diff --git a/nixos/firewall.nix b/nixos/firewall.nix
index 419b623..ae4c7e7 100644
--- a/nixos/firewall.nix
+++ b/nixos/firewall.nix
@@ -8,8 +8,9 @@
 2200 #forgejo ssh
 3000 #forgejo http
- 9090 #sync.io
+ 8082 #webdav
+ 9090 #sync.io
 9091 #caddy
 ];
 }
diff --git a/nixos/linux.nix b/nixos/linux.nix
index 2307dd9..d173658 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
@@ -48,8 +48,17 @@ in {
 time.timeZone = "America/Anchorage";
- age.secrets.nearlyfreespeech.file = ./secrets/nearlyfreespeech.age;
- age.secrets.nearlyfreespeech.owner = "root";
+ age.secrets = {
+ nearlyfreespeech = {
+ file = ./secrets/nearlyfreespeech.age;
+ owner = "root";
+ };
+
+ webdav = {
+ file = ./secrets/webdav.age;
+ owner = "root";
+ };
+ };
 environment.systemPackages = [
 ddnsPkg
@@ -144,15 +153,15 @@ in {
 "webdav" = {
 autoStart = true;
- image = "dgraziotin/nginx-webdav-nononsense";
+ image = "quineglobal/nginx-webdav-nononsense@sha256:86002d386e433c3ed1d265d3aa7f921f96fb678651a913aaa92af8fb78870b1c";
 volumes = [
 "/mnt/webdav/data:/data"
 "/mnt/webdav/config:/config"
+ (config.age.secrets."webdav".path + ":/password")
 ];
 environment = {
- "WEBDAV_USERNAME" = "foo";
- # TODO
- "WEBDAV_PASSWORD" = "bar";
+ "WEBDAV_USERNAME" = "ironmagma";
+ "WEBDAV_PASSWORD_FILE" = "/password";
 "TZ" = "America/Anchorage";
 "PUID" = "60"; # nginx user
@@ -221,5 +230,11 @@ in {
 environmentFile = config.age.secrets."nearlyfreespeech".path;
 webroot = null;
 };
+
+ certs."webdav.philippeterson.com" = {
+ dnsProvider = "nearlyfreespeech";
+ environmentFile = config.age.secrets."nearlyfreespeech".path;
+ webroot = null;
+ };
 };
 }
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
index f826101..8f6cad1 100644
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
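Review bot: Port 8082 is added to `allowedTCPPorts` as `8082 #webdav`, yet the only consumer of that port visible in this commit is nginx proxying to `http://127.0.0.1:8082/`, which needs no firewall opening at all. If the webdav container publishes 8082 on all interfaces (its port mapping is not in the diff), this line exposes the plain-HTTP backend directly, so basic-auth credentials can travel unencrypted and the `onlySSL` nginx front is bypassed. I would drop `8082 #webdav` here and bind the container's published port to 127.0.0.1 instead; moving `9090 #sync.io` is otherwise cosmetic.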
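Review bot: The secret is bind-mounted read-write in the `volumes` list: `(config.age.secrets."webdav".path + ":/password")` should carry an `:ro` suffix, `(config.age.secrets."webdav".path + ":/password:ro")`, so the container cannot alter the decrypted file on the host. Separately, the `age.secrets.webdav` entry added in the earlier hunk of this file sets `owner = "root"` and no `mode`, while the container is told to run as `PUID = "60"`; unless the image reads `/password` before dropping privileges, uid 60 will not be able to open it, which is worth confirming against the image's entrypoint. Pinning the image by digest is a good change. The `"webdav"` container definition continues past the end of the hunk.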
@@ -110,6 +110,39 @@
 '';
 };
 };
+
+ "webdav.philippeterson.com" = {
+ serverName = "webdav.philippeterson.com";
+ enableACME = true;
+ onlySSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8082/"; # pass through to webdav
+ extraConfig = ''
+ # Pass required headers for WebDAV
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Pass Authorization header if required
+ proxy_set_header Authorization $http_authorization;
+
+ # Set timeouts for large file uploads or long WebDAV operations
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+
+ # Increase client body size for large uploads
+ client_max_body_size 100M;
+
+ # Optional: Disable caching for WebDAV operations
+ proxy_buffering off;
+ proxy_cache off;
+ '';
+ };
+ };
+
 "forge.quinefoundation.com-https" = {
 serverName = "forge.quinefoundation.com";
 enableACME = true;
diff --git a/nixos/secrets/default.nix b/nixos/secrets/default.nix
index 819eae3..6c1af5e 100644
--- a/nixos/secrets/default.nix
+++ b/nixos/secrets/default.nix
@@ -5,4 +5,7 @@ in {
 # NEARLYFREESPEECH_API_KEY
 # NEARLYFREESPEECH_LOGIN
 "./nearlyfreespeech.age".publicKeys = [mainframePublicKey];
+
+ # WEBDAV_PASSWORD
+ "./webdav.age".publicKeys = [mainframePublicKey];
 }
diff --git a/nixos/secrets/webdav.age b/nixos/secrets/webdav.age
new file mode 100644
index 0000000..e49dfbb
--- /dev/null
+++ b/nixos/secrets/webdav.age
@@ -0,0 +1,7 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE5GRC92ZyA3dVNY
+SWE3TVY1aUx5d3QvRXlXMWpHUlUwbkJWMEh1VUx0MUh6NTdJOUZnCnNyTGdHdzlz
+WlU1dUtDa3UwQ2FTbGhYbG9YeGhVZStXK2pVVjM4L0pTTDgKLS0tIGt1a3IxOFR6
+YzVPVXFTVDFDQXV6NnpKTnJ4U3VSYm51eElDTFlwUXhMc1UKS4xUGWRtLZU7K8Q0
+vwCwvntjoIxeNbLbzYbRRsOkmlu1T+V70iERWMSSWXVqqlX0FqffTw==
+-----END AGE ENCRYPTED FILE-----
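Review bot: `proxy_set_header Authorization $http_authorization;` in the new `extraConfig` is redundant, since nginx forwards the client's request headers to the upstream by default; the comment `# Pass Authorization header if required` then documents a non-effect and can go together with the line. A point that does matter for WebDAV behind a TLS-terminating proxy is the `Destination` header sent with MOVE and COPY: clients send it as `https://webdav.philippeterson.com/...` while the upstream is plain `http://127.0.0.1:8082/`, and some WebDAV backends reject or mis-handle that scheme mismatch, so check whether this image copes with it or rewrite the scheme in `extraConfig`. With `proxy_buffering off` already set, adding `proxy_request_buffering off;` would also let the 100M uploads stream to the container instead of being spooled to nginx's temporary directory first.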
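Review bot: The new comment `# WEBDAV_PASSWORD` copies the env-var style of the `NEARLYFREESPEECH_*` lines above it, but this secret is not an env file: linux.nix in the same commit mounts it as `/password` and points `WEBDAV_PASSWORD_FILE` at it, so the decrypted contents are presumably taken as the password itself. A comment stating that would stop someone from re-encrypting it as `WEBDAV_PASSWORD=...`; for example `# raw password only (mounted as /password in the webdav container, read via WEBDAV_PASSWORD_FILE), not KEY=VALUE`.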