add stash

2024-06-02 10:43:44 +02:00
parent 1b3110afa8
commit 5067079aa9
5 changed files with 72 additions and 52 deletions
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -1,9 +1,7 @@
 { config, pkgs, lib, inputs, ... }:
 with lib;
-let
-  cfg = config.custom.services.nginx;
-in
-{
+let cfg = config.custom.services.nginx;
+in {
  options.custom.services.nginx = {
    enable = mkEnableOption "Enables nginx";
    https = mkOption {
@@ -16,6 +14,11 @@ in
    networking.firewall.allowedTCPPorts = [ 80 443 ];
    networking.firewall.allowedUDPPorts = [ 80 443 ];

+    age.secrets.stash-auth = {
+      file = ../../secrets/stash-auth.age;
+      owner = "nginx";
+    };
+
    systemd.tmpfiles.rules = [
      "d /data 0770 github-actions-runner nginx -"
      "d /data/website 0770 github-actions-runner nginx -"
@@ -31,12 +34,13 @@ in
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
-      statusPage = lib.mkIf config.services.prometheus.exporters.nginx.enable true;
+      statusPage =
+        lib.mkIf config.services.prometheus.exporters.nginx.enable true;

      # Only allow PFS-enabled ciphers with AES256
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

-      appendHttpConfig= ''
+      appendHttpConfig = ''
        more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
        more_set_headers 'X-XSS-Protection 1; mode=block';
        #  add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
@@ -60,10 +64,13 @@ in
          enableACME = cfg.https;
          quic = cfg.https;
          http3 = cfg.https;
-          locations."~* \\.(jpg|png)$".extraConfig= ''
+          locations = {
+            "~* \\.(jpg|png)$".extraConfig = ''
              add_header Access-Control-Allow-Origin *;
            '';
-          locations."~ ^/(stash|resources|css)".extraConfig=''
+            "/stash" = {
+              basicAuthFile = age.secrets.stash-auth.file;
+              extraConfig = ''
                client_max_body_size    5000M;
                proxy_redirect          off;
                proxy_set_header        Host $host;
@@ -71,18 +78,20 @@ in
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_set_header        X-NginX-Proxy true;
-            proxy_pass http://localhost:5091;
+                proxy_pass http://localhost:7777;
              '';
-          locations."/tracker-site" = {
+            };
+            "/tracker-site" = {
              tryFiles = "$uri $uri/ /tracker-site/index.html =404";
            };
-          locations."/tracker-site/api" = {
-            extraConfig =''
+            "/tracker-site/api" = {
+              extraConfig = ''
                rewrite /tracker-site/api/(.*) /$1 break;
              '';
              proxyPass = "http://127.0.0.1:8080";
            };
          };
+        };
        #discord bot for tracking useractivity public version 
        "activitytracker.site" = {
          #serverAliases = [
@@ -93,11 +102,9 @@ in
          enableACME = cfg.https;
          quic = cfg.https;
          http3 = cfg.https;
-          locations."/" = {
-            tryFiles = "$uri $uri/ /index.html =404";
-          };
+          locations."/" = { tryFiles = "$uri $uri/ /index.html =404"; };
          locations."/api" = {
-            extraConfig =''
+            extraConfig = ''
              rewrite /api/(.*) /$1 break;
            '';
            proxyPass = "http://127.0.0.1:8081";
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -27,4 +27,5 @@ in
  "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
  "fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
  "webhook.age".publicKeys = [ mini-pc server kop ];
+  "stash-auth.age".publicKeys = [ mini-pc server kop ];
 }
--- a/secrets/stash-auth.age
+++ b/secrets/stash-auth.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 su0Eyw +VIlBI3Dz8nY5ifjwFXkKh8WFVEMbNAQtaJZ5i1vxTM
+IqI7A62j4yC/UIQasFW9KtVcB7ILg2o/k3etWOz8jRw
+-> ssh-ed25519 IV3DkQ 14R6yP4LHgNFHvBQoxdRcV0T2ETRp/qZeD+HquKNRzQ
+XtcaaDXn/xN6eV42TdyK/vEJ/GcJX69WLCh61UuHdOc
+-> ssh-ed25519 DCzi1A Ra23RRc0x2mPCj3CdtzgDUQDmJpyVuAQkup1xenulGY
+w971HT7+UAz7of1FdCmxPTN4Ww1NwN+wnoUptZcBIHg
+--- MqLymPsV3XHYyFlM1yRFkLT/9nojHs/Y8xqX2RAtS+g
+˜U¥ìAmXŠé0OüØvP`E9×ˆ
+Ô¶´q¤ž¨É !§Jô‹Œ©x>]ÏlZèãˆd¹š<C2B9>‰J
+€±«aW¶›ì1
+u »à³yC^d<>3§ß¦xåoð—K›Øc¢
--- a/systems/mini-pc/configuration.nix
+++ b/systems/mini-pc/configuration.nix
@@ -55,9 +55,9 @@
    services = {
      acme.enable = true;
      kop-monitor.enable = true;
+      kop-fileshare.enable = true;
      nginx.enable = true;
      ente.enable = true;
-      fileshelter.enable = true;
      kavita = {
        enable = true;
        dir = "/data/kavita";
--- a/systems/vm/configuration.nix
+++ b/systems/vm/configuration.nix
@@ -29,7 +29,7 @@
      "localhost" = {
        forceSSL = false;
        enableACME = false;
-        locations."/".proxyPass = "http://127.0.0.1:4000";
+        locations."/".proxyPass = "http://127.0.0.1:7777";
      };
    };
  };