/deertopia.net/dav/org";
+          path = "/var/lib/webdav/~msyds/org";
          ignorePerms = true;
          devices = [
            "sydpc"
@@ -36,6 +36,7 @@ in {
      "jellyfin"
      "nginx"
      "media"
+      "webdav"
    ];

    sydnix.deertopia.nginx.vhosts."syncthing".vhost = {
--- a/modules/nixos/deertopia/webdav.nix
+++ b/modules/nixos/deertopia/webdav.nix
@@ -13,32 +13,54 @@ in {
        type = lib.types.port;
        description = ''
          The internal WebDAV port.  The actual server will be hosted at
-          https://dav.deertopia.net:80/.
+          https://dav.deertopia.net/.
        '';
      };
+
+      user = lib.mkOption {
+        default = "webdav";
+        type = lib.types.str;
+      };
+
+      group = lib.mkOption {
+        default = "webdav";
+        type = lib.types.str;
+      };
    };
  };

  config = mkIf cfg.enable {
-    systemd.services.deertopia-webdav-server =
-      let htpasswdFile = "/persist/deertopia.net/htpasswd";
-          directory = "/persist/deertopia.net/dav";
+    users.users.${cfg.user} = {
+      isSystemUser = true;
+      group = cfg.group;
+    };
+
+    users.groups.${cfg.group} = {};
+
+    systemd.services.webdav =
+      let htpasswdFile = "/run/secrets/webdav-htpasswd";
+          directory = "/var/lib/webdav";
      in {
        description = "Deertopia's WebDAV server";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
-        # TODO: Exclude .git.
-        # TODO: Respect .gitignore.
        script = ''
          ${pkgs.rclone}/bin/rclone serve webdav \
            --addr ":${builtins.toString cfg.port}" \
            --htpasswd "${htpasswdFile}" "${directory}"
        '';
-        serviceConfig.Restart = "always";
+        serviceConfig = {
+          User = cfg.user;
+          Group = cfg.group;
+          Restart = "always";
+        };
+        unitConfig = {
+          StateDirectory = "webdav";
+        };
      };

    # Without this, Nginx will attempt redirections to https://localhost, which
-    # is not okay, as localhost does not have any associated certs!
+    # is not okay because localhost does not have any associated certs!
    # See: https://forum.seafile.com/t/seafdav-move-command-causing-502/11582/26
    services.nginx.appendHttpConfig = ''
      map $http_destination $http_destination_webdav {
@@ -47,6 +69,25 @@ in {
      }
    '';

+    systemd.tmpfiles.settings."50-var-lib-webdav" =
+      let
+        e =
+          let x = { inherit (cfg) user group; mode = "2775"; };
+          in { z = x; v = x; };
+      in {
+        "/var/lib/webdav/~msyds/org" = e;
+        "/var/lib/webdav/~msyds/zotero" = e;
+      };
+
+    sydnix.sops.secrets.webdav-htpasswd = {
+      owner = cfg.user;
+      mode = "0600";
+    };
+
+    sydnix.impermanence.directories = [
+      "/var/lib/webdav"
+    ];
+
    sydnix.deertopia.nginx.vhosts."dav".vhost = {
      forceSSL = true;
      enableACME = true;