smaller, simpler webdav service

hosts/modules/alexandria/services.nix

@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
   ports = {
@@ -6,8 +11,45 @@ let
     librespeed = "8000";
     radicale = "8001";
     vaultwarden = "8002";
-    webdav = "8003";
   };
+  rclone-webdav-start = pkgs.writeShellScript "rclone-webdav-start.sh" ''
+    #!/bin/bash
+
+    # Configuration
+    CREDS_FILE="/run/agenix/webdav"
+    SERVE_DIR="/data/webdav"
+    SOCKET_PATH="/run/rclone-webdav/webdav.sock"
+
+    # Check if credentials file exists
+    if [ ! -f "$CREDS_FILE" ]; then
+      echo "Error: Credentials file $CREDS_FILE not found"
+      exit 1
+    fi
+
+    # Read credentials from file (format: username:password)
+    CREDENTIALS=$(cat "$CREDS_FILE")
+    USERNAME=$(echo "$CREDENTIALS" | cut -d':' -f1)
+    PASSWORD=$(echo "$CREDENTIALS" | cut -d':' -f2)
+
+    # Validate credentials
+    if [ -z "$USERNAME" ] || [ -z "$PASSWORD" ]; then
+      echo "Error: Invalid credentials format. Expected username:password"
+      exit 1
+    fi
+
+    # Ensure serve directory exists
+    mkdir -p "$SERVE_DIR"
+
+    # Remove existing socket if it exists
+    rm -f "$SOCKET_PATH"
+
+    # Start rclone serve webdav
+    exec ${pkgs.rclone}/bin/rclone serve webdav "$SERVE_DIR" \
+      --addr unix://"$SOCKET_PATH" \
+      --user "$USERNAME" \
+      --pass "$PASSWORD" \
+      --verbose
+  '';
 in
 
 {
@@ -84,15 +126,6 @@ in
       };
     };
 
-    rclone-webdav = {
-      enable = true;
-      authFile = config.age.secrets.webdav.path;
-      dataDirectory = "/data/webdav";
-      maxFileSize = "5G";
-      listenAddresses = [ "0.0.0.0" ];
-      port = lib.toInt ports.webdav;
-    };
-
     vaultwarden = {
       enable = true;
       config = {
@@ -142,9 +175,47 @@ in
     };
   };
 
-  # TODO: remove when bug fix
-  # serokell/deploy-rs/issues/57
-  # NixOS/nixpkgs/issues/180175
-  # Workaround for upstream bug in NetworkManager-wait-online.service
-  systemd.services.NetworkManager-wait-online.enable = false;
+  systemd.services = {
+    # TODO: remove when bug fix
+    # serokell/deploy-rs/issues/57
+    # NixOS/nixpkgs/issues/180175
+    # Workaround for upstream bug in NetworkManager-wait-online.service
+    NetworkManager-wait-online.enable = false;
+    rclone-webdav = {
+      description = "RClone WebDAV Server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        Type = "exec";
+        User = "user";
+        Group = "users";
+        ExecStart = "${rclone-webdav-start}";
+        Restart = "always";
+        RestartSec = "10";
+
+        # Security settings
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ReadWritePaths = [
+          "/data/webdav"
+          "/run"
+        ];
+
+        # Create runtime directory for socket
+        RuntimeDirectory = "rclone-webdav";
+        RuntimeDirectoryMode = "0755";
+      };
+
+      # Ensure the user exists
+      preStart = ''
+        # Create webdav directory if it doesn't exist
+        mkdir -p /data/webdav
+        chown user:users /data/webdav
+        chmod 755 /data/webdav
+      '';
+    };
+  };
 }