nix-configuration/modules/services/webdav.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  cfg = config.aux.system.services.webdav;

  port = 6065; # Internal port to run the server on
in
{
  options = {
    aux.system.services.webdav = {
      enable = lib.mkEnableOption "Enables Webdav server.";
      home = lib.mkOption {
        default = "/var/lib/webdav";
        type = lib.types.str;
        description = "Where to store Webdav's files";
        example = "/home/webdav";
      };
      url = lib.mkOption {
        default = "";
        type = lib.types.str;
        description = "The complete URL where Webdav is hosted.";
        example = "https://dav.example.com";
      };
      users = lib.mkOption {
        default = [ ];
        type = lib.types.listOf lib.types.attrs;
        description = "List of user accounts to create.";
        example = lib.literalExpression "[ { username = \"user\"; password = \"pass\"; } ]";
      };
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      webdav = {
        enable = true;
        settings = {
          address = "127.0.0.1";
          port = port;
          scope = cfg.home;
          users = cfg.users;
          behindProxy = true;
        };
      };

      nginx.virtualHosts."${cfg.url}" = {
        useACMEHost = pkgs.util.getDomainFromURL cfg.url;
        forceSSL = true;
        locations."/".extraConfig = ''
          proxy_pass http://127.0.0.1:${builtins.toString port};
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header REMOTE-HOST $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
          proxy_redirect off;
        '';
      };
    };

    environment.etc = lib.mkIf config.services.fail2ban.enable {
      "fail2ban/filter.d/webdav.conf".text = ''
        [INCLUDES]
        before = common.conf

        [Definition]
        # Failregex to match "invalid password" and extract remote_address only
        failregex = ^.*invalid password\s*\{.*"remote_address":\s*"<HOST>"\s*\}

        # Failregex to match "invalid username" and extract remote_address only (if applicable)
        failregex += ^.*invalid username\s*\{.*"remote_address":\s*"<HOST>"\s*\}

        ignoreregex =
      '';

      "fail2ban/jail.d/webdav.conf".text = ''
        [webdav]
        enabled = true
        port = ${builtins.toString port}
        filter = webdav
        logpath = /var/log/webdav/fail2ban.log
        banaction = iptables-allports
        ignoreself = false
      '';
    };

    systemd.services = {
      webdav.unitConfig.RequiresMountsFor = cfg.home;
      nginx.wants = [ config.systemd.services.webdav.name ];
    };
  };
}
Services: add webdav service 2024-10-25 20:54:19 +00:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
			`let`
			`cfg = config.aux.system.services.webdav;`

			`port = 6065; # Internal port to run the server on`
			`in`
			`{`
			`options = {`
			`aux.system.services.webdav = {`
			`enable = lib.mkEnableOption "Enables Webdav server.";`
			`home = lib.mkOption {`
			`default = "/var/lib/webdav";`
			`type = lib.types.str;`
			`description = "Where to store Webdav's files";`
			`example = "/home/webdav";`
			`};`
			`url = lib.mkOption {`
			`default = "";`
			`type = lib.types.str;`
			`description = "The complete URL where Webdav is hosted.";`
			`example = "https://dav.example.com";`
			`};`
			`users = lib.mkOption {`
			`default = [ ];`
			`type = lib.types.listOf lib.types.attrs;`
			`description = "List of user accounts to create.";`
			`example = lib.literalExpression "[ { username = \"user\"; password = \"pass\"; } ]";`
			`};`
			`};`
			`};`

			`config = lib.mkIf cfg.enable {`
			`services = {`
			`webdav = {`
			`enable = true;`
			`settings = {`
			`address = "127.0.0.1";`
			`port = port;`
			`scope = cfg.home;`
			`users = cfg.users;`
Services: finalize and enable webdav 2024-11-02 15:53:13 +00:00			`behindProxy = true;`
Services: add webdav service 2024-10-25 20:54:19 +00:00			`};`
			`};`

			`nginx.virtualHosts."${cfg.url}" = {`
			`useACMEHost = pkgs.util.getDomainFromURL cfg.url;`
			`forceSSL = true;`
			`locations."/".extraConfig = ''`
			`proxy_pass http://127.0.0.1:${builtins.toString port};`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header REMOTE-HOST $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header Host $host;`
			`proxy_redirect off;`
			`'';`
			`};`
			`};`

Services: finalize and enable webdav 2024-11-02 15:53:13 +00:00			`environment.etc = lib.mkIf config.services.fail2ban.enable {`
			`"fail2ban/filter.d/webdav.conf".text = ''`
			`[INCLUDES]`
			`before = common.conf`

			`[Definition]`
			`# Failregex to match "invalid password" and extract remote_address only`
			`failregex = ^.invalid password\s\{."remote_address":\s"<HOST>"\s*\}`

			`# Failregex to match "invalid username" and extract remote_address only (if applicable)`
			`failregex += ^.invalid username\s\{."remote_address":\s"<HOST>"\s*\}`

			`ignoreregex =`
			`'';`

			`"fail2ban/jail.d/webdav.conf".text = ''`
			`[webdav]`
			`enabled = true`
			`port = ${builtins.toString port}`
			`filter = webdav`
			`logpath = /var/log/webdav/fail2ban.log`
			`banaction = iptables-allports`
			`ignoreself = false`
			`'';`
			`};`

Services: add webdav service 2024-10-25 20:54:19 +00:00			`systemd.services = {`
			`webdav.unitConfig.RequiresMountsFor = cfg.home;`
			`nginx.wants = [ config.systemd.services.webdav.name ];`
			`};`
			`};`
			`}`