chore: use oidc proxy for torrent

2024-11-02 14:53:18 +03:00 · 2024-11-02 14:53:18 +03:00 · cf157bbd1a
commit cf157bbd1a
parent d74be3f4be
6 changed files with 19 additions and 16 deletions
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@ -20,6 +20,7 @@
    ./services/phpfront.nix
    ./services/postgresql.nix
    ./services/landing
    ./services/terraria.nix
    ./containers/torrent.nix
    ./containers/vaultwarden.nix
--- a/hosts/koi/containers/kanidm/proxy.nix
+++ b/hosts/koi/containers/kanidm/proxy.nix
@ -29,8 +29,9 @@ in {
            default = [];
          };
          uid = mkOption {
-            type = types.int;
+            type = types.nullOr types.int;
            description = "uid of the user that will run the service";
            default = null;
          };
        };
      }));
@ -46,7 +47,7 @@ in {
        name = "${name}-oidc";
        value = {
          image = "quay.io/oauth2-proxy/oauth2-proxy:v7.7.1-amd64";
-          user = "${builtins.toString service.uid}";
+          ${if service.uid != null then "user" else null} = "${builtins.toString service.uid}";
          environmentFiles = [
            config.age.secrets.${service.envSecret}.path
          ];
--- a/hosts/koi/containers/torrent.nix
+++ b/hosts/koi/containers/torrent.nix
@ -9,6 +9,7 @@ in
  imports = [
    (secrets.declare [
      { name = "qbt-dl-webhook"; mode = "777"; }
      { name = "torrent-proxy-env"; mode = "777"; }
    ])
    (containers.mkNixosContainer {
      name = "torrent";
@ -30,12 +31,13 @@ in
            '';
            config = {
              Preferences = {
-                "WebUI\\Username" = "torrent";
+                # auth is managed by oidc proxy
-                "WebUI\\Password_PBKDF2" = "\"@ByteArray(Gi7vRUB4k9veY9rOKmTRzw==:Mt0Dhy7rEV+ynH9+Jvm/UwnsNV1KOOQCY1g0QF4TTR1kvT27drZO/zaebH+LTcB3tT52m2T6eikpHxg8NcmXDg==)\"";
+                "WebUI\\AuthSubnetWhitelist" = "0.0.0.0/0"; 
                "WebUI\\AuthSubnetWhitelist" = "10.42.0.0/16";
                "WebUI\\AuthSubnetWhitelistEnabled" = "true";
                "WebUI\\ReverseProxySupportEnabled" = "true";
                "WebUI\\TrustedReverseProxiesList" = "10.42.0.2";
                "WebUI\\HostHeaderValidation" = "false";
                "WebUI\\CSRFProtection" = "false";
              };
              BitTorrent = {
                "Session\\DefaultSavePath" = "/mnt/download";
@ -73,22 +75,19 @@ in
    })
  ];
  desu.openid-proxy.services.torrent = {
    clientId = "torrent";
    domain = "torrent.stupid.fish";
    upstream = "http://torrent.containers";
    envSecret = "torrent-proxy-env";
  };
  services.nginx.virtualHosts."torrent.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    locations."/" = {
-      proxyPass = "http://torrent.containers$request_uri";
+      proxyPass = "http://torrent-oidc.docker$request_uri";
      # https://github.com/qbittorrent/qBittorrent/issues/6962
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_hide_header   Referer;
        proxy_hide_header   Origin;
        proxy_set_header    Referer           ''';
        proxy_set_header    Origin            ''';
      '';
    };
  };
 }
--- a/hosts/koi/services/coredns.nix
+++ b/hosts/koi/services/coredns.nix
@ -14,6 +14,7 @@ let
    10.42.0.2 puffer-webdav.stupid.fish
    10.42.0.2 lore.stupid.fish
    10.42.0.2 id.stupid.fish
    10.42.0.2 pds.stupid.fish
    10.42.0.2 siyuan.tei.su
  '';
--- a/hosts/nixos-common.nix
+++ b/hosts/nixos-common.nix
@ -3,6 +3,7 @@
 {
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  nix.settings.trusted-users = [ "@wheel" ];
  nixpkgs.config.allowUnfree = true;
  # nix.settings.sandbox = false;
  time.timeZone = "Europe/Moscow";
--- a/secrets/torrent-proxy-env.age
+++ b/secrets/torrent-proxy-env.age