Merge pull request #146965 from pmeiyu/webdav

Add webdav-server-rs

maintainers/maintainer-list.nix

@@ -8974,12 +8974,6 @@
     githubId = 8641;
     name = "Pierre Carrier";
   };
-  pengmeiyu = {
-    email = "pengmyu@gmail.com";
-    github = "pmeiyu";
-    githubId = 8529551;
-    name = "Peng Mei Yu";
-  };
   penguwin = {
     email = "penguwin@penguwin.eu";
     github = "penguwin";
@@ -9255,6 +9249,12 @@
     githubId = 178496;
     name = "Philipp Middendorf";
   };
+  pmy = {
+    email = "pmy@xqzp.net";
+    github = "pmeiyu";
+    githubId = 8529551;
+    name = "Peng Mei Yu";
+  };
   pmyjavec = {
     email = "pauly@myjavec.com";
     github = "pmyjavec";

nixos/modules/misc/ids.nix

@@ -351,6 +351,7 @@ in
       hqplayer = 319;
       moonraker = 320;
       distcc = 321;
+      webdav = 322;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -656,6 +657,7 @@ in
       hqplayer = 319;
       moonraker = 320;
       distcc = 321;
+      webdav = 322;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/module-list.nix

@@ -685,6 +685,7 @@
   ./services/network-filesystems/diod.nix
   ./services/network-filesystems/u9fs.nix
   ./services/network-filesystems/webdav.nix
+  ./services/network-filesystems/webdav-server-rs.nix
   ./services/network-filesystems/yandex-disk.nix
   ./services/network-filesystems/xtreemfs.nix
   ./services/network-filesystems/ceph.nix

nixos/modules/services/network-filesystems/webdav-server-rs.nix

@@ -0,0 +1,144 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.webdav-server-rs;
+  format = pkgs.formats.toml { };
+  settings = recursiveUpdate
+    {
+      server.uid = config.users.users."${cfg.user}".uid;
+      server.gid = config.users.groups."${cfg.group}".gid;
+    }
+    cfg.settings;
+in
+{
+  options = {
+    services.webdav-server-rs = {
+      enable = mkEnableOption "WebDAV server";
+
+      user = mkOption {
+        type = types.str;
+        default = "webdav";
+        description = "User to run under when setuid is not enabled.";
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "webdav";
+        description = "Group to run under when setuid is not enabled.";
+      };
+
+      settings = mkOption {
+        type = format.type;
+        default = { };
+        description = ''
+          Attrset that is converted and passed as config file. Available
+          options can be found at
+          <link xlink:href="https://github.com/miquels/webdav-server-rs/blob/master/webdav-server.toml">here</link>.
+        '';
+        example = literalExpression ''
+          {
+            server.listen = [ "0.0.0.0:4918" "[::]:4918" ];
+            accounts = {
+              auth-type = "htpasswd.default";
+              acct-type = "unix";
+            };
+            htpasswd.default = {
+              htpasswd = "/etc/htpasswd";
+            };
+            location = [
+              {
+                route = [ "/public/*path" ];
+                directory = "/srv/public";
+                handler = "filesystem";
+                methods = [ "webdav-ro" ];
+                autoindex = true;
+                auth = "false";
+              }
+              {
+                route = [ "/user/:user/*path" ];
+                directory = "~";
+                handler = "filesystem";
+                methods = [ "webdav-rw" ];
+                autoindex = true;
+                auth = "true";
+                setuid = true;
+              }
+            ];
+          }
+        '';
+      };
+
+      configFile = mkOption {
+        type = types.path;
+        default = format.generate "webdav-server.toml" settings;
+        defaultText = "Config file generated from services.webdav-server-rs.settings";
+        description = ''
+          Path to config file. If this option is set, it will override any
+          configuration done in services.webdav-server-rs.settings.
+        '';
+        example = "/etc/webdav-server.toml";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = hasAttr cfg.user config.users.users && config.users.users."${cfg.user}".uid != null;
+        message = "users.users.${cfg.user} and users.users.${cfg.user}.uid must be defined.";
+      }
+      {
+        assertion = hasAttr cfg.group config.users.groups && config.users.groups."${cfg.group}".gid != null;
+        message = "users.groups.${cfg.group} and users.groups.${cfg.group}.gid must be defined.";
+      }
+    ];
+
+    users.users = optionalAttrs (cfg.user == "webdav") {
+      webdav = {
+        description = "WebDAV user";
+        group = cfg.group;
+        uid = config.ids.uids.webdav;
+      };
+    };
+
+    users.groups = optionalAttrs (cfg.group == "webdav") {
+      webdav.gid = config.ids.gids.webdav;
+    };
+
+    systemd.services.webdav-server-rs = {
+      description = "WebDAV server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.webdav-server-rs}/bin/webdav-server -c ${cfg.configFile}";
+
+        CapabilityBoundingSet = [
+          "CAP_SETUID"
+          "CAP_SETGID"
+        ];
+
+        NoExecPaths = [ "/" ];
+        ExecPaths = [ "/nix/store" ];
+
+        # This program actively detects if it is running in root user account
+        # when it starts and uses root privilege to switch process uid to
+        # respective unix user when a user logs in.  Maybe we can enable
+        # DynamicUser in the future when it's able to detect CAP_SETUID and
+        # CAP_SETGID capabilities.
+
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = true;
+      };
+    };
+  };
+
+  meta.maintainers = with maintainers; [ pmy ];
+}

