diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index f392ca52566f..273ed95e1bce 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -351,6 +351,7 @@ in
 hqplayer = 319;
 moonraker = 320;
 distcc = 321;
+ webdav = 322;
 # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -656,6 +657,7 @@ in
 hqplayer = 319;
 moonraker = 320;
 distcc = 321;
+ webdav = 322;
 # When adding a gid, make sure it doesn't match an existing # uid. Users and groups with the same name should have equal
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 9eca0b8d65f2..1d51fca02fbf 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -685,6 +685,7 @@
 ./services/network-filesystems/diod.nix
 ./services/network-filesystems/u9fs.nix
 ./services/network-filesystems/webdav.nix
+ ./services/network-filesystems/webdav-server-rs.nix
 ./services/network-filesystems/yandex-disk.nix
 ./services/network-filesystems/xtreemfs.nix
 ./services/network-filesystems/ceph.nix
diff --git a/nixos/modules/services/network-filesystems/webdav-server-rs.nix b/nixos/modules/services/network-filesystems/webdav-server-rs.nix
new file mode 100644
index 000000000000..1c5c299cb673
--- /dev/null
+++ b/nixos/modules/services/network-filesystems/webdav-server-rs.nix
@@ -0,0 +1,144 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+ cfg = config.services.webdav-server-rs;
+ format = pkgs.formats.toml { };
+ settings = recursiveUpdate
+ {
+ server.uid = config.users.users."${cfg.user}".uid;
+ server.gid = config.users.groups."${cfg.group}".gid;
+ }
+ cfg.settings;
+in
+{
+ options = {
+ services.webdav-server-rs = {
+ enable = mkEnableOption "WebDAV server";
+
+ user = mkOption {
+ type = types.str;
+ default = "webdav";
+ description = "User to run under when setuid is not enabled.";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "webdav";
+ description = "Group to run under when setuid is not enabled.";
+ };
+
+ settings = mkOption {
+ type = format.type;
+ default = { };
+ description = ''
+ Attrset that is converted and passed as config file. Available
+ options can be found at
+ here.
+ '';
+ example = literalExpression ''
+ {
+ server.listen = [ "0.0.0.0:4918" "[::]:4918" ];
+ accounts = {
+ auth-type = "htpasswd.default";
+ acct-type = "unix";
+ };
+ htpasswd.default = {
+ htpasswd = "/etc/htpasswd";
+ };
+ location = [
+ {
+ route = [ "/public/*path" ];
+ directory = "/srv/public";
+ handler = "filesystem";
+ methods = [ "webdav-ro" ];
+ autoindex = true;
+ auth = "false";
+ }
+ {
+ route = [ "/user/:user/*path" ];
+ directory = "~";
+ handler = "filesystem";
+ methods = [ "webdav-rw" ];
+ autoindex = true;
+ auth = "true";
+ setuid = true;
+ }
+ ];
+ }
+ '';
+ };
+
+ configFile = mkOption {
+ type = types.path;
+ default = format.generate "webdav-server.toml" settings;
+ defaultText = "Config file generated from services.webdav-server-rs.settings";
+ description = ''
+ Path to config file. If this option is set, it will override any
+ configuration done in services.webdav-server-rs.settings.
+ '';
+ example = "/etc/webdav-server.toml";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = hasAttr cfg.user config.users.users && config.users.users."${cfg.user}".uid != null;
+ message = "users.users.${cfg.user} and users.users.${cfg.user}.uid must be defined.";
+ }
+ {
+ assertion = hasAttr cfg.group config.users.groups && config.users.groups."${cfg.group}".gid != null;
+ message = "users.groups.${cfg.group} and users.groups.${cfg.group}.gid must be defined.";
+ }
+ ];
+
+ users.users = optionalAttrs (cfg.user == "webdav") {
+ webdav = {
+ description = "WebDAV user";
+ group = cfg.group;
+ uid = config.ids.uids.webdav;
+ };
+ };
+
+ users.groups = optionalAttrs (cfg.group == "webdav") {
+ webdav.gid = config.ids.gids.webdav;
+ };
+
+ systemd.services.webdav-server-rs = {
+ description = "WebDAV server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.webdav-server-rs}/bin/webdav-server -c ${cfg.configFile}";
+
+ CapabilityBoundingSet = [
+ "CAP_SETUID"
+ "CAP_SETGID"
+ ];
+
+ NoExecPaths = [ "/" ];
+ ExecPaths = [ "/nix/store" ];
+
+ # This program actively detects if it is running in root user account
+ # when it starts and uses root privilege to switch process uid to
+ # respective unix user when a user logs in. Maybe we can enable
+ # DynamicUser in the future when it's able to detect CAP_SETUID and
+ # CAP_SETGID capabilities.
+
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = true;
+ };
+ };
+ };
+
+ meta.maintainers = with maintainers; [ pmy ];
+}
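Review bot: The `serviceConfig` block sets no `User=`, so the unit starts as root and keeps `CAP_SETUID`/`CAP_SETGID` in its bounding set; the drop to the `webdav` account relies on the injected `server.uid`/`server.gid`, which a custom `configFile` (or a `settings` override) replaces, presumably leaving the daemon running as root. With that in mind the sandboxing is thinner than it looks: `ProtectSystem = true` only makes `/usr` and the boot loader directories read-only, which likely covers very little on NixOS. Consider `ProtectSystem = "full";` (or `"strict"` with explicit `ReadWritePaths` for the served directories), together with `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` and `RestrictNamespaces = true;`, assuming the htpasswd/unix account lookup needs nothing beyond those. The `configFile` description should also say that an overriding file has to set `server.uid` and `server.gid` itself.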