From ea675ad396abeaba6aa064947526f01996f7aa55 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Thu, 23 Mar 2023 10:11:11 +0100
Subject: [PATCH] sail: Alternative frontends should only listen on tailscale
---
 agenix/hosts/sail/anonymous-overflow/auth.age | Bin 542 -> 0 bytes
 agenix/hosts/sail/config.nix | 30 ------------------
 agenix/hosts/sail/libreddit/auth.age | Bin 438 -> 0 bytes
 agenix/hosts/sail/nitter/auth.age | 9 ------
 agenix/hosts/sail/proxitok/auth.age | 9 ------
 agenix/hosts/sail/rimgo/auth.age | 14 --------
 container/proxitok/default.nix | 2 +-
 secrets.nix | 7 ----
 system/nixos/anonymous-overflow.nix | 2 +-
 system/nixos/libreddit.nix | 2 +-
 system/nixos/nitter.nix | 10 +-----
 system/nixos/rimgo.nix | 2 +-
 12 files changed, 5 insertions(+), 82 deletions(-)
 delete mode 100644 agenix/hosts/sail/anonymous-overflow/auth.age
 delete mode 100644 agenix/hosts/sail/libreddit/auth.age
 delete mode 100644 agenix/hosts/sail/nitter/auth.age
 delete mode 100644 agenix/hosts/sail/proxitok/auth.age
 delete mode 100644 agenix/hosts/sail/rimgo/auth.age
diff --git a/agenix/hosts/sail/anonymous-overflow/auth.age b/agenix/hosts/sail/anonymous-overflow/auth.age deleted file mode 100644 index cb5b10b8d5e8e82c9dd1286dabf5ab2ddc9f06c5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 542 zcmZ9_JB!nB003|i5y=fjQRHwi948)}vF*R3H6;Y89j?-fxGBzpxae@;2XOPnx!oNux~RDN`vO1J)Dhj+!gM;f1OIXmn)$d0A=lw3 zvJia?%H<*kGxPSeV!}Qpfq*tNTJp!Bs7Mo%84IMtbqk6Ih_EFzTpgo)H#3`1n=(OQ zpkg_jQ%fu3$wU+<3%|FlFD7V_SG8(}dP3SMZbkoZ-I0V^2~5w}QKTu8I_i|$<7Otg z*w78Mc~@t(Oq}*zSGD3zdsyHoNU9M%-XeoQmKN1~Eii%Ni%c(4xJuO^N|i>(XicLb zPV{U4w)l#;MImOWtC0>xg^~ogw(3wkl?8s%OOqwRceE`@%{R1B-z%k*g!?K^>;7z{ z4{bFu@_e0_S!`B_SsDrhOu!8r%=<<%XvQEV^8t}(Iv!)U9c+_jQrn?h6=x)S_yQC3 zLSl3@P<0>#L14V3m6jY~Do&VHgyGT@@yHL%I0i*JZuLM%S1nfdyG*kVeK}lx`EFkJ>-#Mb}KY8%s)&9BDgY@DC!Jf*k^U~XGaFqIf=IN)it6y{A2YK)6p9;78 z^VizCeEZq`Yjtn;rtCGCU*SJH;$0 z#WEwz#ne2iG@~rv-J(3K*dt6o(abD2JS{yh%$Lj6AgCzJt<=jU*D%1fz%nl>z$DDg zuOg)?(=f&^yO0($T~iVp~Y1QH5oZZhBE_VsWZMb%aw;okF0pR(L1b8=i&3PxQDtU9YFVMPSDATwS-EeyrKv?)o{5V~sYQA|7sJ^* zTGNF&-6m!+{EB*b-l6gNzWNJ2SI$on+Sa ssh-ed25519 MtGp6g TlltW6mwuZE7iaKfHK128JI0R6Mj4yu1Yq1Hy0YWJRY -ZRS8nBzX39RHYDeEMnlKepVDuaXjLw1N0WRtP3cvBPY --> ssh-ed25519 NbV4hw +HmaRasZJ0E+lTm8CYBoHrB/u+7bdfwroLzSHrsCgRw -xoz0PRPOFIfwMvmJGC1PGS2PsUe+v0aG7E8BIY4yUH8 --> ;r1<;&A-grease sHb XfT4F 4xh];sA@ -IIIGYPwXy4uHMkFV ---- HN3r/Qy0NfVWSwIlgHwT9mR8YlR07VhSABEE1AyZQvM - ^9A`Ku".f.8;%H$#*m /T"hP.%8TsaN٠KfP|;O7(ȥ")* \ No newline at end of file diff --git a/agenix/hosts/sail/proxitok/auth.age b/agenix/hosts/sail/proxitok/auth.age deleted file mode 100644 index a0a08cd..0000000 --- a/agenix/hosts/sail/proxitok/auth.age +++ /dev/null 
@@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 MtGp6g UsWqApJ+OzlhjmqFPWX+9lYH8WiGLGiRb9ljd2aoE0s -2QnM7xKexxWwDaP/dkIPn4t62cl0SYgFwJmPjP4qmQg --> ssh-ed25519 NbV4hw Jxe6FiuxaJ3976a9J3iGFB4voOABKtxOFjjiV5lJg1E -jYiki61pPUnvcXM0p4zTW/SAdXpdirEPaBVB8qQFSGI --> SZ+-grease 7`Z3we,h O2THy w@-G^,* -pING13NREsxJOhDYbGGmh6M ---- YYugx3x05vCiO23wzFQH3E7/HkehfSZJZ4I1Hhn7gCI -[J:KBKSVM אJk$nDK N4.<,.i48 F8k](&n31jr]v[˕=hӛ \ No newline at end of file diff --git a/agenix/hosts/sail/rimgo/auth.age b/agenix/hosts/sail/rimgo/auth.age deleted file mode 100644 index 207c66f..0000000 --- a/agenix/hosts/sail/rimgo/auth.age +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyAySTBM -aFBCMXFLc0JJeHlSMjBEM0pqeElpZ3FOYmd6WFI4bndMcGluMWxVCmJ6aHBYNFlW -RFlyTjhGYkluMWJ3bmRjaU55QWthYUZaWVpnZ081NUxYdDQKLT4gc3NoLWVkMjU1 -MTkgTmJWNGh3IFN2SWJ6ZFloZkk4YVI3NXFFUkJsQnMwemV0czQ0L3Q3d0ZxQkZP -aXRFQUEKWWRSV2hQOC8zMFZ4aUFack9DcjM0SEg5VmVDdnZoUUdKb1FoTzMvclhI -YwotPiBtc017cmNSNy1ncmVhc2UgO191L2tOfSAuX2sKYjlmMEpJSTJKbFpNb1h0 -U2s2K1U0NnAyejBjbHhyTDJaUG85dCtORDdMME1iTmFNTWlTZGdpRi90emVVT0ZL -RgpLemUyVXJHR1ZyNEJCbExuN3cxQWw4Q1ZvKzAzZ1l5bTJ6ekh1N2VtbWhsUAot -LS0gZDZuVXliZXRqeHpEa24vbTdLRjY2RkdReUgrVk4yRXJVam82ZklCUER5dwoi -onrE2i7Culh6zYX79xMkJOuhSXlTpX2q4LQin5RA8O0b6lVui5lGR+K+wTkfYvKw -D92KqHxvQbCpYECM5QrEued9+3ujmRjd5Zh9YBCdmoM1P7BlyTYaMIduUenN7VjP -LjqdajKkDcu8Jf7p27Qob0A= ------END AGE ENCRYPTED FILE----- diff --git a/container/proxitok/default.nix b/container/proxitok/default.nix index c088ad7..5167c25 100644 --- a/container/proxitok/default.nix +++ b/container/proxitok/default.nix @@ -39,11 +39,11 @@ ]; services.nginx.virtualHosts."tictac.daniel.sx" = { + listenAddresses = [ "100.113.242.85" ]; http3 = true; onlySSL = true; useACMEHost = "daniel.sx"; - basicAuthFile = config.age.secrets.proxitok-auth.path; locations."/" = { recommendedProxySettings = true; 
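Review bot: The Tailscale address `100.113.242.85` is written as a literal in the added `listenAddresses` line of the container/proxitok/default.nix hunk, and the same literal is repeated in the anonymous-overflow.nix, libreddit.nix, nitter.nix and rimgo.nix hunks. Since this address is now what keeps these vhosts off the public interface, a single definition is easier to audit and to change than five copies. I would bind it once where all five modules can read it and write `listenAddresses = [ tailscaleAddress ];` here (the name is only a suggestion), with a comment such as `# Tailscale address of sail; this vhost must not listen on the public interface`. The virtualHosts block continues past the end of the hunk.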
diff --git a/secrets.nix b/secrets.nix
index 98275a3..c44f0b7 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -32,15 +32,8 @@ in
 "agenix/hosts/sail/invidious/databasePassword.age".publicKeys = sail;
 "agenix/hosts/sail/nitter/config.age".publicKeys = sail;
- "agenix/hosts/sail/nitter/auth.age".publicKeys = sail;
-
- "agenix/hosts/sail/libreddit/auth.age".publicKeys = sail;
-
- "agenix/hosts/sail/rimgo/auth.age".publicKeys = sail;
 "agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail;
- "agenix/hosts/sail/anonymous-overflow/auth.age".publicKeys = sail;
 "agenix/hosts/sail/proxitok/environment.age".publicKeys = sail;
- "agenix/hosts/sail/proxitok/auth.age".publicKeys = sail;
 }
diff --git a/system/nixos/anonymous-overflow.nix b/system/nixos/anonymous-overflow.nix
index 00aca94..68b801c 100644
--- a/system/nixos/anonymous-overflow.nix
+++ b/system/nixos/anonymous-overflow.nix
@@ -39,12 +39,12 @@ in
 };
 services.nginx.virtualHosts."overflow.daniel.sx" = {
+ listenAddresses = [ "100.113.242.85" ];
 http3 = true;
 root = "${anonymous-overflow-pkg}/share/anonymous-overflow/public/";
 onlySSL = true;
 useACMEHost = "daniel.sx";
- basicAuthFile = config.age.secrets.anonymous-overflow-auth.path;
 locations."/" = {
 tryFiles = "$uri @proxy";
diff --git a/system/nixos/libreddit.nix b/system/nixos/libreddit.nix
index 88993d7..03b8d4e 100644
--- a/system/nixos/libreddit.nix
+++ b/system/nixos/libreddit.nix
@@ -9,11 +9,11 @@
 };
 services.nginx.virtualHosts."${secret.nginx.hostnames.libreddit}" = {
+ listenAddresses = [ "100.113.242.85" ];
 http3 = true;
 onlySSL = true;
 useACMEHost = "daniel.sx";
- basicAuthFile = config.age.secrets.libreddit-auth.path;
 locations."/" = {
 recommendedProxySettings = true;
diff --git a/system/nixos/nitter.nix b/system/nixos/nitter.nix
index 2d9da29..a21c394 100644
--- a/system/nixos/nitter.nix
+++ b/system/nixos/nitter.nix
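Review bot: With `basicAuthFile` removed from the overflow.daniel.sx vhost in the anonymous-overflow.nix hunk, the bind to `100.113.242.85` is the only access control left, so every device that can reach this node over the tailnet gets the frontend without credentials. The same holds for the proxitok, libreddit, nitter and rimgo vhosts changed in this commit. That may well be intended, but it moves the trust decision into the tailnet ACLs, which are not visible in this diff. A comment on the added line would record it, for example `# no HTTP auth: access is limited by the tailnet ACLs for this node`.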
@@ -2,11 +2,6 @@
 let
 nitter-pkg = pkgs.nitter-unstable;
-
- proxy-no-auth = {
- recommendedProxySettings = true;
- proxyPass = "http://127.0.0.1:8001";
- };
 in
 {
 # Based on: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/nitter.nix
@@ -53,6 +48,7 @@ in
 };
 services.nginx.virtualHosts."${secret.nginx.hostnames.nitter}" = {
+ listenAddresses = [ "100.113.242.85" ];
 http3 = true;
 root = "${nitter-pkg}/share/nitter/public/";
@@ -63,11 +59,7 @@ in
 tryFiles = "$uri @proxy";
 };
- locations."/pic/" = proxy-no-auth;
- locations."/video/" = proxy-no-auth;
-
 locations."@proxy" = {
- basicAuthFile = config.age.secrets.nitter-auth.path;
 recommendedProxySettings = true;
 proxyPass = "http://127.0.0.1:8001";
 };
diff --git a/system/nixos/rimgo.nix b/system/nixos/rimgo.nix
index ed1ccad..931853e 100644
--- a/system/nixos/rimgo.nix
+++ b/system/nixos/rimgo.nix
@@ -41,11 +41,11 @@ in
 };
 services.nginx.virtualHosts."ringo.daniel.sx" = {
+ listenAddresses = [ "100.113.242.85" ];
 http3 = true;
 onlySSL = true;
 useACMEHost = "daniel.sx";
- basicAuthFile = config.age.secrets.rimgo-auth.path;
 locations."/" = {
 recommendedProxySettings = true;
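Review bot: Binding the vhost to `100.113.242.85` in the second nitter.nix hunk makes nginx depend on that address existing when it starts, and nothing in this diff orders nginx after the Tailscale interface is up (the proxitok, anonymous-overflow, libreddit and rimgo hunks add the same line). If the address is not yet assigned, nginx normally refuses to start with a bind error, which would take down every vhost on the host and not only the five changed here. This is worth checking on a cold boot. If it does fail, `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` lets nginx bind before the address appears, or nginx can be ordered with `systemd.services.nginx.after = [ "tailscaled.service" ];`, though the latter alone does not guarantee the address is assigned yet.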