webdav: add config

group_vars/nas/vars.yml

@@ -16,3 +16,7 @@ ntfy_user_pi_pass: "{{ vault_ntfy_user_pi_pass }}"
 
 nefarious_admin_user: "{{ vault_nefarious_admin_user }}"
 nefarious_admin_pass: "{{ vault_nefarious_admin_pass }}"
+
+webdav_version: '5.7.4'
+webdav_user: "{{ vault_webdav_user }}"
+webdav_password_bcrypt: "{{ vault_webdav_password_bcrypt }}"

group_vars/nas/vault.yml

@@ -1,38 +1,43 @@
 $ANSIBLE_VAULT;1.1;AES256
-39383533373564616531386363393531386339396563323835666338383434623366623336343532
+61313631626664383562666362636266653966633162646535656238616132333434366633373563
-3265343939376332323938613039623439666465656133330a396635613563376263386234396535
+6131663830316134363130396265393636613631396339340a356137323363316565626234303233
-62363264613634323430353131366634303662616564316632373033336262316636663334333232
+33393461623663303939386465396361656131333533326166353365376132396531643732373330
-3562613462313337390a636533336265656266303766333661326438306166663837313335373862
+6338386366613665320a333365333263663038343265323862633162386561636332323438323030
-35333761653937393338393430363932336238323239623036346139303336653764316637373966
+37663434643038333861313563363261613631643939646534646338326432326633356166616232
-32316462616263363336316134393262356336373763663165353132396539653336326632376665
+34636164663166366530343562366364663538303931666534343262323633633139363137653830
-37666534666331343062353535303965373231643762396535623035313231303761393362653665
+33663830333164313531366563346235313032313264663163386234383465323739323165613161
-38363761383531663862663166363866333434376439643066353666316365306366656564656531
+38376437356662313865303065393832623638386335303031376238383964313034636363613430
-65656333313637303561656161383335343331303932373130666537323863323634343839666235
+62396435643662323936393339653561333163616563346636343066643561643566303234303465
-66353562323636663261356162363736616131646561623262363739356231613365626339383934
+32356132393434346465666261373830386230373933343561376334393334646565353763363066
-62306137613462656565646439656564396430636530306165613364303534303061346461623964
+63313763306232353434363139333135653034373336626565343538653564323165613738623662
-64396262396136393266356434356365653663376434643033363032376231643162373433393337
+61393162383837363464653439373339303832363134396330316166333734373735666634393732
-35663932633161336137336533316430346133363434346661373935326236326330346461306663
+62653835363461666633613833626435653637306132623736346662323730623732323636316533
-62316632313433333162383234333665653135353061653830313032326437383139386135376136
+36393533353539396562376636656661383766343235653663343662613130633130306162646134
-64333334366531646164393839663839646634636338373838333739346364363233346533323464
+30366239336566326461343136313264326532303962613034393335626565326261366636393238
-62646234636566656665353331346236316137323734383136363036303338643535376633353033
+62666534653839323263393535316564626362633065393861663062666335666637346539303565
-30633839383230613363613433343566333664383036666532393830303433373733343330303165
+31656339376463646534386663333332373130353131646561663136383562613137383837366336
-37626438316236666463393762353734393637346530343364646137383532666530333862643266
+63616536653834333634396431643232613832633064656162346465363133356637653438363138
-30376131343037383030393435366431383436366266623733346337623364303761623933396236
+30303466323031353265643134636138656664356463633430643465383534363836633436306537
-65393937666231656232366439333934333265653834646430313666396630656133613663323034
+35326565363637626165346265333461633261393834656263666339306163393466326131663166
-30373235303535613262616331343935373862386465616365326166656263326537373030386232
+36353937396630323733346532306331656131373634343538363835656163633061633537396137
-32323833653066666534393938363363363031313664313264653863333931333438333835653466
+63366333616265313737613264653563333232393136396437316131656639383935343833616130
-36376263373362306334346635613636656664646437626432353435363563376436616635373364
+33613566343330613032666632643634613239393963616566353332643931656134386336363363
-38666430613239336130393132646562666335663930653362356363383034383635626361353161
+34623635633166633339313734323335656137623631383539636338393432353665363835643465
-66626364633762396464353662633161616136323064383037323733306165333961636238363163
+37363762316136616631656364643763643365393662373531343362313466653366363765396261
-32326538373031336639626666653836366232366537393032386465383735363731386632343536
+31656466343461316434326432346334313136373237393438373636393631356236303234343263
-39653236636366633166323834366237376536343130376462626561326230393937323033303437
+38616138386536343265303539386564383939636262646134613736393437653564363137653865
-66623861663964663964643436363038313065633234626463363538323938373336326134303263
+38656232383564373739376234646338323432623437643362366630373731306136623636303865
-31366163623164326635386564656265306332666135623461663839633966623965383761643033
+65613134396538343430373438663862333338303030326233626534393865656633376663363961
-64653662343935613666636537366565663262393731336565646138313637323763656633396366
+65343630356635366663346132626661663036653036323233333261316635363933376634303066
-32613966323964323630366239393139366339613462356566656465323436376137303739343638
+30323666303737396338386365336533376262363739313837636239626263333931396262313430
-64303437666338666463316439623030323232343437303635666661643430323535653162303465
+66626337386639366531363539633337333834333063326463616634376230653264623339666430
-62633932336636646462376562653461306135646133386339356538343134353264626165373939
+37393163306562646138353536313561646266303732393637373634363735613131396465656436
-61383636376438613037636466633263326437373033643033353262613336326361393134316236
+39323966623134316632346131363865396534623261373832326564393161666636393030336335
-62616431656431323061613562373036353739346361346566353236646565613661303832366464
+37646266373939303530396138396465663733376433646332326634383166323961353435303235
-30376234303631363434376338343938303534383637366561383437353161383239383836636465
+33616637306334303934366466313261666264653236616335373330313631663037363632613535
-6231
+37663138396131343265376430333264336534633238356264613562643835316134306664653830
+62633766306231363635323364313438323161356331636135633832353238353036363362666463
+31353133626365373932336231343736383133323037663163636337336262653862643362353931
+62373062386264366161616230336464386662643836646436366338323861303336313733656333
+31303737643033623962366133653462626162363834333066383333633362333738373235613838
+6163386237363932613938316164333535636161306131643835

