diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix
index 95d7666..36a1132 100755
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@@ -20,6 +20,7 @@
 ./services/phpfront.nix
 ./services/postgresql.nix
 ./services/landing
+ ./services/terraria.nix
 ./containers/torrent.nix
 ./containers/vaultwarden.nix
diff --git a/hosts/koi/containers/kanidm/proxy.nix b/hosts/koi/containers/kanidm/proxy.nix
index 6f0104c..919d10b 100644
--- a/hosts/koi/containers/kanidm/proxy.nix
+++ b/hosts/koi/containers/kanidm/proxy.nix
@@ -29,8 +29,9 @@ in {
 default = [];
 };
 uid = mkOption {
- type = types.int;
+ type = types.nullOr types.int;
 description = "uid of the user that will run the service";
+ default = null;
 };
 };
 }));
@@ -46,7 +47,7 @@ in {
 name = "${name}-oidc";
 value = {
 image = "quay.io/oauth2-proxy/oauth2-proxy:v7.7.1-amd64";
- user = "${builtins.toString service.uid}";
+ ${if service.uid != null then "user" else null} = "${builtins.toString service.uid}";
 environmentFiles = [
 config.age.secrets.${service.envSecret}.path
 ];
diff --git a/hosts/koi/containers/torrent.nix b/hosts/koi/containers/torrent.nix
index b5ef12b..f5e4e46 100644
--- a/hosts/koi/containers/torrent.nix
+++ b/hosts/koi/containers/torrent.nix
@@ -9,6 +9,7 @@ in
 imports = [
 (secrets.declare [
 { name = "qbt-dl-webhook"; mode = "777"; }
+ { name = "torrent-proxy-env"; mode = "777"; }
 ])
 (containers.mkNixosContainer {
 name = "torrent";
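Review bot: The `uid` option now accepts null, but its `description` still reads as if a uid were always required; document what a null uid means, e.g. `description = "uid of the user that will run the service; null leaves the container's user unset so the image default applies";`. That wording follows from the second hunk of this file, which omits the `user` attribute when uid is null, not from the option declaration alone. The `mkOption` attrset closes inside the hunk, but the enclosing submodule starts outside it.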
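Review bot: The dynamic attribute name `${if service.uid != null then "user" else null}` on the new line relies on Nix silently dropping an attribute whose name evaluates to null, an obscure idiom that reads like a mistake to anyone who has not met it. The same effect is clearer as an explicit merge on the closing of the `value` attrset: `} // lib.optionalAttrs (service.uid != null) { user = toString service.uid; };`, assuming `lib` is in scope (the file's bare `mkOption`/`types` suggest it is). It is also worth a one-line comment here that with a null uid the oauth2-proxy container runs as whatever user the image defaults to, since that is now the default for every service. The `value = {` attrset continues past the end of the hunk.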
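Review bot: `mode = "777"` on the new `torrent-proxy-env` secret makes the decrypted file world-readable (and executable) on the host, and that file is what `proxy.nix` hands to oauth2-proxy through `environmentFiles`, so it presumably carries the OIDC client secret and cookie secret; any local user or compromised service on koi could read it and mint valid sessions for the torrent UI. The `docker` invocation that consumes an env file is normally run as root by the oci-containers unit, so the agenix default of a root-owned 0400 file should suffice: `{ name = "torrent-proxy-env"; mode = "0400"; }` (or drop `mode` entirely if `secrets.declare` passes the agenix default through). The pre-existing `qbt-dl-webhook` entry has the same problem and is not changed here. The `imports` list and the `secrets.declare` call both continue outside the hunk.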
@@ -30,12 +31,13 @@ in
 '';
 config = {
 Preferences = {
- "WebUI\\Username" = "torrent";
- "WebUI\\Password_PBKDF2" = "\"@ByteArray(Gi7vRUB4k9veY9rOKmTRzw==:Mt0Dhy7rEV+ynH9+Jvm/UwnsNV1KOOQCY1g0QF4TTR1kvT27drZO/zaebH+LTcB3tT52m2T6eikpHxg8NcmXDg==)\"";
- "WebUI\\AuthSubnetWhitelist" = "10.42.0.0/16";
+ # auth is managed by oidc proxy
+ "WebUI\\AuthSubnetWhitelist" = "0.0.0.0/0";
 "WebUI\\AuthSubnetWhitelistEnabled" = "true";
 "WebUI\\ReverseProxySupportEnabled" = "true";
 "WebUI\\TrustedReverseProxiesList" = "10.42.0.2";
+ "WebUI\\HostHeaderValidation" = "false";
+ "WebUI\\CSRFProtection" = "false";
 };
 BitTorrent = {
 "Session\\DefaultSavePath" = "/mnt/download";
@@ -73,22 +75,19 @@ in
 })
 ];
+ desu.openid-proxy.services.torrent = {
+ clientId = "torrent";
+ domain = "torrent.stupid.fish";
+ upstream = "http://torrent.containers";
+ envSecret = "torrent-proxy-env";
+ };
+
 services.nginx.virtualHosts."torrent.stupid.fish" = {
 forceSSL = true;
 useACMEHost = "stupid.fish";
 locations."/" = {
- proxyPass = "http://torrent.containers$request_uri";
-
- # https://github.com/qbittorrent/qBittorrent/issues/6962
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Host $host:$server_port;
- proxy_hide_header Referer;
- proxy_hide_header Origin;
- proxy_set_header Referer ''';
- proxy_set_header Origin ''';
- '';
+ proxyPass = "http://torrent-oidc.docker$request_uri";
 };
 };
 }
diff --git a/hosts/koi/services/coredns.nix b/hosts/koi/services/coredns.nix
index be9fde4..02aeda9 100644
--- a/hosts/koi/services/coredns.nix
+++ b/hosts/koi/services/coredns.nix
@@ -14,6 +14,7 @@ let
 10.42.0.2 puffer-webdav.stupid.fish
 10.42.0.2 lore.stupid.fish
 10.42.0.2 id.stupid.fish
+ 10.42.0.2 pds.stupid.fish
 10.42.0.2 siyuan.tei.su
 '';
diff --git a/hosts/nixos-common.nix b/hosts/nixos-common.nix
index 5e065c3..688fab4 100644
--- a/hosts/nixos-common.nix
+++ b/hosts/nixos-common.nix
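Review bot: `"WebUI\\AuthSubnetWhitelist" = "0.0.0.0/0"` with `AuthSubnetWhitelistEnabled = "true"` and the username/password removed turns the qBittorrent WebUI into an unauthenticated admin interface for every client it can see, so the only remaining control is whether anything other than the `torrent-oidc` container can reach `torrent.containers` directly, and nothing in this hunk enforces that. Narrowing the whitelist to the proxy's address does not work as long as `ReverseProxySupportEnabled` and the trusted-proxy entry make qBittorrent match the whitelist against `X-Forwarded-For` (the browser's address), so the realistic fix is to keep `0.0.0.0/0` but restrict the WebUI port on the container's firewall to the source address the oauth2-proxy's requests actually arrive from, and to state that dependency in the comment, e.g. `# auth is delegated to the oidc proxy; the WebUI port must only be reachable from it`. Note that the unchanged `TrustedReverseProxiesList = "10.42.0.2"` was nginx's address, while the direct peer is now a docker container, so confirm that forwarded headers are still honoured. Disabling `CSRFProtection` and `HostHeaderValidation` additionally leaves the oauth2-proxy cookie's SameSite attribute as the sole CSRF defence for the API, which is worth pinning explicitly (`OAUTH2_PROXY_COOKIE_SAMESITE=strict`) in the env secret rather than relying on browser defaults. The `Preferences` attrset is fully inside the hunk; the surrounding `config` block continues past it.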
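Review bot: The new `proxyPass` to `torrent-oidc.docker` drops the `extraConfig` that set `Host` and `X-Forwarded-Host`, and no forwarded headers replace it in this location, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere oauth2-proxy will see neither the public host nor `X-Forwarded-Proto: https` and, depending on whether `proxy.nix` sets an explicit redirect URL, may build its OIDC redirect from the upstream name over plain http. If that option is not on, add `extraConfig = ''proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr;'';` to the location (or enable the recommended settings). The removed Referer/Origin stripping was the workaround for qBittorrent issue 6962; its replacement is the `CSRFProtection = "false"` in the earlier hunk, which is the weaker trade, so a short comment here pointing at that decision would help the next reader. The `services.nginx.virtualHosts` attrset is fully inside the hunk; the `}` on the last line closes the module.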
@@ -3,6 +3,7 @@
 {
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 nix.settings.trusted-users = [ "@wheel" ];
+ nixpkgs.config.allowUnfree = true;
 # nix.settings.sandbox = false;
 time.timeZone = "Europe/Moscow";
diff --git a/secrets/torrent-proxy-env.age b/secrets/torrent-proxy-env.age
new file mode 100644
index 0000000..5c7e43d
Binary files /dev/null and b/secrets/torrent-proxy-env.age differ
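Review bot: `nixpkgs.config.allowUnfree = true;` in `nixos-common.nix` lifts the unfree restriction for every host that imports this file, not just the one that needs it, so any unfree (typically binary-only, unauditable) package can now be pulled in anywhere without a reviewer noticing. Prefer an explicit allowlist, `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "terraria-server" ];` (the Terraria service added in this commit is presumably the trigger; adjust the name and make sure `lib` is available from the module arguments), or scope the setting to `hosts/koi/services/terraria.nix` alone. A one-line comment naming the package that forced the change would also record the decision. The module attrset opens with the `{` at the top of the hunk and continues past it.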