diff --git a/hosts/iron/secrets.yaml b/hosts/iron/secrets.yaml
index 1db35df..53680dd 100644
--- a/hosts/iron/secrets.yaml
+++ b/hosts/iron/secrets.yaml
@@ -1,4 +1,5 @@
 duckdns-secret: ENC[AES256_GCM,data:SAf/xZ28tgmvqcVKC2tMNRm838AVMMNCC3fpYLXBEIoTl7E7,iv:+KTEpNMj0+aVCGKB1dRFFslgjpBhSzBZFdee+VIAt4o=,tag:C/eSyoQjAgD7Qv4J4jsp4g==,type:str]
+ariang-htpasswd: ENC[AES256_GCM,data:itE8a36dV93mlJlQ6BcBY0W/qX0+OpKxP6tHmJ1gcL4PRTp3y5df1CtRlw==,iv:2kLY2+hgtAx+FXEGzqvfmATKdCDRzGZ+YTYTYTDqJFU=,tag:SXTR7Try692ByL4Iq51y7g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,8 +15,8 @@ sops:
             TjdZRldhSzVtMkVoTzY1NjdGbCswRVUK0pi+8UuLqRmytcR2ikxOAM02iccl8P1y
             ixv0PKPLd+vQ23QeeQy/TfoGx16XttaDUnUrPLZR3TUKtAcld8+m6w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-02T19:30:49Z"
-    mac: ENC[AES256_GCM,data:At3/ci8Dsq1ljzL1ZkbS+NsZmU008G3r/QRyPv4abK3SY7Zf6kfTeL0YomfSixkEZxGTBSJY1hK+jHSsV1KAojG/f1xNkTIszJBjjFb/BWYpDD31CWft5I1Loz66IIf0EU8qIJv2QrDP7TrBlU6UeXNnmlCNt4OStU8n5559TA4=,iv:DawliBKBJCWUcv86CLErKo1xGdYNfTYqyrFyGNY+8z4=,tag:1FcLKAKk1v7JsFMybL5GEA==,type:str]
+    lastmodified: "2023-05-02T21:42:20Z"
+    mac: ENC[AES256_GCM,data:MJagQk4664RL2LdxBQQfaHzjuzwtcwZAj3Lde9/uxJFsioksJUT4abK1wQmL54qSQ5L0HV8uXDOLo8rWWo/sN24gWVKh7b9+i9oYfCWPLxSQP/s5Fm7VleYkTD5m/1EDqd/D59zz4GC2Pq4HYEyjUX3I2d33KHlcklepY8NcbjE=,iv:py+U05f+VHn+ImmzWax2AZqzWtSNn3cGn3lWKTKuRcA=,tag:b1u6yksJ+pzEe3ThlEL1EQ==,type:str]
     pgp:
         - created_at: "2023-05-02T19:30:42Z"
           enc: |
diff --git a/hosts/iron/services/nginx.nix b/hosts/iron/services/nginx.nix
index ebccd4f..bb9d306 100644
--- a/hosts/iron/services/nginx.nix
+++ b/hosts/iron/services/nginx.nix
@@ -7,9 +7,12 @@
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
   };
-  networking.firewall.interfaces."enp3s4".allowedTCPPorts = [
-    #networking.firewall.allowedTCPPorts = [
+  networking.firewall.allowedTCPPorts = [
     80
     443
   ];
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "mail@jalr.de";
+  };
 }
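Review bot: Moving 80/443 from `networking.firewall.interfaces."enp3s4".allowedTCPPorts` to the global `networking.firewall.allowedTCPPorts` opens nginx on every interface rather than only enp3s4, and nothing in the hunk records why the scoping was dropped. If enp3s4 is the externally reachable interface, the interface-scoped form already let ACME HTTP-01 validation reach port 80, so the widening presumably serves other interfaces (LAN/VPN) and should be stated as deliberate, e.g. `# 80/443 on all interfaces (was enp3s4 only): nginx vhosts and ACME HTTP-01 must be reachable from every network -- confirm intended`. If only the public interface is meant, keeping the `interfaces."enp3s4"` form is the smaller exposure.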
diff --git a/hosts/iron/services/torrent.nix b/hosts/iron/services/torrent.nix
index ddd3779..22520d2 100644
--- a/hosts/iron/services/torrent.nix
+++ b/hosts/iron/services/torrent.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 let
   aria2RpcPort = 6800;
   aria2ListenPort = 59832;
@@ -18,7 +18,6 @@ in
     "--input-file /var/lib/aria2/aria2.session"
     "--max-concurrent-downloads=1000"
     "--rpc-allow-origin-all=true"
-    "--rpc-listen-all"
     "--seed-ratio=0.0"
   ];
   listenPortRange = [
@@ -31,9 +30,26 @@ in
   };
   networking.firewall = {
     allowedTCPPorts = [ aria2ListenPort ];
-    interfaces."enp3s4".allowedTCPPorts = [ aria2RpcPort ];
   };
-  services.nginx.virtualHosts."iron.bw.lan.jalr.de" = {
+  sops.secrets.ariang-htpasswd = {
+    sopsFile = ../secrets.yaml;
+    owner = "nginx";
+  };
+  services.nginx.virtualHosts."ariang.jalr.de" = {
     root = pkgs.ariang;
+    enableACME = true;
+    forceSSL = true;
+    kTLS = true;
+    basicAuthFile = config.sops.secrets.ariang-htpasswd.path;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+      location /jsonrpc {
+        proxy_pass http://127.0.0.1:${toString aria2RpcPort};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $server_name;
+      }
+    '';
   };
 }
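Review bot: The aria2 JSON-RPC endpoint proxied at `location /jsonrpc` is configured with no `--rpc-secret`, so the nginx basic auth is the only authentication, and the RPC listener itself (presumably loopback-only now that `--rpc-listen-all` is gone) still accepts unauthenticated calls from any local process or from any browser page on that host that can reach 127.0.0.1:6800, with `--rpc-allow-origin-all=true` answering such cross-origin requests with `Access-Control-Allow-Origin: *`. Since AriaNg now loads /jsonrpc from its own origin, `--rpc-allow-origin-all=true` is no longer needed and should be dropped, and an RPC token should be provisioned from sops alongside the htpasswd (a second `sops.secrets` entry fed to aria2's `rpc-secret`, via `services.aria2.rpcSecretFile` if this NixOS release has it, rather than as a command-line argument where `ps` exposes it). Separately, `recommendedProxySettings = true` in nginx.nix already emits the `Host`/`X-Real-IP`/`X-Forwarded-For` headers, so the four `proxy_set_header` lines duplicate them and `X-Forwarded-Host $server_name` overrides the recommended `$host` value; remove them unless the `$server_name` variant is intentional, and add `proxy_http_version 1.1;` plus `Upgrade`/`Connection` headers if AriaNg is expected to use WebSocket RPC, since only plain HTTP JSON-RPC works through the block as written.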