chore: use oidc proxy for torrent

This commit is contained in:
alina 🌸 2024-11-02 14:53:18 +03:00
parent d74be3f4be
commit cf157bbd1a
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
6 changed files with 19 additions and 16 deletions


@ -20,6 +20,7 @@
./services/phpfront.nix
./services/postgresql.nix
./services/landing
./services/terraria.nix
./containers/torrent.nix
./containers/vaultwarden.nix


@ -29,8 +29,9 @@ in {
default = [];
};
uid = mkOption {
type = types.int;
type = types.nullOr types.int;
description = "uid of the user that will run the service";
default = null;
};
};
}));
@ -46,7 +47,7 @@ in {
name = "${name}-oidc";
value = {
image = "quay.io/oauth2-proxy/oauth2-proxy:v7.7.1-amd64";
user = "${builtins.toString service.uid}";
${if service.uid != null then "user" else null} = "${builtins.toString service.uid}";
environmentFiles = [
config.age.secrets.${service.envSecret}.path
];
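Review bot: The dynamic attribute name `${if service.uid != null then "user" else null} = ...` is the hardest-to-read way to make the key conditional, and the null case it introduces is undocumented: with the new `default = null` the oauth2-proxy container runs as whatever user the image itself defaults to, which nothing in this module states. Since `mkOption` and `types` are already used unqualified, `mkIf` is presumably in scope too, so `user = mkIf (service.uid != null) (toString service.uid);` expresses the same thing in the idiom NixOS option definitions normally use (assuming `value` ends up as an oci-containers definition, which is outside the hunk). The `uid` option's description should spell out the fallback, e.g. `description = "uid of the user that will run the service; null keeps the container image's default user";`. The `value = { ... }` attribute set continues past the end of this hunk.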


@ -9,6 +9,7 @@ in
imports = [
(secrets.declare [
{ name = "qbt-dl-webhook"; mode = "777"; }
{ name = "torrent-proxy-env"; mode = "777"; }
])
(containers.mkNixosContainer {
name = "torrent";
@ -30,12 +31,13 @@ in
'';
config = {
Preferences = {
"WebUI\\Username" = "torrent";
"WebUI\\Password_PBKDF2" = "\"@ByteArray(Gi7vRUB4k9veY9rOKmTRzw==:Mt0Dhy7rEV+ynH9+Jvm/UwnsNV1KOOQCY1g0QF4TTR1kvT27drZO/zaebH+LTcB3tT52m2T6eikpHxg8NcmXDg==)\"";
"WebUI\\AuthSubnetWhitelist" = "10.42.0.0/16";
# auth is managed by oidc proxy
"WebUI\\AuthSubnetWhitelist" = "0.0.0.0/0";
"WebUI\\AuthSubnetWhitelistEnabled" = "true";
"WebUI\\ReverseProxySupportEnabled" = "true";
"WebUI\\TrustedReverseProxiesList" = "10.42.0.2";
"WebUI\\HostHeaderValidation" = "false";
"WebUI\\CSRFProtection" = "false";
};
BitTorrent = {
"Session\\DefaultSavePath" = "/mnt/download";
@ -73,22 +75,19 @@ in
})
];
desu.openid-proxy.services.torrent = {
clientId = "torrent";
domain = "torrent.stupid.fish";
upstream = "http://torrent.containers";
envSecret = "torrent-proxy-env";
};
services.nginx.virtualHosts."torrent.stupid.fish" = {
forceSSL = true;
useACMEHost = "stupid.fish";
locations."/" = {
proxyPass = "http://torrent.containers$request_uri";
# https://github.com/qbittorrent/qBittorrent/issues/6962
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_hide_header Referer;
proxy_hide_header Origin;
proxy_set_header Referer ''';
proxy_set_header Origin ''';
'';
proxyPass = "http://torrent-oidc.docker$request_uri";
};
};
}
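Review bot: `"WebUI\\AuthSubnetWhitelist" = "0.0.0.0/0"` switches qBittorrent's own login off for every source address, so the only thing still protecting the WebUI is that nothing except the `torrent-oidc` container can reach `http://torrent.containers` directly — the old `10.42.0.0/16` at least bounded the bypass to the local range, and I cannot see from this diff whether the container network or a firewall enforces that isolation. Unless it does, narrow the whitelist to the proxy's address, check that `"WebUI\\TrustedReverseProxiesList" = "10.42.0.2"` still names the hop traffic now arrives from (the upstream moved to `torrent-oidc.docker`), and make the dependency explicit in the comment: `# auth is delegated to the oauth2-proxy container; the WebUI must not be reachable except through torrent-oidc`. Separately, the new `{ name = "torrent-proxy-env"; mode = "777"; }` makes the OIDC client secret readable and writable by every local user; if `secrets.declare` accepts an owner (its signature is not visible here), pin it to the proxy's uid with `mode = "400"` and set `uid` in `desu.openid-proxy.services.torrent`, which this commit leaves at its new null default.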


@ -14,6 +14,7 @@ let
10.42.0.2 puffer-webdav.stupid.fish
10.42.0.2 lore.stupid.fish
10.42.0.2 id.stupid.fish
10.42.0.2 pds.stupid.fish
10.42.0.2 siyuan.tei.su
'';


@ -3,6 +3,7 @@
{
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.trusted-users = [ "@wheel" ];
nixpkgs.config.allowUnfree = true;
# nix.settings.sandbox = false;
time.timeZone = "Europe/Moscow";
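Review bot: If `nixpkgs.config.allowUnfree = true;` is the line this hunk adds (this rendering does not mark sides, so I am inferring from the counts and the new `./services/terraria.nix` import elsewhere in the commit), it permits every unfree package system-wide when the commit presumably needs a single one. Scoping it with `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "terraria-server" ];` keeps unfree software an explicit, reviewable list, and a short comment naming the reason, e.g. `# unfree: terraria-server`, would help whichever form is kept. Whether `lib` is bound in this file is outside the hunk.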
