From eb2b08a587b09fc9e6323bcf66126db4deafce5c Mon Sep 17 00:00:00 2001
From: Tigor Hutasuhut
Date: Wed, 4 Sep 2024 20:33:25 +0700
Subject: [PATCH] caddy: added basicauth to soulseek and ytptube

---
 secrets/secrets.yaml | 9 +++++++--
 secrets/soulseek.yaml | 8 ++++++--
 system/podman/soulseek.nix | 35 +++++++++++++++++++++++++++++++++++
 system/podman/ytptube.nix | 31 +++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 4 deletions(-)

diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 5ae3a9c..146bb3e 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -6,6 +6,11 @@ spotify:
   username: ENC[AES256_GCM,data:7uYX5Co=,iv:zc03i9P/nX6hIe/SfUulH2T3BkxD/1xiqG2izmaJbho=,tag:/djGWrxvsG9L5x3vHc9TwQ==,type:str]
   password: ENC[AES256_GCM,data:Yf2NCLuXVd28kPCHLLc=,iv:Ip4tAMOW5h8TPKavB7pTMt/ojtCq1wxw3Syhey4dGQI=,tag:b2FGiXAo66S6goiH43NQBA==,type:str]
 copilot: ENC[AES256_GCM,data:wxevVVvWYQv5iGH5I4BldwBJWMwL2BYH2b5GbemzbZRhTzNkgvNovQ2fE9gWqBginQwW5TSLgIHJnAqCYEokS26jOHXI7c1r2C1CKEp44AIwD2wb61KACH4nFCa71Blx/w==,iv:QvcwaasP8sVz8qdRWdt3aAMXV+E9eMotc74ARsSRLbw=,tag:OiktpnOw2UovNod3W41zZQ==,type:str]
+caddy:
+  basic_auth:
+    username: ENC[AES256_GCM,data:EB17m1q/RVK9RA==,iv:5tZm640K3X44otNB85UVGTJrDd/hwpS7lPhnzvDdqps=,tag:E0u1KjM2XP7c1h3SkPxN1g==,type:str]
+    #ENC[AES256_GCM,data:uATOQMrhNQTWWtE3vIo4QnCM/W55eAUKQk1t,iv:RP/MYFWahIie1m7TJgr7QXWgeTi4g/qLp0IdJNILQWk=,tag:UsJzYRaJjha9xNc0+5kzvQ==,type:comment]
+    password: ENC[AES256_GCM,data:CNquBB3XWlcIgsXp7Emt9i1Oz0Bws4J6mRszWeNh5HJ11ccTAbiPN2fJSISybHY0J2Rzeuzy+FvX5Ccx,iv:1oX9MTU13FUarX0DRlfsPNS6qT5xz5GpGxlMH5UsANA=,tag:TUmFfJR9WAoX/fXgRRvdQw==,type:str]
 docker:
   config: ENC[AES256_GCM,data:H/m7lUf5UQY61QhKV9zOBnsHhrzwowj7sJ8iTwejNdUlL/JFOTCymsPA0ND4GBGAlInMMSsfBf3HYTSlTx9izjM203Hh09kjFkUxgvrJPFwATsBswQz09GBE5Rk7qxcEIKlhsEMP8I0lwJRNzqpfw/i+dLYzDiboYnNxZ9wbRKEc7pOxbboDAJkwNLyIsQP+JbVXOYw1cyieXhP4VB0h95qukP+5RWA+0REPeUVYObDI1ZWm7rU0KjwYM0E1ZlwC7Tnu1N5A5UC5zkSCv4U21lkTLYVaesgYqp3qg50SEM2cQFygfFzZ1j7H0kKKKzO4d9d0MtLYLAfcq2v/cWUuB7dQPjcbhpBD5jnF03twLAH0ynMpvzinncCG00YTqrNWUJqsPwn7/enKmIsl55zPd0fc,iv:pJzMZrq+V7yPR+czDTTZspUTcajELPRHZevB5a7CtOo=,tag:jtSJZQ3lsuBUtFDGHuWibQ==,type:str]
 sops:
@@ -23,8 +28,8 @@ sops:
         UFFON2V5UWp1UUpETzZNSnVJdk5GcWsKupkOEN8OI/EOeu4Kkjo/SNhxMw2pa/gs
         DzlsQRvytwCvAtr7zqHJvS6oeWlyjbirAHlpSzNS4QcqtbtK3mHC/Q==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-06-13T09:09:57Z"
-  mac: ENC[AES256_GCM,data:Ovi5vtxADk/vb899WuaU8uWCsM/zN7jTWF47ivJxbgtGlIbQQWeI9eY0s+VaPSdGSshJCP4RYasoJBeL0CiZ64wdLtwsDqfbAB6k8LtS/YRY/hDVGvUG+5GDP+I12q5xbHzJbjiKFN4yLRuK9WVyBQp7TRr484zkdjDDkApoC6w=,iv:FCc/9Xq4xsKQ+Hwi4VpCY8/F4+zHezv42wWpSaGsrjc=,tag:m+dnpB6LjzSvf7cgugEk7g==,type:str]
+  lastmodified: "2024-09-04T13:29:44Z"
+  mac: ENC[AES256_GCM,data:zzOhlLYUtfietpg6Rszbv8/D0vJ0ghbA00ce+U1CJQZ1z7fbK9K7gjrapCl3CzLQLLfIClad+aUYhtHrNxSbq4W+VbtBtUtXdCgOsnF7+3MMPk+LcngPKuO25AgfS7EZQ8EYoazJB2lmlU+9Cd84k6RHvmaFSCJ8o0PSA77Kuk0=,iv:pphrY5oOAPLyCeGhaqg28G7xGN7Y4vkJBcJBjtFMI30=,tag:ZSlEkZsaDWwSwBQtQ/Xt3w==,type:str]
   pgp: []
   unencrypted_suffix: _unencrypted
   version: 3.8.1
diff --git a/secrets/soulseek.yaml b/secrets/soulseek.yaml
index 881ab00..e0a0139 100644
--- a/secrets/soulseek.yaml
+++ b/secrets/soulseek.yaml
@@ -1,5 +1,9 @@
 soulseek:
   env: ENC[AES256_GCM,data:r9AABW2U8Zr4fnYwF66SkJts/ljRyLsqpXQZWMQdtRpe6bkSY+s7hwXYVexjp1UVruLcAu+x7A==,iv:rngXQd3Xn/8nl5fE33BDQl++EGdHMMJPvg9KQfDA/II=,tag:r5WvaCGpo6pq8SgYEwv3UA==,type:str]
+  caddy:
+    username: ENC[AES256_GCM,data:c6yEVdiFjKt3pA==,iv:Wf+OSRliVuDicFcbqDFGn/KjRUQeF3DNx7P/sDXV8wA=,tag:9eepU589jS9HhQ7I7SsOsg==,type:str]
+    #ENC[AES256_GCM,data:ulRtu2Yg41GuclGqJJehbZgYdtdxtFv+LHeC,iv:64IncaTWsU9wcL1HNAMYDVMXelJuDUzeXGqx1FMHeag=,tag:B9bGHIQlEKV44it90KKZKg==,type:comment]
+    password: ENC[AES256_GCM,data:mOWu5RcnVKne3uLFdidI53F/6h4q22aST9Eo3n96IHBf2Y0+KSOhdlWSqQECTcTYqUb/GD6luA/tjgUV,iv:JAAF/vWUJ3yTAYLwaZT2GPqeZ9NCkXDct8Alxpt7tWw=,tag:6n2WrY5ZAbPNTDEhJ/6wVQ==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -15,8 +19,8 @@ sops:
         M3NzdHlsL2hENll3QnVBaXBiN2JPRzgKytdiV9iYS69v1+ub790lu4sPaMe4Auac
         dnYZHUyMBFqvHjdQH+y4wYZ+k/O6vLwWJE0uR7ErhShrpLQmYVwdAw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-08-20T12:21:42Z"
-  mac: ENC[AES256_GCM,data:n4zNdElxX38hgAUpVNpbfSlyFedriNoB1jXB8whrXVVu/X7Y5GX2Jg1sxNjLGrY/UXHen2sc7v25iz+2eM/IGXZhKn9ZOfuLUedRyR4wJP48h1RsPt9a20Mo6dTsUKHnyHBbbGA2iLlmt815yUtEwQPbj28SMGh1Ir6ppxNrLvI=,iv:3lC6pSyB1K7gN8yHhfaLL8JEa9pwTSKqMKgTlxDK9XU=,tag:fALAy3QdW0iTIu+vv4T5qw==,type:str]
+  lastmodified: "2024-09-04T13:21:43Z"
+  mac: ENC[AES256_GCM,data:s+d/Y+Rgyaut70WVHWL0P/XORW6d5lZSeCZOlQhGL1/M10VH4wADGK08JSqdUoUsD3kWmAw0ARrnEiNeqX3daTATkgYIq6mTiAP51bDX6d0qlvi5qddYjgq0AjEyHL6GGQVeFel7bZ/fGT7Q+BTLMq+A/YJkhk+EgFVSVywSTbc=,iv:8u2o4KhSSf/XaLaR24n0aloAdtbz87wbECmFKf9R8Z4=,tag:B+ONOjbtPdraV28PvEbdYg==,type:str]
   pgp: []
   unencrypted_suffix: _unencrypted
   version: 3.8.1
diff --git a/system/podman/soulseek.nix b/system/podman/soulseek.nix
index cd0f1fa..1b0c383 100644
--- a/system/podman/soulseek.nix
+++ b/system/podman/soulseek.nix
@@ -11,13 +11,45 @@ let
   user = config.profile.user;
   uid = toString user.uid;
   gid = toString user.gid;
+  basic_auth = {
+    username = "soulseek/caddy/username";
+    password = "soulseek/caddy/password";
+    template = "soulseek/caddy/basic_auth";
+  };
 in
 {
   config = mkIf (podman.enable && podman.${name}.enable) {
     services.caddy.virtualHosts.${domain}.extraConfig = ''
+      @require_auth not remote_ip private_ranges
+
+      basicauth @require_auth {
+        {$SOULSEEK_USERNAME} {$SOULSEEK_PASSWORD}
+      }
+
       reverse_proxy ${ip}:6080
     '';
 
+    sops = {
+      secrets =
+        let
+          opts = { sopsFile = ../../secrets/soulseek.yaml; };
+        in
+        {
+          ${basic_auth.username} = opts;
+          ${basic_auth.password} = opts;
+        };
+      templates = {
+        ${basic_auth.template}.content = /*sh*/ ''
+          SOULSEEK_USERNAME=${config.sops.placeholder.${basic_auth.username}}
+          SOULSEEK_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
+        '';
+      };
+    };
+
+    # systemd.services."caddy".serviceConfig = {
+    #   EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
+    # };
+
     system.activationScripts."podman-${name}" = ''
       mkdir -p ${rootVolume}/{config,downloads,incomplete}
       chown ${uid}:${gid} ${rootVolume} ${rootVolume}/{config,downloads,incomplete}
@@ -32,6 +64,9 @@ in
       serviceName = "podman-${name}-autorestart";
     in
     {
+      services."caddy".serviceConfig = {
+        EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
+      };
       services.${serviceName} = {
         description = "Podman container ${name} autorestart";
         serviceConfig = {
diff --git a/system/podman/ytptube.nix b/system/podman/ytptube.nix
index 69cc7de..97f9290 100644
--- a/system/podman/ytptube.nix
+++ b/system/podman/ytptube.nix
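Review bot: The `@require_auth not remote_ip private_ranges` matcher added to the virtual host's extraConfig exempts any client whose immediate TCP peer is a private address, so if this Caddy instance is reached through another proxy or tunnel on the LAN (not visible in this patch) every external request would skip `basicauth`; if the exemption is meant only for direct LAN clients that intent deserves a comment, and with a forwarding proxy in front the `client_ip` matcher together with Caddy's `trusted_proxies` global option is what makes the decision follow the real client address. Caddy's `basicauth` compares against hashed credentials, so `{$SOULSEEK_PASSWORD}` must expand to the bcrypt hash rather than the plaintext; the 60-byte ciphertext in secrets/soulseek.yaml suggests it already does, but a line such as `# password is the bcrypt hash produced by caddy hash-password, not the plaintext` beside the `basic_auth` attrset would keep a later edit from storing a plaintext value. The commented-out `# systemd.services."caddy".serviceConfig` block duplicates the live `services."caddy".serviceConfig` added in the second hunk (`@@ -32,6 +64,9 @@`) and should be deleted rather than left as dead code. The matcher and hash points apply equally to the ytptube.nix hunk. The `config = mkIf` attribute set this hunk edits continues outside the hunk.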
@@ -10,10 +10,37 @@ let
   user = config.profile.user;
   uid = toString user.uid;
   gid = toString user.gid;
+  basic_auth = {
+    username = "caddy/basic_auth/username";
+    password = "caddy/basic_auth/password";
+    template = "caddy/basic_auth";
+  };
 in
 {
   config = mkIf (podman.enable && podman.${name}.enable) {
+    sops = {
+      secrets =
+        let
+          opts = { };
+        in
+        {
+          ${basic_auth.username} = opts;
+          ${basic_auth.password} = opts;
+        };
+      templates = {
+        ${basic_auth.template}.content = /*sh*/ ''
+          YTPTUBE_USERNAME=${config.sops.placeholder.${basic_auth.username}}
+          YTPTUBE_PASSWORD=${config.sops.placeholder.${basic_auth.password}}
+        '';
+      };
+    };
     services.caddy.virtualHosts.${domain}.extraConfig = ''
+      @require_auth not remote_ip private_ranges
+
+      basicauth @require_auth {
+        {$YTPTUBE_USERNAME} {$YTPTUBE_PASSWORD}
+      }
+
       reverse_proxy ${ip}:8081
     '';
     system.activationScripts."podman-${name}" = ''
@@ -21,6 +48,10 @@ in
       chown -R ${uid}:${gid} ${volume}
     '';
 
+    systemd.services."caddy".serviceConfig = {
+      EnvironmentFile = [ config.sops.templates.${basic_auth.template}.path ];
+    };
+
     environment.etc."podman/${name}/ytdlp.json" = {
       # https://github.com/arabcoders/ytptube?tab=readme-ov-file#ytdlpjson-file
       source = (pkgs.formats.json { }).generate "config.json" {
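Review bot: The secret names `caddy/basic_auth/username`, `caddy/basic_auth/password` and the template name `caddy/basic_auth` in the new `basic_auth` attrset are service-neutral even though they hold ytptube's credentials, while soulseek.nix scopes its keys as `soulseek/caddy/...`; a third module copying this pattern would define the same `sops.templates."caddy/basic_auth"` and `sops.secrets."caddy/basic_auth/*"` options and collide with this one. Renaming to `ytptube/caddy/username`, `ytptube/caddy/password` and `ytptube/caddy/basic_auth` (with the keys moved under a `ytptube:` map in secrets/secrets.yaml) keeps the two modules parallel. `opts = { }` relies on `sops.defaultSopsFile` being set elsewhere in the configuration, which this patch does not show; a short comment such as `# secrets live in the default sops file (secrets/secrets.yaml)` would make that explicit. The `config = mkIf` attribute set continues outside both hunks.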