From 6f4c6c807224c11a0778f556b29739b1b6882a09 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens <daniel+git@kempkens.io>
Date: Tue, 28 Feb 2023 14:55:57 +0100
Subject: [PATCH] proxitok: init

---
 agenix/hosts/sail/config.nix               |  11 ++++
 agenix/hosts/sail/proxitok/auth.age        |   9 ++++
 agenix/hosts/sail/proxitok/environment.age | Bin 0 -> 557 bytes
 container/proxitok/default.nix             |  57 +++++++++++++++++++++
 secrets.nix                                |   3 ++
 system/hosts/sail.nix                      |   1 +
 6 files changed, 81 insertions(+)
 create mode 100644 agenix/hosts/sail/proxitok/auth.age
 create mode 100644 agenix/hosts/sail/proxitok/environment.age
 create mode 100644 container/proxitok/default.nix

diff --git a/agenix/hosts/sail/config.nix b/agenix/hosts/sail/config.nix
index c6298d7..3f0ce65 100644
--- a/agenix/hosts/sail/config.nix
+++ b/agenix/hosts/sail/config.nix
@@ -99,5 +99,16 @@
       owner = "nginx";
       group = "nginx";
     };
+
+    proxitok-environment = {
+      file = ./proxitok/environment.age;
+      mode = "444";
+    };
+
+    proxitok-auth = {
+      file = ./proxitok/auth.age;
+      owner = "nginx";
+      group = "nginx";
+    };
   };
 }
diff --git a/agenix/hosts/sail/proxitok/auth.age b/agenix/hosts/sail/proxitok/auth.age
new file mode 100644
index 0000000..a0a08cd
--- /dev/null
+++ b/agenix/hosts/sail/proxitok/auth.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 MtGp6g UsWqApJ+OzlhjmqFPWX+9lYH8WiGLGiRb9ljd2aoE0s
+2QnM7xKexxWwDaP/dkIPn4t62cl0SYgFwJmPjP4qmQg
+-> ssh-ed25519 NbV4hw Jxe6FiuxaJ3976a9J3iGFB4voOABKtxOFjjiV5lJg1E
+jYiki61pPUnvcXM0p4zTW/SAdXpdirEPaBVB8qQFSGI
+-> SZ+-grease 7`Z3we,h O2THy w@-G^,*
+pING13NREsxJOhDYbGGmh6M
+--- YYugx3x05vCiO23wzFQH3E7/HkehfSZJZ4I1Hhn7gCI
+—Õß[ŒŽïJë™Þ:KBKŽöçS‰ãÈVMœ×Š˜ÛJkù$ÿn‡D„KN±ä4áù.<™,à.¿iÆ48§ôF¤8¹kŠû](&nÁ—‹úêš‰‘Œ31þìjr]ñv[Ë•âË=ôhÓ›‘
\ No newline at end of file
diff --git a/agenix/hosts/sail/proxitok/environment.age b/agenix/hosts/sail/proxitok/environment.age
new file mode 100644
index 0000000000000000000000000000000000000000..cbbaa62819db842888584391dcc25fd805825c58
GIT binary patch
literal 557
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlEpaa}OII+>33du{
zjxtC|_II+VDtB}@j>t6CPtP<r&UX&V^T>;E*LL?ebS~G=apg)iPYFv&Ej2GS_14Y}
zN-nR+$}%*{GAj12$}%+Y_VLMdax*tF4fYEzcSX0&FDc9<qg){?C$lKL(y+85)6gX}
zT;Dv&&$rCE(AzoB-N&agz^5Qx+c_g8pfaG$Es!hQDX%!Y%0DVO!bv+S+1WVH&oRr{
zy*#o+KgrO=qa?&7*xS-9z@ot1)e&S{WN3h^ik@zIQEFmwDwk=lVTxZ>Kw70|YNm^`
zWtd@-xqqQ)SczdlT6TCrX+Tm+QhthYu1}U@REa@=XS#EGW|@&`q+6A?FPE;au0nEz
zbAf4@X_{w%m%G1dQEsKBX|6$Wa)E`rwwGm*zkW%Mm$|97tBZk)0oVNRNe5?`1%LGy
zkWT&l(7C!!Io!SMDigzox;rM8_lml=1pc`9bH(b{yLOsRTCKUnlzFL3Y}$X{@Ar5N
z12wE>DXp*m;`Th{w$;_5<X!6=^P`TXKTf|l{bS9c)9yRdGqU%{d^qWI=ebX|lkMi5
zW&MS|rBh;F-g2w0DN&PVe!bCBMArSkZb97HaP#jMmdU(R$(bQ_QEd6mebw>NGdDgE
m`CnPd$nE|=h`YtXCiqK;=eB+C=B6Bre*8v4PUXVQ<6;2y?9(m)

literal 0
HcmV?d00001

diff --git a/container/proxitok/default.nix b/container/proxitok/default.nix
new file mode 100644
index 0000000..1bba301
--- /dev/null
+++ b/container/proxitok/default.nix
@@ -0,0 +1,57 @@
+{ config, ... }:
+
+{
+  virtualisation.arion.projects.proxitok.settings = {
+    services = {
+      proxitok-web = {
+        service = {
+          image = "ghcr.io/pablouser1/proxitok:master";
+          container_name = "proxitok-web";
+          restart = "unless-stopped";
+          depends_on = [ "proxitok-signer" ];
+          ports = [ "127.0.0.1:8005:80" ];
+          env_file = [ config.age.secrets.proxitok-environment.path ];
+          labels = {
+            "com.centurylinklabs.watchtower.enable" = "true";
+          };
+        };
+      };
+
+      proxitok-signer = {
+        service = {
+          image = "ghcr.io/pablouser1/signtok:master";
+          container_name = "proxitok-signer";
+          restart = "unless-stopped";
+          labels = {
+            "com.centurylinklabs.watchtower.enable" = "true";
+          };
+        };
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
+
+    virtualHosts."proxitok.only.internal" = {
+      listen = [
+        {
+          addr = "127.0.0.1";
+          port = 80;
+        }
+      ];
+
+      forceSSL = false;
+      enableACME = false;
+
+      locations."/" = {
+        basicAuthFile = config.age.secrets.proxitok-auth.path;
+        recommendedProxySettings = true;
+        proxyPass = "http://127.0.0.1:8005";
+      };
+    };
+  };
+}
diff --git a/secrets.nix b/secrets.nix
index 124a460..46943e2 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -31,4 +31,7 @@ in
 
   "agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail;
   "agenix/hosts/sail/anonymous-overflow/auth.age".publicKeys = sail;
+
+  "agenix/hosts/sail/proxitok/environment.age".publicKeys = sail;
+  "agenix/hosts/sail/proxitok/auth.age".publicKeys = sail;
 }
diff --git a/system/hosts/sail.nix b/system/hosts/sail.nix
index 4ad97a7..604d56f 100644
--- a/system/hosts/sail.nix
+++ b/system/hosts/sail.nix
@@ -39,6 +39,7 @@ in
     ../nixos/arion.nix
     ../../container/webserver
     ../../container/matrix
+    ../../container/proxitok
   ];
 
   system.stateVersion = "22.11";