daniel/dotfiles
1
0
Fork 0
Code Actions Activity

sail: Alternative frontends should only listen on tailscale

Browse source
This commit is contained in:
Daniel Kempkens 2023-03-23 10:11:11 +01:00
parent e3bd9dc8d6
commit ea675ad396
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
12 changed files with 5 additions and 82 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
agenix/hosts/sail/anonymous-overflow/auth.age
View file

Binary file not shown.

30
agenix/hosts/sail/config.nix
View file

@ -95,42 +95,12 @@
file = ./nitter/config.age; file = ./nitter/config.age;
}; };
nitter-auth = {
file = ./nitter/auth.age;
owner = "nginx";
group = "nginx";
};
libreddit-auth = {
file = ./libreddit/auth.age;
owner = "nginx";
group = "nginx";
};
rimgo-auth = {
file = ./rimgo/auth.age;
owner = "nginx";
group = "nginx";
};
anonymous-overflow-config = { anonymous-overflow-config = {
file = ./anonymous-overflow/config.age; file = ./anonymous-overflow/config.age;
}; };
anonymous-overflow-auth = {
file = ./anonymous-overflow/auth.age;
owner = "nginx";
group = "nginx";
};
proxitok-environment = { proxitok-environment = {
file = ./proxitok/environment.age; file = ./proxitok/environment.age;
}; };
proxitok-auth = {
file = ./proxitok/auth.age;
owner = "nginx";
group = "nginx";
};
}; };
} }

BIN
agenix/hosts/sail/libreddit/auth.age
View file

Binary file not shown.

9
agenix/hosts/sail/nitter/auth.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 MtGp6g TlltW6mwuZE7iaKfHK128JI0R6Mj4yu1Yq1Hy0YWJRY
ZRS8nBzX39RHYDeEMnlKepVDuaXjLw1N0WRtP3cvBPY
-> ssh-ed25519 NbV4hw +HmaRasZJ0E+lTm8CYBoHrB/u+7bdfwroLzSHrsCgRw
xoz0PRPOFIfwMvmJGC1PGS2PsUe+v0aG7E8BIY4yUH8
-> ;r1<;&A-grease sHb XfT4F 4xh];sA@
IIIGYPwXy4uHMkFV
--- HN3r/Qy0NfVWSwIlgHwT9mR8YlR07VhSABEE1AyZQvM
íº^Ží9A¸`KuÇø¡º<14>¨".íf.8¿;œ–Á%ôH$È#ðÕß*¤µö¯mä /¶©¾ ²T<C2B2>Ïÿƒ"¾hþP­.©%ù8TsaÙNÙ KƒáfPö|¦;Oè7Ý(œÐÈ¥")ÄÎÃ*

9
agenix/hosts/sail/proxitok/auth.age
View file

@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 MtGp6g UsWqApJ+OzlhjmqFPWX+9lYH8WiGLGiRb9ljd2aoE0s
2QnM7xKexxWwDaP/dkIPn4t62cl0SYgFwJmPjP4qmQg
-> ssh-ed25519 NbV4hw Jxe6FiuxaJ3976a9J3iGFB4voOABKtxOFjjiV5lJg1E
jYiki61pPUnvcXM0p4zTW/SAdXpdirEPaBVB8qQFSGI
-> SZ+-grease 7`Z3we,h O2THy w@-G^,*
pING13NREsxJOhDYbGGmh6M
--- YYugx3x05vCiO23wzFQH3E7/HkehfSZJZ4I1Hhn7gCI
—Õß[ŒŽïJë™Þ:KBKŽöçS‰ãÈVMœ ×<><C397>Š˜ÛJkù$ÿn‡D„K N±ä4áù.<™,à.¿iÆ48 §ôF¤8¹kŠû](&nÁ—úꚌ31þìj<07>r]ñv[Ë•âË=ôhÓ

14
agenix/hosts/sail/rimgo/auth.age
View file

@ -1,14 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyAySTBM
aFBCMXFLc0JJeHlSMjBEM0pqeElpZ3FOYmd6WFI4bndMcGluMWxVCmJ6aHBYNFlW
RFlyTjhGYkluMWJ3bmRjaU55QWthYUZaWVpnZ081NUxYdDQKLT4gc3NoLWVkMjU1
MTkgTmJWNGh3IFN2SWJ6ZFloZkk4YVI3NXFFUkJsQnMwemV0czQ0L3Q3d0ZxQkZP
aXRFQUEKWWRSV2hQOC8zMFZ4aUFack9DcjM0SEg5VmVDdnZoUUdKb1FoTzMvclhI
YwotPiBtc017cmNSNy1ncmVhc2UgO191L2tOfSAuX2sKYjlmMEpJSTJKbFpNb1h0
U2s2K1U0NnAyejBjbHhyTDJaUG85dCtORDdMME1iTmFNTWlTZGdpRi90emVVT0ZL
RgpLemUyVXJHR1ZyNEJCbExuN3cxQWw4Q1ZvKzAzZ1l5bTJ6ekh1N2VtbWhsUAot
LS0gZDZuVXliZXRqeHpEa24vbTdLRjY2RkdReUgrVk4yRXJVam82ZklCUER5dwoi
onrE2i7Culh6zYX79xMkJOuhSXlTpX2q4LQin5RA8O0b6lVui5lGR+K+wTkfYvKw
D92KqHxvQbCpYECM5QrEued9+3ujmRjd5Zh9YBCdmoM1P7BlyTYaMIduUenN7VjP
LjqdajKkDcu8Jf7p27Qob0A=
-----END AGE ENCRYPTED FILE-----