hosts.ini

@@ -50,3 +50,6 @@
 
 [otter]
 192.168.0.2 static_ip=192.168.0.2
+
+[webdav]
+192.168.0.3 static_ip=192.168.0.3

nas.yml

@@ -100,3 +100,9 @@
   roles:
     - actual
   tags: actual
+
+- hosts: nas
+  become: yes
+  roles:
+    - webdav
+  tags: webdav

roles/webdav-web/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: caddy

roles/webdav-web/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Ensure Caddyfile is present
+  template:
+    src: 'webdav.Caddyfile.j2'
+    dest: '/etc/caddy/webdav.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: caddy-reload

roles/webdav-web/templates/webdav.Caddyfile.j2

@@ -0,0 +1,5 @@
+webdav.roosens.me {
+    reverse_proxy {{ hostvars[groups['webdav'][0]].static_ip }}:8018 {
+        header_down +X-Robots-Tag "none"
+    }
+}

roles/webdav/files/webdav.data.backup.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/webdav/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"

roles/webdav/files/webdav.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=WebDAV
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=exec
+User=webdav
+Group=webdav
+ExecStart=/usr/local/bin/webdav --config /etc/webdav/config.toml
+
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/webdav/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: 'restart webdav'
+  ansible.builtin.service:
+    name: 'webdav'
+    state: 'restarted'

