renge/buchborgen: Init

2022-06-27 14:45:48 +02:00 · 2022-06-27 14:45:48 +02:00 · d3c063b909
parent 8dc59487f3
commit d3c063b909
2 changed files with 44 additions and 0 deletions
--- a/machines/renge/configuration.nix
+++ b/machines/renge/configuration.nix
@ -7,6 +7,7 @@

    ./services/ankisyncd.nix
    ./services/bang-evaluator.nix
+    ./services/buchborgen.nix
    ./services/coturn.nix
    ./services/element-web.nix
    ./services/gitea.nix
--- a/machines/renge/services/buchborgen.nix
+++ b/machines/renge/services/buchborgen.nix
@ -0,0 +1,43 @@
+{ pkgs, ... }:
+let
+  hiddenService = "kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion";
+in
+{
+  services.tor = {
+    enable = true;
+    client.enable = true;
+  };
+  systemd.services."socat-trantor" = {
+    after = [ "network.target" ];
+    before = [ "nginx.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      DynamicUser = true;
+      ExecStart = "${pkgs.socat}/bin/socat tcp4-LISTEN:3003,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:${hiddenService}:80,socksport=9050";
+      Restart = "on-failure";
+    };
+  };
+
+  services.nginx = {
+    appendHttpConfig = ''
+      proxy_cache_path /var/cache/nginx/trantor levels=1:2 keys_zone=trantor:10m max_size=200m inactive=3600m use_temp_path=off;
+    '';
+    virtualHosts."buchborgen.sbruder.xyz" = {
+      enableACME = true;
+      forceSSL = true;
+
+      basicAuthFile = "/etc/nginx/trantor.htpasswd";
+
+      locations."/" = {
+        extraConfig = ''
+          proxy_set_header Authorization "";
+          proxy_set_header Host "${hiddenService}";
+          proxy_cache trantor;
+          proxy_cache_valid any 1h;
+          proxy_pass http://127.0.0.1:3003;
+        '';
+      };
+    };
+  };
+}