feat: add tor service and style
feat: add tor service
This commit is contained in:
parent
f48390b15e
commit
7b842b3342
12 changed files with 203 additions and 24 deletions
75
module.nix
75
module.nix
@ -16,6 +16,8 @@ in
|
|||
description = "Domain to serve the website on.";
|
||||
};
|
||||
|
||||
tor.enable = lib.mkEnableOption "Tor hidden service for the website";
|
||||
|
||||
envFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.path;
|
||||
default = null;
|
||||
|
|
@ -36,6 +38,55 @@ in
|
|||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
age.secrets.webhook-secret = {
|
||||
file = "${self}/secrets/webhook-secret.age";
|
||||
mode = "0400";
|
||||
};
|
||||
|
||||
age.secrets.tor-onion-secret-key = lib.mkIf cfg.tor.enable {
|
||||
file = "${self}/secrets/tor-onion-secret-key.age";
|
||||
owner = "tor";
|
||||
group = "tor";
|
||||
mode = "0400";
|
||||
};
|
||||
age.secrets.tor-onion-public-key = lib.mkIf cfg.tor.enable {
|
||||
file = "${self}/secrets/tor-onion-public-key.age";
|
||||
owner = "tor";
|
||||
group = "tor";
|
||||
mode = "0444";
|
||||
};
|
||||
age.secrets.tor-onion-hostname = lib.mkIf cfg.tor.enable {
|
||||
file = "${self}/secrets/tor-onion-hostname.age";
|
||||
owner = "tor";
|
||||
group = "tor";
|
||||
mode = "0444";
|
||||
};
|
||||
|
||||
services.tor = lib.mkIf cfg.tor.enable {
|
||||
enable = true;
|
||||
relay.onionServices.jetpham-website = {
|
||||
map = [{ port = 80; target = { addr = "127.0.0.1"; port = 8888; }; }];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.tor-onion-keys = lib.mkIf cfg.tor.enable {
|
||||
description = "Copy Tor onion keys into place";
|
||||
after = [ "agenix.service" ];
|
||||
before = [ "tor.service" ];
|
||||
wantedBy = [ "tor.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
dir="/var/lib/tor/onion/jetpham-website"
|
||||
mkdir -p "$dir"
|
||||
cp ${config.age.secrets.tor-onion-secret-key.path} "$dir/hs_ed25519_secret_key"
|
||||
cp ${config.age.secrets.tor-onion-public-key.path} "$dir/hs_ed25519_public_key"
|
||||
cp ${config.age.secrets.tor-onion-hostname.path} "$dir/hostname"
|
||||
chown -R tor:tor "$dir"
|
||||
chmod 700 "$dir"
|
||||
chmod 400 "$dir/hs_ed25519_secret_key"
|
||||
chmod 444 "$dir/hs_ed25519_public_key" "$dir/hostname"
|
||||
'';
|
||||
};
|
||||
# Q&A API systemd service
|
||||
systemd.services.jetpham-qa-api = {
|
||||
description = "Jet Pham Q&A API";
|
||||
|
|
@ -47,14 +98,11 @@ in
|
|||
Environment = [ "QA_DB_PATH=/var/lib/jetpham-qa/qa.db" ];
|
||||
Restart = "on-failure";
|
||||
RestartSec = 5;
|
||||
} // lib.optionalAttrs (cfg.webhookSecretFile == null) {
|
||||
ExecStart = "${qaApi}/bin/jetpham-qa-api";
|
||||
LoadCredential = "webhook-secret:${config.age.secrets.webhook-secret.path}";
|
||||
} // lib.optionalAttrs (cfg.envFile != null) {
|
||||
EnvironmentFile = cfg.envFile;
|
||||
} // lib.optionalAttrs (cfg.webhookSecretFile != null) {
|
||||
LoadCredential = "webhook-secret:${cfg.webhookSecretFile}";
|
||||
};
|
||||
script = lib.mkIf (cfg.webhookSecretFile != null) ''
|
||||
script = ''
|
||||
export WEBHOOK_SECRET="$(cat $CREDENTIALS_DIRECTORY/webhook-secret)"
|
||||
exec ${qaApi}/bin/jetpham-qa-api
|
||||
'';
|
||||
|
|
@ -76,5 +124,22 @@ in
|
|||
}
|
||||
'';
|
||||
};
|
||||
|
||||
services.caddy.virtualHosts."http://127.0.0.1:8888" = lib.mkIf cfg.tor.enable {
|
||||
extraConfig = ''
|
||||
header Cross-Origin-Opener-Policy "same-origin"
|
||||
header Cross-Origin-Embedder-Policy "require-corp"
|
||||
|
||||
handle /api/* {
|
||||
reverse_proxy 127.0.0.1:3001
|
||||
}
|
||||
|
||||
handle {
|
||||
root * ${package}
|
||||
try_files {path} /index.html
|
||||
file_server
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
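Review bot: In the tor-onion-keys service (second hunk, `script = ''` block) the secret key is first created with `cp` and only afterwards restricted with `chown -R` and `chmod 400`, so ownership and mode are set in separate steps and depend on the inherited umask in between; `install -m 0400 -o tor -g tor` sets both atomically at creation, and `install -d -m 0700 -o tor -g tor "$dir"` does the same for the directory, which `mkdir -p` currently creates root-owned before the later `chown -R`. Tor regenerates `hostname` and `hs_ed25519_public_key` from `hs_ed25519_secret_key` on start, so the two extra age secrets and their copies at lines with `tor-onion-public-key` and `tor-onion-hostname` are presumably unnecessary — worth confirming on the Tor version deployed. The `after = [ "agenix.service" ]` ordering only helps if that unit exists on this host (agenix decrypts in an activation script by default); systemd silently ignores unknown units in After=, so the copy then relies on activation order rather than the declared dependency — a comment stating which agenix setup this assumes would help the next maintainer. If the NixOS `services.tor.relay.onionServices.<name>.secretKey` option is available in the channel in use, it performs this key installation itself and would replace the custom unit.
```nix
script = ''
  dir="/var/lib/tor/onion/jetpham-website"
  # install(1) applies owner and mode at creation, so neither the directory
  # nor the key ever exists with a wider mode than intended.
  install -d -m 0700 -o tor -g tor "$dir"
  install -m 0400 -o tor -g tor ${config.age.secrets.tor-onion-secret-key.path} "$dir/hs_ed25519_secret_key"
  # … unchanged: public key and hostname copies, if they are kept …
'';
```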