feat: add Git-annex module

2025-01-23 14:08:56 -07:00
parent f4924eeb59
commit fbd7553bc6
8 changed files with 262 additions and 70 deletions
--- a/modules/nixos/deertopia/git-annex.nix
+++ b/modules/nixos/deertopia/git-annex.nix
@@ -1,46 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.sydnix.deertopia.git-annex;
-in
-{
-  options.sydnix.deertopia.git-annex = {
-    enable = lib.mkEnableOption "Git-annex";
-  };
-
-  config = {
-    environment.systemPackages = with pkgs; [
-      git-annex
-      # git
-      # rsync
-    ];
-
-    # # Our files managed by git-annex actually live on a WebDAV server that is
-    # # declared by the following section.  This is mainly because it's the most
-    # # convenient way to share files with my iPhone.  Apple hates developers!
-    # services.nginx = {
-    #   # Nginx's WebDAV support is in a separate module we must import.
-    #   additionalModules = [ pkgs.nginxModules.dav ];
-
-    #   virtualHosts."dav.deertopia.net" = {
-    #     addSSL = true;
-    #     enableACME = true;
-    #     locations."/".extraConfig = ''
-    #       alias /persist/web/webdav;
-    #       client_body_temp_path /tmp/nginx/webdav;
-    #       dav_methods PUT DELETE MKCOL COPY MOVE;
-    #       dav_ext_methods PROPFIND OPTIONS;
-    #       create_full_put_path on
-
-    #       auth_basic "Restricted Access";
-    #       auth_basic_user_file /etc/nginx/webdav.passwd;
-
-    #       # Deny all access unless authenticated
-    #       satisfy all;
-    #       allow all;  # This allows all authenticated users
-    #       deny all;   # This denies all other users
-    #     '';
-    #   };
-    # };
-  };
-}
--- a/modules/nixos/deertopia/nginx.nix
+++ b/modules/nixos/deertopia/nginx.nix
@@ -41,6 +41,16 @@ in
            type = lib.types.str;
            default = "${cfg.root}/${name}";
          };
+          user = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            description = "The owning user of the host's root directory.";
+            default = cfg.user;
+          };
+          group = lib.mkOption {
+            type = lib.types.nullOr lib.types.str;
+            description = "The owning group of the host's root directory.";
+            default = cfg.group;
+          };
          vhostName = lib.mkOption {
            type = lib.types.str;
            default = "${name}.deertopia.net";
@@ -98,22 +108,22 @@ in
    #   };
    # };

-    system.activationScripts.initialiseDeertopiaRoot.text =
-      let
-        directories =
-          builtins.catAttrs "directory" (builtins.attrValues cfg.vhosts);
-        inherit (cfg) root group user;
-      in ''
-        mkdir -p "${root}"
-        chown -R "${user}:${group}" "${root}"
-        chmod -R 775 "${root}"
+    # system.activationScripts.initialiseDeertopiaRoot.text =
+    #   let
+    #     # FIXME: Use `lib.strings.toShellVar`.
+    #     inherit (cfg) root group user;
+    #   in ''
+    #     mkdir -p "${root}"
+    #     chown -R "${user}:${group}" "${root}"
+    #     chmod -R 775 "${root}"

-        dirs=(${builtins.concatStringsSep " " (map (x: "'${x}'") directories)})
-        for i in "''${dirs[@]}"; do
-          mkdir -p "$i"
-          chown -R "${user}:${group}" "$i"
-          chmod -R 775 "$i"
-        done
-    '';
+    #     ${lib.toShellVar "dirs"
+    #       (builtins.catAttrs "directory" (builtins.attrValues cfg.vhosts))}
+    #     for i in "''${dirs[@]}"; do
+    #       mkdir -p "$i"
+    #       chown -R "${user}:${group}" "$i"
+    #       chmod -R 775 "$i"
+    #     done
+    # '';
  };
 }
--- a/modules/nixos/deertopia/webdav.nix
+++ b/modules/nixos/deertopia/webdav.nix
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.sydnix.deertopia.webdav;
+in {
+  options = {
+    sydnix.deertopia.webdav = {
+      enable = mkEnableOption "Deertopia's WebDAV server";
+
+      port = lib.mkOption {
+        default = 22016;
+        type = lib.types.port;
+        description = ''
+          The internal WebDAV port.  The actual server will be hosted at
+          https://dav.deertopia.net:80/.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.deertopia-webdav-server =
+      let htpasswdFile = "/persist/deertopia.net/htpasswd";
+          directory = "/persist/deertopia.net/dav";
+      in {
+        description = "Deertopia's WebDAV server";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        script = ''
+          ${pkgs.rclone}/bin/rclone serve webdav \
+            --addr ":${builtins.toString cfg.port}" \
+            --htpasswd "${htpasswdFile}" "${directory}"
+        '';
+        serviceConfig.Restart = "always";
+      };
+
+    # Without this, Nginx will attempt redirections to https://localhost, which
+    # is not okay, as localhost does not have any associated certs!
+    # See: https://forum.seafile.com/t/seafdav-move-command-causing-502/11582/26
+    services.nginx.appendHttpConfig = ''
+      map $http_destination $http_destination_webdav {
+        ~*https://(.+) http://$1;
+        default $http_destination;
+      }
+    '';
+
+    sydnix.deertopia.nginx.vhosts."dav".vhost = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        extraConfig = ''
+          proxy_set_header Host $host;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          # See previous note regarding the HTTPS -> HTTP redirection.
+          proxy_set_header Destination $http_destination_webdav;
+
+          proxy_pass "http://localhost:${builtins.toString cfg.port}";
+        '';
+      };
+    };
+  };
+}