{ config, lib, pkgs, ... }:

{
  environment.systemPackages = with pkgs; [
    git-annex
    git
    rsync
  ];

  # Our files managed by git-annex actually live on a WebDAV server that is
  # declared by the following section.
  services.nginx = {
    # Nginx's WebDAV support is in a separate module we must import.
    additionalModules = [ pkgs.nginxModules.dav ];

    virtualHosts."dav.deertopia.net" = {
      addSSL = true;
      enableACME = true;
      locations."/".extraConfig = ''
        alias /persist/web/webdav;
        client_body_temp_path /tmp/nginx/webdav;
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_ext_methods PROPFIND OPTIONS;
        create_full_put_path on

        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/webdav.passwd;

        # Deny all access unless authenticated
        satisfy all;
        allow all;  # This allows all authenticated users
        deny all;   # This denies all other users
      '';
    };
  };
}