From 5067079aa9e92faf8e1f3e1326c2b728502c8367 Mon Sep 17 00:00:00 2001 From: Kopatz <7265381+Kropatz@users.noreply.github.com> Date: Sun, 2 Jun 2024 10:43:44 +0200 Subject: [PATCH] add stash --- modules/services/nginx.nix | 107 ++++++++++++++++-------------- secrets/secrets.nix | 1 + secrets/stash-auth.age | 12 ++++ systems/mini-pc/configuration.nix | 2 +- systems/vm/configuration.nix | 2 +- 5 files changed, 72 insertions(+), 52 deletions(-) create mode 100644 secrets/stash-auth.age diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix index 78b7b38..16a1e31 100644 --- a/modules/services/nginx.nix +++ b/modules/services/nginx.nix @@ -1,21 +1,24 @@ { config, pkgs, lib, inputs, ... }: with lib; -let - cfg = config.custom.services.nginx; -in -{ +let cfg = config.custom.services.nginx; +in { options.custom.services.nginx = { - enable = mkEnableOption "Enables nginx"; - https = mkOption { - type = types.bool; - default = true; - description = "Should it use https?"; - }; + enable = mkEnableOption "Enables nginx"; + https = mkOption { + type = types.bool; + default = true; + description = "Should it use https?"; + }; }; config = lib.mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedUDPPorts = [ 80 443 ]; + age.secrets.stash-auth = { + file = ../../secrets/stash-auth.age; + owner = "nginx"; + }; + systemd.tmpfiles.rules = [ "d /data 0770 github-actions-runner nginx -" "d /data/website 0770 github-actions-runner nginx -" 
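Review bot: The new `age.secrets.stash-auth` block inside `config = lib.mkIf cfg.enable {` carries no comment saying what the secret holds or who consumes it; a reader has to find the `/stash` location further down the file to learn it is an htpasswd file for nginx. I would add `# htpasswd for the /stash reverse proxy; decrypted to config.age.secrets.stash-auth.path and owned by the nginx user` directly above `age.secrets.stash-auth = {`. The `config` attrset this sits in continues past the end of the hunk.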
@@ -31,56 +34,62 @@ in recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - statusPage = lib.mkIf config.services.prometheus.exporters.nginx.enable true; + statusPage = + lib.mkIf config.services.prometheus.exporters.nginx.enable true; # Only allow PFS-enabled ciphers with AES256 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - appendHttpConfig= '' - more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains'; - more_set_headers 'X-XSS-Protection 1; mode=block'; - # add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net'; - more_set_headers 'X-Content-Type-Options nosniff'; - more_set_headers "Content-Security-Policy: frame-ancestors https://kopatz.ddns.net"; - more_set_headers "Referrer-Policy: same-origin"; - more_set_headers "Permissions-Policy: geolocation=(), microphone=()"; + appendHttpConfig = '' + more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains'; + more_set_headers 'X-XSS-Protection 1; mode=block'; + # add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net'; + more_set_headers 'X-Content-Type-Options nosniff'; + more_set_headers "Content-Security-Policy: frame-ancestors https://kopatz.ddns.net"; + more_set_headers "Referrer-Policy: same-origin"; + more_set_headers "Permissions-Policy: geolocation=(), microphone=()"; ''; virtualHosts = { "kopatz.ddns.net" = { serverAliases = [ - # "www.kopatz.ddns.net" - # "server.home" - # "server.home.arpa" - # "192.168.0.6" - # "localhost" + # "www.kopatz.ddns.net" + # "server.home" + # "server.home.arpa" + # "192.168.0.6" + # "localhost" ]; root = pkgs.kop-website; forceSSL = cfg.https; enableACME = cfg.https; quic = cfg.https; http3 = cfg.https; - locations."~* \\.(jpg|png)$".extraConfig= '' - add_header Access-Control-Allow-Origin *; - ''; - locations."~ ^/(stash|resources|css)".extraConfig='' - client_max_body_size 5000M; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://localhost:5091; - ''; - locations."/tracker-site" = { - tryFiles = "$uri $uri/ /tracker-site/index.html =404"; - }; - locations."/tracker-site/api" = { - extraConfig ='' - rewrite /tracker-site/api/(.*) /$1 break; + locations = { + "~* \\.(jpg|png)$".extraConfig = '' + add_header Access-Control-Allow-Origin *; ''; - proxyPass = "http://127.0.0.1:8080"; + "/stash" = { + basicAuthFile = age.secrets.stash-auth.file; + extraConfig = '' + client_max_body_size 5000M; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-NginX-Proxy true; + proxy_pass http://localhost:7777; + ''; + }; + "/tracker-site" = { + tryFiles = "$uri $uri/ /tracker-site/index.html =404"; + }; + "/tracker-site/api" = { + extraConfig = '' + rewrite /tracker-site/api/(.*) /$1 break; + ''; + proxyPass = "http://127.0.0.1:8080"; + }; }; }; #discord bot for tracking useractivity public version @@ -93,19 +102,17 @@ in enableACME = cfg.https; quic = cfg.https; http3 = cfg.https; - locations."/" = { - tryFiles = "$uri $uri/ /index.html =404"; - }; + locations."/" = { tryFiles = "$uri $uri/ /index.html =404"; }; locations."/api" = { - extraConfig ='' - rewrite /api/(.*) /$1 break; + extraConfig = '' + rewrite /api/(.*) /$1 break; ''; proxyPass = "http://127.0.0.1:8081"; }; }; "adguard.home.arpa" = { locations."/".proxyPass = "http://127.0.0.1:3000"; - }; + }; }; }; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d6c0178..5e811ff 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
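Review bot: `basicAuthFile = age.secrets.stash-auth.file;` in the new `"/stash"` location does not evaluate: `age` is not bound in this module (only `config, pkgs, lib, inputs` are arguments and `with lib;` does not provide it), and even written as `config.age.secrets.stash-auth.file` it would point nginx at the encrypted `.age` blob instead of the decrypted htpasswd, so every credential would be rejected. It should read `basicAuthFile = config.age.secrets.stash-auth.path;`. Separately, the reindented `more_set_headers 'X-XSS-Protection 1; mode=block';` and `more_set_headers 'X-Content-Type-Options nosniff';` lines still lack the `:` between header name and value that the neighbouring headers in the same `appendHttpConfig` block have, so those two headers are presumably not emitted as intended. The enclosing `services.nginx` attrset starts before this hunk.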
@@ -27,4 +27,5 @@ in "grafana-contact-points.age".publicKeys = [ mini-pc server kop ]; "fileshelter-conf.age".publicKeys = [ mini-pc server kop ]; "webhook.age".publicKeys = [ mini-pc server kop ]; + "stash-auth.age".publicKeys = [ mini-pc server kop ]; } diff --git a/secrets/stash-auth.age b/secrets/stash-auth.age new file mode 100644 index 0000000..07c9360 --- /dev/null +++ b/secrets/stash-auth.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 su0Eyw +VIlBI3Dz8nY5ifjwFXkKh8WFVEMbNAQtaJZ5i1vxTM +IqI7A62j4yC/UIQasFW9KtVcB7ILg2o/k3etWOz8jRw +-> ssh-ed25519 IV3DkQ 14R6yP4LHgNFHvBQoxdRcV0T2ETRp/qZeD+HquKNRzQ +XtcaaDXn/xN6eV42TdyK/vEJ/GcJX69WLCh61UuHdOc +-> ssh-ed25519 DCzi1A Ra23RRc0x2mPCj3CdtzgDUQDmJpyVuAQkup1xenulGY +w971HT7+UAz7of1FdCmxPTN4Ww1NwN+wnoUptZcBIHg +--- MqLymPsV3XHYyFlM1yRFkLT/9nojHs/Y8xqX2RAtS+g +UAmX0OvP`E9׈ +Զq !J􋌩x>]lZdJ +aW 1 +uyC^d3ߦxoKc \ No newline at end of file diff --git a/systems/mini-pc/configuration.nix b/systems/mini-pc/configuration.nix index c5c90e0..92df0cf 100644 --- a/systems/mini-pc/configuration.nix +++ b/systems/mini-pc/configuration.nix @@ -55,9 +55,9 @@ services = { acme.enable = true; kop-monitor.enable = true; + kop-fileshare.enable = true; nginx.enable = true; ente.enable = true; - fileshelter.enable = true; kavita = { enable = true; dir = "/data/kavita"; diff --git a/systems/vm/configuration.nix b/systems/vm/configuration.nix index f250382..4425d4d 100644 --- a/systems/vm/configuration.nix +++ b/systems/vm/configuration.nix @@ -29,7 +29,7 @@ "localhost" = { forceSSL = false; enableACME = false; - locations."/".proxyPass = "http://127.0.0.1:4000"; + locations."/".proxyPass = "http://127.0.0.1:7777"; }; }; };
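Review bot: In systems/mini-pc/configuration.nix the pair `+ kop-fileshare.enable = true;` / `- fileshelter.enable = true;` swaps one service for another, which the commit title `add stash` does not mention and which is unrelated to the nginx and secret changes in the other hunks. That makes the commit hard to bisect or revert; either split it out or at least say so in the message, e.g. `replace fileshelter with kop-fileshare on mini-pc`. `fileshelter-conf.age` is still declared in the secrets/secrets.nix context lines, so if no other host uses fileshelter that secret now looks orphaned. The `services = {` set this belongs to continues past the hunk.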
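Review bot: In systems/vm/configuration.nix the `localhost` virtual host now proxies `/` to port 7777, the same backend that modules/services/nginx.nix places behind `basicAuthFile` on mini-pc, but here no `basicAuthFile` is set and `forceSSL = false`. If this is a throwaway test VM that may be intended, but if the VM's port 80 is reachable from anything other than loopback the backend is served unauthenticated over plain HTTP. A comment such as `# test-only: backend exposed without auth; do not copy outside the vm`, or the same `basicAuthFile = config.age.secrets.stash-auth.path;` as mini-pc, would make the intent explicit. The `virtualHosts` set this block belongs to starts before the hunk.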