roles/webdav/tasks/main.yml

@@ -0,0 +1,117 @@
+---
+# Download latest version of binary
+- name: Ensure download directory is present
+  ansible.builtin.file:
+    path: "/home/debian/webdav/{{ webdav_version }}"
+    state: directory
+    mode: '0755'
+
+- name: Ensure compressed binary is downloaded
+  ansible.builtin.get_url:
+    url: "https://github.com/hacdias/webdav/releases/download/v{{ webdav_version }}/linux-arm64-webdav.tar.gz"
+    dest: "/home/debian/webdav/{{ webdav_version }}/webdav-{{ webdav_version }}.tar.gz"
+  register: res
+
+- name: Ensure binary is decompressed
+  ansible.builtin.shell:
+    chdir: "/home/debian/webdav/{{ webdav_version }}"
+    cmd: "tar --extract --gzip --file webdav-{{ webdav_version }}.tar.gz"
+  when: 'res.changed'
+
+- name: Ensure binary is copied to correct location
+  ansible.builtin.copy:
+    src: "/home/debian/webdav/{{ webdav_version }}/webdav"
+    remote_src: true
+    dest: '/usr/local/bin/webdav'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: 'res.changed'
+  notify: 'restart webdav'
+
+
+# Set up system user and data directories
+- name: Ensure system group exists
+  ansible.builtin.group:
+    name: 'webdav'
+    gid: 5000
+    system: true
+    state: present
+
+- name: Ensure system user exists
+  ansible.builtin.user:
+    name: 'webdav'
+    group: 'webdav'
+    uid: 5000
+    system: true
+    create_home: false
+
+- name: Ensure data directory is present
+  ansible.builtin.file:
+    path: '/mnt/data1/webdav'
+    state: directory
+    mode: '0755'
+    owner: 'webdav'
+    group: 'webdav'
+
+- name: Ensure data subvolumes are present
+  community.general.btrfs_subvolume:
+    name: '/webdav/{{ item }}'
+  loop:
+    - 'data'
+
+- name: Ensure subvolume permissions are correct
+  ansible.builtin.file:
+    path: "/mnt/data1/webdav/{{ item }}"
+    state: directory
+    mode: '0755'
+    owner: 'webdav'
+    group: 'webdav'
+  loop:
+    - 'data'
+
+
+# Set up configuration, backup scripts and systemd service
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/webdav'
+    state: directory
+    mode: '0755'
+
+- name: Ensure config file is present
+  ansible.builtin.template:
+    src: 'config.toml.j2'
+    dest: '/etc/webdav/config.toml'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart webdav'
+
+- name: Ensure backup scripts are present
+  ansible.builtin.copy:
+    src: "webdav.{{ item }}.backup.sh"
+    dest: "/etc/backups/webdav.{{ item }}.backup.sh"
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop:
+    - 'data'
+
+- name: Ensure service file is present
+  ansible.builtin.copy:
+    src: 'webdav.service'
+    dest: '/lib/systemd/system/webdav.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: res
+
+- name: systemd-reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  when: 'res.changed'
+
+- name: Ensure webdav service is enabled
+  ansible.builtin.service:
+    name: 'webdav'
+    enabled: true

roles/webdav/templates/config.toml.j2

@@ -0,0 +1,31 @@
+address = '0.0.0.0'
+port = 8018
+
+# Handled by reverse proxy
+tls = false
+
+prefix = '/'
+debug = false
+noSniff = false
+
+behindProxy = true
+directory = '/mnt/data1/webdav/data'
+
+permissions = 'R'
+rulesBehavior = 'overwrite'
+
+[log]
+format = 'console'
+# Color output isn't useful when ingested via systemd
+colors = false
+outputs = ['stdout']
+
+[cors]
+enabled = false
+
+[[users]]
+username = '{{ webdav_user }}'
+password = '{bcrypt}{{ webdav_password_bcrypt }}'
+permissions = 'CRUD'
+
+# vim: ft=toml

web.yml

@@ -80,5 +80,11 @@
 - hosts: web
   become: yes
   roles:
-    - otter-web
+    - webdav-web
-  tags: otter
+  tags: webdav
+
+# - hosts: web
+#   become: yes
+#   roles:
+#     - otter-web
+#   tags: otter