update nginx conf

systems/LoutreOS/hardware-configuration.nix

@@ -163,6 +163,11 @@
       fsType = "zfs";
     };
 
+  fileSystems."/mnt/webdav" =
+    { device = "loutrepool/webdav";
+      fsType = "zfs";
+    };
+
   swapDevices =
     [
       {

systems/LoutreOS/web.nix

@@ -48,14 +48,24 @@ in
     acceptTerms = true;
   };
 
-  users.groups.work = {};
+  users.groups = {
-  users.users.work = {
+    work = {};
+    webdav = {};
+  };
+  users.users = {
+    work = {
       isSystemUser = true;
       group = config.users.groups.work.name;
     };
+    webdav = {
+      isSystemUser = true;
+      group = config.users.groups.webdav.name;
+    };
+  };
 
   services = {
-    phpfpm.pools.work = {
+    phpfpm.pools = {
+      work = {
         user = config.users.users.work.name;
         phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
         settings = {
@@ -68,10 +78,26 @@ in
           "pm.max_requests" = 500;
         };
       };
+      drive = {
+        user = config.users.users.webdav.name;
+        settings = {
+          "listen.owner" = config.services.nginx.user;
+          "pm" = "dynamic";
+          "pm.max_children" = 75;
+          "pm.start_servers" = 10;
+          "pm.min_spare_servers" = 5;
+          "pm.max_spare_servers" = 20;
+          "pm.max_requests" = 500;
+        };
+        phpOptions = ''
+          output_buffering=off
+        '';
+      };
+    };
     nginx = {
       enable = true;
       package = pkgs.nginx.override {
-        modules = with pkgs.nginxModules; [ dav ];
+        modules = with pkgs.nginxModules; [ dav moreheaders ];
       };
       recommendedGzipSettings = true;
       recommendedOptimisation = true;
@@ -83,8 +109,6 @@ in
         }
         add_header Strict-Transport-Security  $hsts_header;
         add_header Referrer-Policy            origin-when-cross-origin;
-
-        error_page 500 502 503 504 https://nyanlout.re/errorpages/50x.html;
       '';
       sso = {
         enable = true;
@@ -128,16 +152,27 @@ in
       };
       virtualHosts = let
         base = locations: {
-          inherit locations;
+          locations = locations // {
+            "@maintenance" = {
+              root = "/var/www/errorpages/";
+              extraConfig = ''
+                rewrite ^(.*)$ /50x.html break;
+              '';
+            };
+          };
           forceSSL = true;
           enableACME = true;
+          extraConfig = ''
+            error_page 500 502 503 504 = @maintenance;
+          '';
         };
         simpleReverse = rport: base {
           "/" = {
             proxyPass = "http://127.0.0.1:${toString(rport)}/";
           };
         };
-        authReverse = rport: base {
+        authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
+          (base {
             "/" = {
               proxyPass = "http://127.0.0.1:${toString(rport)}/";
               extraConfig = ''
@@ -145,17 +180,19 @@ in
                 add_header Set-Cookie $cookie;
               '';
             };
-        } // {
+          })
+          {
             extraConfig = ''
               include ${nginxSsoAuth};
             '';
-        };
+          }
+        ];
       in {
         "nyanlout.re" = base {
           "/" = {
             alias = "/var/www/site-perso/";
           };
-          "/errorpages/" = {
+          "/maintenance/" = {
             alias = "/var/www/errorpages/";
           };
           "/.well-known/openpgpkey/" = {
@@ -194,7 +231,11 @@ in
         "jackett.nyanlout.re" = authReverse 9117;
         "pgmanage.nyanlout.re" = authReverse config.services.pgmanage.port;
         "matrix.nyanlout.re" = simpleReverse 8008;
-        "emby.nyanlout.re" = simpleReverse 8096;
+        "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
+          locations."/" = {
+            proxyWebsockets = true;
+          };
+        };
         "ci.nyanlout.re" = simpleReverse 52350;
         "gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort;
         "musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;
@@ -203,27 +244,58 @@ in
             proxyWebsockets = true;
           };
         };
-        "work.rezom.eu" = base {
+        # "work.rezom.eu" = base {
+        #   "/" = {
+        #     index = "/_h5ai/public/index.php";
+        #     extraConfig = ''
+        #       dav_ext_methods PROPFIND OPTIONS;
+        #     '';
+        #   };
+        #   "~ ^/(_h5ai/public/index|random).php" = {
+        #     extraConfig = ''
+        #       fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        #       fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
+        #       include ${pkgs.nginx}/conf/fastcgi_params;
+        #       include ${pkgs.nginx}/conf/fastcgi.conf;
+        #     '';
+        #   };
+        # } // {
+        #   root = "/mnt/medias/iso_linux";
+        #   extraConfig = ''
+        #     access_log /var/log/nginx/$host.log;
+        #   '';
+        # };
+        "drive.nyanlout.re" = base {
           "/" = {
-            index = "/_h5ai/public/index.php";
+            index = "/index.php";
-            extraConfig = ''
-              dav_ext_methods PROPFIND OPTIONS;
-            '';
-          };
-          "~ ^/(_h5ai/public/index|random).php" = {
             extraConfig = ''
               fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
+              fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
               include ${pkgs.nginx}/conf/fastcgi_params;
               include ${pkgs.nginx}/conf/fastcgi.conf;
+
+              client_max_body_size    0;
             '';
           };
         } // {
-          root = "/mnt/medias/iso_linux";
+          root = "/mnt/webdav";
+        };
+        "rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
+          (base {
+            "/" = {
+              proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
               extraConfig = ''
-            access_log /var/log/nginx/$host.log;
+                auth_request_set $cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $cookie;
               '';
             };
+          })
+          {
+            extraConfig = ''
+              include ${nginxSsoAuth};
+            '';
+          }
+        ];
       };
     };
 
@@ -279,7 +351,10 @@ in
   };
 
   systemd.services.nginx.serviceConfig = {
-    ReadWritePaths = "/var/www/hls";
+    ReadWritePaths = [
+      "/var/www/hls"
+      "/mnt/webdav"
+    ];
   };
 
   systemd.services.phpfpm-work.serviceConfig = {