Add reverse proxy for ariang

2023-05-02 22:48:50 +00:00 · 2023-05-02 22:48:50 +00:00 · d156d3c286
commit d156d3c286
parent 6e55df595e
3 changed files with 28 additions and 8 deletions
--- a/hosts/iron/secrets.yaml
+++ b/hosts/iron/secrets.yaml
@ -1,4 +1,5 @@
 duckdns-secret: ENC[AES256_GCM,data:SAf/xZ28tgmvqcVKC2tMNRm838AVMMNCC3fpYLXBEIoTl7E7,iv:+KTEpNMj0+aVCGKB1dRFFslgjpBhSzBZFdee+VIAt4o=,tag:C/eSyoQjAgD7Qv4J4jsp4g==,type:str]
+ariang-htpasswd: ENC[AES256_GCM,data:itE8a36dV93mlJlQ6BcBY0W/qX0+OpKxP6tHmJ1gcL4PRTp3y5df1CtRlw==,iv:2kLY2+hgtAx+FXEGzqvfmATKdCDRzGZ+YTYTYTDqJFU=,tag:SXTR7Try692ByL4Iq51y7g==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,8 +15,8 @@ sops:
            TjdZRldhSzVtMkVoTzY1NjdGbCswRVUK0pi+8UuLqRmytcR2ikxOAM02iccl8P1y
            ixv0PKPLd+vQ23QeeQy/TfoGx16XttaDUnUrPLZR3TUKtAcld8+m6w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-02T19:30:49Z"
-    mac: ENC[AES256_GCM,data:At3/ci8Dsq1ljzL1ZkbS+NsZmU008G3r/QRyPv4abK3SY7Zf6kfTeL0YomfSixkEZxGTBSJY1hK+jHSsV1KAojG/f1xNkTIszJBjjFb/BWYpDD31CWft5I1Loz66IIf0EU8qIJv2QrDP7TrBlU6UeXNnmlCNt4OStU8n5559TA4=,iv:DawliBKBJCWUcv86CLErKo1xGdYNfTYqyrFyGNY+8z4=,tag:1FcLKAKk1v7JsFMybL5GEA==,type:str]
+    lastmodified: "2023-05-02T21:42:20Z"
+    mac: ENC[AES256_GCM,data:MJagQk4664RL2LdxBQQfaHzjuzwtcwZAj3Lde9/uxJFsioksJUT4abK1wQmL54qSQ5L0HV8uXDOLo8rWWo/sN24gWVKh7b9+i9oYfCWPLxSQP/s5Fm7VleYkTD5m/1EDqd/D59zz4GC2Pq4HYEyjUX3I2d33KHlcklepY8NcbjE=,iv:py+U05f+VHn+ImmzWax2AZqzWtSNn3cGn3lWKTKuRcA=,tag:b1u6yksJ+pzEe3ThlEL1EQ==,type:str]
    pgp:
        - created_at: "2023-05-02T19:30:42Z"
          enc: |
--- a/hosts/iron/services/nginx.nix
+++ b/hosts/iron/services/nginx.nix
@ -7,9 +7,12 @@
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };
-  networking.firewall.interfaces."enp3s4".allowedTCPPorts = [
-    #networking.firewall.allowedTCPPorts = [
+  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "mail@jalr.de";
+  };
 }
--- a/hosts/iron/services/torrent.nix
+++ b/hosts/iron/services/torrent.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 let
  aria2RpcPort = 6800;
  aria2ListenPort = 59832;
@ -18,7 +18,6 @@ in
      "--input-file /var/lib/aria2/aria2.session"
      "--max-concurrent-downloads=1000"
      "--rpc-allow-origin-all=true"
-      "--rpc-listen-all"
      "--seed-ratio=0.0"
    ];
    listenPortRange = [
@ -31,9 +30,26 @@ in
  };
  networking.firewall = {
    allowedTCPPorts = [ aria2ListenPort ];
-    interfaces."enp3s4".allowedTCPPorts = [ aria2RpcPort ];
  };
-  services.nginx.virtualHosts."iron.bw.lan.jalr.de" = {
+  sops.secrets.ariang-htpasswd = {
+    sopsFile = ../secrets.yaml;
+    owner = "nginx";
+  };
+  services.nginx.virtualHosts."ariang.jalr.de" = {
    root = pkgs.ariang;
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    basicAuthFile = config.sops.secrets.ariang-htpasswd.path;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+      location /jsonrpc {
+        proxy_pass         http://127.0.0.1:${toString aria2RpcPort};
+        proxy_set_header   Host $host;
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host $server_name;
+      }
+    '';
  };
 }