From d2479b229ea72ba125c1fad4c4ddf4e8102292a5 Mon Sep 17 00:00:00 2001
From: chn
Date: Thu, 16 Nov 2023 11:57:02 +0800
Subject: [PATCH] nginx.webdav: restrict write path
---
 modules/services/nginx/applications/webdav.nix | 6 +++++-
 modules/services/nginx/default.nix | 1 -
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/services/nginx/applications/webdav.nix b/modules/services/nginx/applications/webdav.nix
index 70ad06fc..465273c6 100644
--- a/modules/services/nginx/applications/webdav.nix
+++ b/modules/services/nginx/applications/webdav.nix
@@ -18,6 +18,10 @@ inputs:
 webdav = true;
 detectAuth.users = [ "chn" ];
 };
- systemd.tmpfiles.rules = [ "d /srv/webdav 0700 nginx nginx" ];
+ systemd =
+ {
+ tmpfiles.rules = [ "d /srv/webdav 0700 nginx nginx" ];
+ services.nginx.serviceConfig.ReadWritePaths = [ "/srv/webdav" ];
+ };
 };
 }
diff --git a/modules/services/nginx/default.nix b/modules/services/nginx/default.nix
index 65ea43e5..15999de3 100644
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -311,7 +311,6 @@ inputs:
 AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 LimitNPROC = 65536;
 LimitNOFILE = 524288;
- ReadWritePaths = [ "/srv" ];
 };
 }
 # transparentProxy
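Review bot: The new `services.nginx.serviceConfig.ReadWritePaths = [ "/srv/webdav" ];` line only narrows the unit's write access if nginx already runs under `ProtectSystem=strict` (or an equivalent `ReadOnlyPaths=`), which this hunk does not show; the NixOS nginx module is believed to set that, but a comment above the line would make the dependency explicit, e.g. `# Requires ProtectSystem=strict to have any effect; this is the only write path nginx keeps under /srv.`. systemd refuses to start a unit when a listed path does not exist unless it is prefixed with `-`, so this entry relies on the tmpfiles rule above it running before nginx starts — `"-/srv/webdav"` would tolerate a lazily created directory (verify against the systemd.exec man page for the systemd version in use). Since the broad `/srv` entry is removed from default.nix in the same commit, any other nginx application that writes below `/srv` now needs its own `ReadWritePaths` entry in the same way. The enclosing attribute set begins before this hunk.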