2
container/proxitok/default.nix
View file

@ -39,11 +39,11 @@
]; ];
services.nginx.virtualHosts."tictac.daniel.sx" = { services.nginx.virtualHosts."tictac.daniel.sx" = {
listenAddresses = [ "100.113.242.85" ];
http3 = true; http3 = true;
onlySSL = true; onlySSL = true;
useACMEHost = "daniel.sx"; useACMEHost = "daniel.sx";
basicAuthFile = config.age.secrets.proxitok-auth.path;
locations."/" = { locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;

7
secrets.nix
View file

@ -32,15 +32,8 @@ in
"agenix/hosts/sail/invidious/databasePassword.age".publicKeys = sail; "agenix/hosts/sail/invidious/databasePassword.age".publicKeys = sail;
"agenix/hosts/sail/nitter/config.age".publicKeys = sail; "agenix/hosts/sail/nitter/config.age".publicKeys = sail;
"agenix/hosts/sail/nitter/auth.age".publicKeys = sail;
"agenix/hosts/sail/libreddit/auth.age".publicKeys = sail;
"agenix/hosts/sail/rimgo/auth.age".publicKeys = sail;
"agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail; "agenix/hosts/sail/anonymous-overflow/config.age".publicKeys = sail;
"agenix/hosts/sail/anonymous-overflow/auth.age".publicKeys = sail;
"agenix/hosts/sail/proxitok/environment.age".publicKeys = sail; "agenix/hosts/sail/proxitok/environment.age".publicKeys = sail;
"agenix/hosts/sail/proxitok/auth.age".publicKeys = sail;
} }

2
system/nixos/anonymous-overflow.nix
View file

@ -39,12 +39,12 @@ in
}; };
services.nginx.virtualHosts."overflow.daniel.sx" = { services.nginx.virtualHosts."overflow.daniel.sx" = {
listenAddresses = [ "100.113.242.85" ];
http3 = true; http3 = true;
root = "${anonymous-overflow-pkg}/share/anonymous-overflow/public/"; root = "${anonymous-overflow-pkg}/share/anonymous-overflow/public/";
onlySSL = true; onlySSL = true;
useACMEHost = "daniel.sx"; useACMEHost = "daniel.sx";
basicAuthFile = config.age.secrets.anonymous-overflow-auth.path;
locations."/" = { locations."/" = {
tryFiles = "$uri @proxy"; tryFiles = "$uri @proxy";

2
system/nixos/libreddit.nix
View file

@ -9,11 +9,11 @@
}; };
services.nginx.virtualHosts."${secret.nginx.hostnames.libreddit}" = { services.nginx.virtualHosts."${secret.nginx.hostnames.libreddit}" = {
listenAddresses = [ "100.113.242.85" ];
http3 = true; http3 = true;
onlySSL = true; onlySSL = true;
useACMEHost = "daniel.sx"; useACMEHost = "daniel.sx";
basicAuthFile = config.age.secrets.libreddit-auth.path;
locations."/" = { locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;

10
system/nixos/nitter.nix
View file

@ -2,11 +2,6 @@
let let
nitter-pkg = pkgs.nitter-unstable; nitter-pkg = pkgs.nitter-unstable;
proxy-no-auth = {
recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:8001";
};
in in
{ {
# Based on: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/nitter.nix # Based on: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/nitter.nix
@ -53,6 +48,7 @@ in
}; };
services.nginx.virtualHosts."${secret.nginx.hostnames.nitter}" = { services.nginx.virtualHosts."${secret.nginx.hostnames.nitter}" = {
listenAddresses = [ "100.113.242.85" ];
http3 = true; http3 = true;
root = "${nitter-pkg}/share/nitter/public/"; root = "${nitter-pkg}/share/nitter/public/";
@ -63,11 +59,7 @@ in
tryFiles = "$uri @proxy"; tryFiles = "$uri @proxy";
}; };
locations."/pic/" = proxy-no-auth;
locations."/video/" = proxy-no-auth;
locations."@proxy" = { locations."@proxy" = {
basicAuthFile = config.age.secrets.nitter-auth.path;
recommendedProxySettings = true; recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:8001"; proxyPass = "http://127.0.0.1:8001";
}; };

2
system/nixos/rimgo.nix
View file

@ -41,11 +41,11 @@ in
}; };
services.nginx.virtualHosts."ringo.daniel.sx" = { services.nginx.virtualHosts."ringo.daniel.sx" = {
listenAddresses = [ "100.113.242.85" ];
http3 = true; http3 = true;
onlySSL = true; onlySSL = true;
useACMEHost = "daniel.sx"; useACMEHost = "daniel.sx";
basicAuthFile = config.age.secrets.rimgo-auth.path;
locations."/" = { locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;