very jank, using htpasswd
This commit is contained in:
Peder Bergebakken Sundt 2023-10-15 23:42:36 +02:00
parent b880388efb
commit 5130e39ab7
6 changed files with 56 additions and 14 deletions


@ -66,8 +66,9 @@
* [ ] transgui config * [ ] transgui config
* [x] secrets - nix-sops ? * [x] secrets - nix-sops ?
* [x] flexget * [x] flexget
* [ ] microbin
* [ ] transmission * [ ] transmission
* [ ] transmission remote gui * [ ] transmission remote gui (requires sops in home-manager)
* [x] domeneshop * [x] domeneshop
* [ ] webdav * [ ] webdav
* [ ] code-remote * [ ] code-remote


@ -53,7 +53,7 @@
#../../profiles/web/services/cryptpad.nix #../../profiles/web/services/cryptpad.nix
#../../profiles/web/services/galene.nix #../../profiles/web/services/galene.nix
#../../profiles/web/services/graphana.nix #../../profiles/web/services/graphana.nix
#../../profiles/web/services/hedgedoc.nix ../../profiles/web/services/hedgedoc.nix
#../../profiles/web/services/home-assistant.nix #../../profiles/web/services/home-assistant.nix
#../../profiles/web/services/jitsi-meet.nix #../../profiles/web/services/jitsi-meet.nix
#../../profiles/web/services/kukkee #../../profiles/web/services/kukkee


@ -9,6 +9,7 @@ in
sops.secrets.flexget.owner = "flexget"; sops.secrets.flexget.owner = "flexget";
sops.secrets.flexget.group = "flexget"; sops.secrets.flexget.group = "flexget";
sops.secrets.flexget.restartUnits = [ "flexget.service" ];
services.flexget = { services.flexget = {
enable = true; enable = true;


@ -3,19 +3,42 @@
# hedgedoc # hedgedoc
# Realtime collaborative markdown notes on all platforms # Realtime collaborative markdown notes on all platforms
sops.secrets."hedgedoc/htpasswd".owner = config.services.nginx.user;
sops.secrets."hedgedoc/env-file".owner = "hedgedoc";
sops.secrets."hedgedoc/env-file".restartUnits = [ "hedgedoc.service" ];
services.hedgedoc = { services.hedgedoc = {
#enable = true; # FIXME: make it load enable = true; # FIXME: make it load
settings.host = "127.0.0.1"; environmentFile = config.sops.secrets."hedgedoc/env-file".path;
settings.host = "localhost";
settings.port = 44776; settings.port = 44776;
settings.db.dialect = "sqlite";
settings.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite"; # reverse proxy
settings.domain = mkDomain "hedgedoc"; settings.domain = mkDomain "hedgedoc";
settings.allowAnonymous = true; settings.hsts.enale = true;
settings.useSSL = false; # we terminate ssl with nginx
settings.protocolUseSSL = true; # https:// prefix
settings.urlAddPort = false;
settings.db.dialect = "sqlite";
settings.db.storage = "${config.services.hedgedoc.workDir}/db.sqlite";
settings.email = false; # email sign-in
settings.allowFreeURL = true; # allow note creation by accessing a nonexistent note URL.
#settings.allowAnonymous = false; # default is true
settings.allowEmailRegister = false; # default is true settings.allowEmailRegister = false; # default is true
settings.allowAnonymousEdits = false; # default is false settings.allowAnonymousEdits = false; # default is false
settings.protocolUseSSL = true; # https prefix #settings.uploadsPath
settings.useSSL = false; # nginx terminates ssl
#settings.csp = {TODO}; # content security policy # content security policy
#settings.csp = {
# enable = true;
# addDefaults = true;
# upgradeInsecureRequest = "auto";
# #directives.scriptSrc = "trustworthy.scripts.example.com";
#};
#settings.useCDN = true; #settings.useCDN = true;
#settings.debug = true; #settings.debug = true;
# there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc. # there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
@ -25,10 +48,24 @@
forceSSL = true; # addSSL = true; forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain; enableACME = true; #useACMEHost = acmeDomain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}"; proxyPass = "http://localhost:${toString config.services.hedgedoc.settings.port}";
proxyWebsockets = true; proxyWebsockets = true;
# TODO: proxy headers: # TODO: proxy headers:
# https://docs.hedgedoc.org/guides/reverse-proxy/ # https://docs.hedgedoc.org/guides/reverse-proxy/
extraConfig = ''
auth_basic "Ke 'e e u vill?!?";
auth_basic_user_file ${config.sops.secrets."hedgedoc/htpasswd".path};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
}; };
extraConfig= ''
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin;
'';
}; };
} }
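Review bot: `settings.hsts.enale = true;` on the new side of the first hunk is a typo for `settings.hsts.enable`; if `services.hedgedoc.settings` is a freeform option the misspelt key is passed through to the config silently and HSTS is never switched on, so it should read `settings.hsts.enable = true;`. The `# TODO: proxy headers:` comment left above the new `extraConfig` is now stale, since the `proxy_set_header` lines it asked for are present in this hunk; drop it or narrow it to whatever the linked guide still recommends beyond these four headers. One caveat on the server-level `add_header` block: nginx only attaches those headers to 2xx/3xx responses unless each directive carries `always`, so the 401 that `auth_basic` returns for `location /` goes out without `X-Frame-Options` and the other headers, and any location that later adds its own `add_header` stops inheriting them entirely.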


@ -34,7 +34,7 @@ in
]; ];
# https://github.com/szabodanika/microbin/issues/106 # https://github.com/szabodanika/microbin/issues/106
#EnvironmentFile = "/var/lib/secrets/microbin.env"; # TODO: sops #EnvironmentFile = "/run/secrets/microbin-env"; # TODO: sops
#Environment.MICROBIN_AUTH_USERNAME="foo"; #Environment.MICROBIN_AUTH_USERNAME="foo";
#Environment.MICROBIN_AUTH_PASSWORD="bar"; #Environment.MICROBIN_AUTH_PASSWORD="bar";


@ -1,4 +1,7 @@
flexget: ENC[AES256_GCM,data:vh9famQgmQI0nc9/5F8egDCwI9OvevPLATiepEcSpy+eCjJxU0WkG9NPECOCNlteW7xOOZfXAXfn8KW7j4vqHseLKu3MwGO98dYJXeW3KKyKNlVW1UF0dEb6BGLjqBnQDzURE5L8gRR5pFZ8nepWo0UG6Zuy93XrthTZ/tjuz6wvaKv0761ULtfMLQ9HddF14y666h/OkSPftkPvEA35fOdiBgPj9O/mZu11KvyBYKoQLkQxihCvwNMzMXmMSehH9WMOPk4EU3ZGLHHjlfTXa3Syn2yf28PazNao/XMEs8H9FlhPw42r1Tku5tMLM3wObKpin0t50sqbEf/LxUPo6Vu/i6e4E3UkDrEbyKFA4VXGd6vxD+gyELydrkDrHRm50JWGZmbwvW3be+Ezqe7eXuzgoNabe4BG4wogTszOpM2uXrveTiSmoQyC4JZ6lszdnodlGVFIvaKU5xdrpLQAI9W2OA==,iv:AeadtoIAjTrPiB5iPgIW7FTwLZa2BQFr/jhaTvs8WAc=,tag:VW480DHQ315YLPtDuaFYtg==,type:str] flexget: ENC[AES256_GCM,data:vh9famQgmQI0nc9/5F8egDCwI9OvevPLATiepEcSpy+eCjJxU0WkG9NPECOCNlteW7xOOZfXAXfn8KW7j4vqHseLKu3MwGO98dYJXeW3KKyKNlVW1UF0dEb6BGLjqBnQDzURE5L8gRR5pFZ8nepWo0UG6Zuy93XrthTZ/tjuz6wvaKv0761ULtfMLQ9HddF14y666h/OkSPftkPvEA35fOdiBgPj9O/mZu11KvyBYKoQLkQxihCvwNMzMXmMSehH9WMOPk4EU3ZGLHHjlfTXa3Syn2yf28PazNao/XMEs8H9FlhPw42r1Tku5tMLM3wObKpin0t50sqbEf/LxUPo6Vu/i6e4E3UkDrEbyKFA4VXGd6vxD+gyELydrkDrHRm50JWGZmbwvW3be+Ezqe7eXuzgoNabe4BG4wogTszOpM2uXrveTiSmoQyC4JZ6lszdnodlGVFIvaKU5xdrpLQAI9W2OA==,iv:AeadtoIAjTrPiB5iPgIW7FTwLZa2BQFr/jhaTvs8WAc=,tag:VW480DHQ315YLPtDuaFYtg==,type:str]
hedgedoc:
env-file: ENC[AES256_GCM,data:evTDjmO3oBTBVUPArwlfZiDCsU7QMTFWw+LzpFedROBgGhElY/vhSM6qHXWjfyMopg9eFYgcPsXgxti0ZmpdTkoItNFzo/MpbI8msgclI20AxogfsT/jkMJaEPB7W3X4PyMqm6D/zRVwWGh3Vtqm3Ze1yf4=,iv:0XoqGvS/Y5O0n4zZ7mGBBJU6JZRm5g92McLwRnIXx/U=,tag:uqIwBAEFWVk4pFkZcCiEoQ==,type:str]
htpasswd: ENC[AES256_GCM,data:qc1DDiJydPxxjPZQy2Rdh860ylZBrpbk1yj8BRd71yjPWpnxCY1869qZp4HFv4ptdyL4BRoYvJUikpb7RGVc6CbOb7l7I5ov8NA8hEEa3HB6lGjvVV4=,iv:NnXlJZ/LLhMmrAFA/efk6LHjm/1aexWFsAsA4GUgxsI=,tag:jL5ymk5CsZ3TPCfL39CDwQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -32,8 +35,8 @@ sops:
SkU1Q0NZOGVXRENrOThBT1lDdGxWWW8KtypJmkOVD0Ej14fXZzKzKrnPNv7O5SAp SkU1Q0NZOGVXRENrOThBT1lDdGxWWW8KtypJmkOVD0Ej14fXZzKzKrnPNv7O5SAp
jdQe7GSwCJKqqHuX2T/E4mzCVrSPsB/GVfqh0IymZg6NJZjYO79Wbg== jdQe7GSwCJKqqHuX2T/E4mzCVrSPsB/GVfqh0IymZg6NJZjYO79Wbg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-14T23:43:49Z" lastmodified: "2023-10-15T20:59:15Z"
mac: ENC[AES256_GCM,data:krcWdjXtd8ammOUQvqaIxE5U3UylnUMHuAqTdM82QsmQ2d+kvsjbY4ftvbNdJ1wwNQmq2PzhmtH7iunTSC9pTlmZkUxyXM43cM/EC0KqzZJA2ST6h86vZwkZ0gExWJLgk+uxoYDPT2M3c3sn6hZot8BHlUCiO1wQABHH57+FPvY=,iv:mV+q86wp9lV8ACZaL9LnUCAOcCjdvqQjVr2Fs+q6rv0=,tag:lvJoIrjExFitcAUKvsuF/Q==,type:str] mac: ENC[AES256_GCM,data:2AFjhWJ7JriF9Mmj1cbHlVCOdyrLvWcEyspH79xWB7CauvI8sWafZd9yO4nq5ZxwOFIZxulbWADNc8oW7y5EhLDZapTwbxEl9GDhOm8O2z4HUrbXtXoQVRcjJFCE+17TLXBwsbLu15ji0xMLgfmVBoUgHntIFcSPID3L8FYSdLU=,iv:bWSLlTsdlIAE5Rujq22cLc8xWGrU8jkNtd2NahdOzl8=,tag:nxgUbd/A4gxPeBpCmSfzzw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3