nixos/modules/services/network-filesystems/webdav.nix

@@ -80,13 +80,13 @@ in
     users.users = mkIf (cfg.user == "webdav") {
       webdav = {
         description = "WebDAV daemon user";
-        isSystemUser = true;
         group = cfg.group;
+        uid = config.ids.uids.webdav;
       };
     };
 
     users.groups = mkIf (cfg.group == "webdav") {
-      webdav = { };
+      webdav.gid = config.ids.gids.webdav;
     };
 
     systemd.services.webdav = {
@@ -103,5 +103,5 @@ in
     };
   };
 
-  meta.maintainers = with maintainers; [ pengmeiyu ];
+  meta.maintainers = with maintainers; [ pmy ];
 }

pkgs/data/misc/rime-data/default.nix

@@ -61,6 +61,6 @@ stdenv.mkDerivation {
       # rime-cantonese
       cc-by-40
     ];
-    maintainers = [ maintainers.pengmeiyu ];
+    maintainers = with maintainers; [ pmy ];
   };
 }

pkgs/os-specific/linux/lm-sensors/default.nix

@@ -44,7 +44,7 @@ stdenv.mkDerivation rec {
     changelog = "https://raw.githubusercontent.com/lm-sensors/lm-sensors/V${dashedVersion}/CHANGES";
     description = "Tools for reading hardware sensors";
     license = with licenses; [ lgpl21Plus gpl2Plus ];
-    maintainers = with maintainers; [ pengmeiyu ];
+    maintainers = with maintainers; [ pmy ];
     platforms = platforms.linux;
     mainProgram = "sensors";
   };

pkgs/servers/webdav-server-rs/default.nix

@@ -0,0 +1,47 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, rustPlatform
+, libtirpc
+, pam
+, rpcsvc-proto
+, enablePAM ? stdenv.isLinux
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "webdav-server-rs";
+  # The v0.4.0 tag cannot build.  So we use the 547602e commit.
+  version = "unstable-2021-08-16";
+
+  src = fetchFromGitHub {
+    owner = "miquels";
+    repo = pname;
+    rev = "547602e78783935b4ddd038fb795366c9c476bcc";
+    sha256 = "sha256-nTygUEjAUXD0mRTmjt8/UPVfZA4rP6oop1s/fI5mYeg=";
+  };
+
+  cargoHash = "sha256-TDDfGQig4i/DpsilTPqMQ1oT0mXK5DKlZmwsPPLrzFc=";
+
+  buildInputs = [ libtirpc ] ++ lib.optional enablePAM pam;
+  nativeBuildInputs = [ rpcsvc-proto ];
+
+  buildNoDefaultFeatures = true;
+  buildFeatures = [ "quota" ] ++ lib.optional enablePAM "pam";
+
+  postPatch = ''
+    substituteInPlace fs_quota/build.rs \
+       --replace '/usr/include/tirpc' '${libtirpc.dev}/include/tirpc'
+  '';
+
+  meta = with lib; {
+    description = "An implementation of WebDAV server in Rust";
+    longDescription = ''
+      webdav-server-rs is an implementation of WebDAV with full support for
+      RFC4918.  It also supports local unix accounts, PAM authentication, and
+      quota.
+    '';
+    homepage = "https://github.com/miquels/webdav-server-rs";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ pmy ];
+  };
+}

pkgs/servers/webdav/default.nix

@@ -17,6 +17,6 @@ buildGoModule rec {
     description = "Simple WebDAV server";
     homepage = "https://github.com/hacdias/webdav";
     license = licenses.mit;
-    maintainers = with maintainers; [ pengmeiyu ];
+    maintainers = with maintainers; [ pmy ];
   };
 }

pkgs/tools/inputmethods/ibus-engines/ibus-rime/default.nix

@@ -39,6 +39,6 @@ stdenv.mkDerivation rec {
     homepage = "https://rime.im/";
     license = licenses.gpl3Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ pengmeiyu ];
+    maintainers = with maintainers; [ pmy ];
   };
 }

pkgs/top-level/all-packages.nix

@@ -21711,6 +21711,8 @@ with pkgs;
 
   webdav = callPackage ../servers/webdav { };
 
+  webdav-server-rs = callPackage ../servers/webdav-server-rs { };
+
   webmetro = callPackage ../servers/webmetro { };
 
   wsdd = callPackage ../servers/wsdd { };