From 756f4e3c5d222072a639f0e05fa93b1c8f3f490c Mon Sep 17 00:00:00 2001
From: "Gustavo L de Mello (Guz)"
Date: Fri, 8 Nov 2024 20:33:20 -0300
Subject: [PATCH] feat: anonimize domains and add auth support

---
 capytal/caddy.nix | 26 +++++++++--
 secrets/spacestation.lesser.json | 79 ++++++++++++++++++++++----------
 secrets/spacestation.yaml | 6 +-
 3 files changed, 80 insertions(+), 31 deletions(-)

diff --git a/capytal/caddy.nix b/capytal/caddy.nix
index 28b93da..24df3dd 100644
--- a/capytal/caddy.nix
+++ b/capytal/caddy.nix
@@ -11,7 +11,7 @@ in {
 services.caddy.xcaddy.enable = true;
 services.caddy.email = secrets.capytal.caddy.email;
 services.caddy.extraConfig = ''
- (capytal_tls) {
+ (capytal_env) {
 tls {
 dns cloudflare {
 zone_token {env.CAPYTAL_CF_ZONE_TOKEN}
@@ -19,7 +19,7 @@ in {
 }
 }
 }
- (home_tls) {
+ (home_env) {
 tls {
 dns cloudflare {
 zone_token {env.HOME_CF_ZONE_TOKEN}
@@ -28,7 +28,7 @@ in {
 }
 }
 '';
- services.caddy.virtualHosts = let
+ services.caddy.virtualHosts = with builtins; let
 caddyCfg = secrets.capytal.caddy;
 setConfig = c: let
 reverse_proxy =
@@ -42,18 +42,34 @@ in {
 if c ? redir
 then "redir ${c.redir}"
 else "";
+
+ auth =
+ if c ? auth
+ then ''
+ basic_auth {
+ ${
+ concatStringsSep "\n" (map (v: "${v.user} ${v.passwd}") c.auth)
+ }
+ }
+ ''
+ else "";
 in {
 extraConfig = ''
 ${reverse_proxy}
 ${redir}
+ ${auth}
 import ${
 if c ? env
 then c.env
- else "capytal_tls"
+ else "capytal_env"
 }
 '';
 };
- hosts = lib.attrsets.mapAttrs (n: v: setConfig v) caddyCfg.hosts;
+ hosts = listToAttrs (map (v: {
+ name = v.pattern;
+ value = setConfig v.config;
+ })
+ caddyCfg.hosts);
 in
 hosts;
 systemd.services.caddy.serviceConfig = {
diff --git a/secrets/spacestation.lesser.json b/secrets/spacestation.lesser.json
index c796390..9551909 100644
--- a/secrets/spacestation.lesser.json
+++ b/secrets/spacestation.lesser.json
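Review bot: In the `auth =` binding of the last hunk, `v.passwd` is interpolated verbatim into the generated Caddyfile, and as far as I can tell the NixOS caddy module renders `services.caddy.virtualHosts` into a world-readable Nix store path, whereas the Cloudflare tokens in the same file are deliberately kept out of it via `{env.CAPYTAL_CF_ZONE_TOKEN}`-style placeholders. Even if the secret holds a bcrypt hash rather than a clear-text password, a readable hash is open to offline guessing by any local user, so consider carrying the hash through the same env-placeholder mechanism or confirm that store exposure is acceptable for this credential. Caddy's `basic_auth` compares against a hashed value, and nothing here says so; a comment above `auth =` such as `# c.auth entries are {user, passwd}; passwd must be a bcrypt hash, never the plain password` would stop a plain password being committed to the `passwd` key introduced in secrets/spacestation.lesser.json. The enclosing `setConfig` let-binding starts before and ends after the hunk.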
@@ -11,36 +11,69 @@
 "caddy": {
 "email": "ENC[AES256_GCM,data:OwCqxT+aiwmyoY3i4vO+i8FAyHzN/wU=,iv:8Gw0cqrW1OKyyANlmIIKXKisch1CGYaznIfTjGYyZa8=,tag:xvTKXhag6Gp0V7xmv8NBhg==,type:str]",
 "defaultIp": "ENC[AES256_GCM,data:u+sITdDcl9TzabF8Pg==,iv:3GEn3lERvdbyKKf2r7qTxPOjq9/Im6TJraSKnrtOzWA=,tag:7A31e17vqsgI72Aj0kZqjA==,type:str]",
- "hosts": {
- "forgejo.i.capytal.company": {
- "redir": "ENC[AES256_GCM,data:Qxo0iumZ9K2m/zFkPkDc6/7/7gkeCc8ThUzLfk+/qa7U,iv:aaaHns2oc9NDwxNQ8jKfKF5tCpNFL7mGGxsQ31WDK7w=,tag:pnvTcKsPX9ZLAcHzTwYaTQ==,type:str]"
+ "hosts": [
+ {
+ "pattern": "ENC[AES256_GCM,data:cj3RCHnPQqnDVrHECNsKcSfrYxCScisSVg==,iv:IzmtlDXQiIEQmCX7Vgf5Q/YWmJAlyqlDCHTyAtuj4Ss=,tag:G4MYjx3p2G1Fzwu5dQVpiw==,type:str]",
+ "config": {
+ "redir": "ENC[AES256_GCM,data:AiVHPAITKBhu2nMfNGJRqJaqPm04eH1e3KETkjJaHuzI,iv:yo7VnT2IBnIYxEcRsU1Ez04k5Y5k07FK63JNRVYq3ks=,tag:r/zSBU08gUqo1vdIX10kFQ==,type:str]"
+ }
 },
- "gadmin.i.capytal.company": {
- "port": "ENC[AES256_GCM,data:1BPSyA==,iv:QIFh79CReD7PmTfdJfkHOrJXUSK7+17/+OM4Y+a34uM=,tag:vKVC1CAZjE6rAw15M84I4A==,type:float]"
+ {
+ "pattern": "ENC[AES256_GCM,data:CXqDhBeiI+JvOZ5VgGKV8RCBD/1xrTg0,iv:nrp3iAUb3mQlPGw/CF6Ec8n1s6QVLS2WUzRYAeF8B6Q=,tag:9fNae5dqVdQ0PFbBvYW8dQ==,type:str]",
+ "config": {
+ "port": "ENC[AES256_GCM,data:hLsg+g==,iv:AUBzBTW77WfZ++WuXI3Qt8S+hUVDadGGU0hutF/xj5o=,tag:GdxguYHjbwK2orkTgHDNRw==,type:float]"
+ }
 },
- "gapi.i.capytal.company": {
- "port": "ENC[AES256_GCM,data:WWBl+w==,iv:saxQfd1zikI2F25eTPBrH07v1BOwdQlBFTkkRDCEJfI=,tag:I6Gq7fJ7BOV1pJyt4woZXQ==,type:float]"
+ {
+ "pattern": "ENC[AES256_GCM,data:isvmRsofmk/icmu0XOLytLJWQvRNmA==,iv:/5Qh/HzHoW8heMqPR6ZMfhrW83/v92n3ycZuRjasYoY=,tag:Y/NJWB3VnZ7iOsAErRx3+Q==,type:str]",
+ "config": {
+ "port": "ENC[AES256_GCM,data:B3mFfw==,iv:DJvviYYCINzcEmXkd657UQR4lgcedGWCbtE1M+CZPVc=,tag:m8Yl11jTRH08H6QjM48ggw==,type:float]"
+ }
 },
- "gk2v.i.capytal.company": {
- "port": "ENC[AES256_GCM,data:3kgX1Q==,iv:sDQdX1rh7v2W8iWrTPZQ3MceA1sofww/K3tmuyswgdY=,tag:166LvzOI5QXbWFQDCfCF+g==,type:float]"
+ {
+ "pattern": "ENC[AES256_GCM,data:TlyclBJgutYVottPkEEYm2o9hz9TVw==,iv:FVccv+ac/eqVCMSFcp2jjuquPG5armboYvLaAc+PHpI=,tag:YR6TVaTG4msI8ggdzqPTzA==,type:str]",
+ "config": {
+ "port": "ENC[AES256_GCM,data:9AAArA==,iv:sveBGP4ltKbeBD6IRerSHQxzjFy958DAzw1MSs0R7Hw=,tag:AnJcyGU4rJq0m3IvwwRZ3w==,type:float]"
+ }
 },
- "grpc.i.capytal.company": {
- "port": "ENC[AES256_GCM,data:lRwqLQ==,iv:YcX79E4u47lsoOKq5EPSDVuTGSq9nwQ3nAGbwTwUkog=,tag:KQ7EJvcCiljmViR3OIWHFg==,type:float]"
+ {
+ "pattern": "ENC[AES256_GCM,data:7631wlUSUfvV+uNECvMoYr74lQZMug==,iv:GF9H4rEHVX3MnxGpAnNDDm0uhxCZzqApnPrKr8VsogQ=,tag:A+Q139PKx32hOpU1ammcKA==,type:str]",
+ "config": {
+ "port": "ENC[AES256_GCM,data:RZtqyQ==,iv:XHS+fbJwNx+i4TJHe/REO0ZGg7HDSEuhc9rZ/eDSCQ0=,tag:nVvx9cuk2CmvKlAnHJ3T4A==,type:float]"
+ }
 },
- "gweb.i.capytal.company": {
- "port": "ENC[AES256_GCM,data:6estbA==,iv:552X7bzCuxynn+tvhy3+Ah+hf8O55J3H62OM7QX3qoo=,tag:Mf6lkzJxz+aQ1c0VW/9buQ==,type:float]"
+ {
+ "pattern": "ENC[AES256_GCM,data:2bwI6saJvcuQTKdE0C1qElMEP6TE8A==,iv:ptTIxkMqRYZb3AD1lA3jr3cjlnJij4+f64aTb34BkGo=,tag:BCwTM+dHEaRfsd+3k19V4w==,type:str]",
+ "config": {
+ "port": "ENC[AES256_GCM,data:oxlscg==,iv:C7PiR6yMzieXnPl/E5aNTRMsH8xgIlv5CRyyom2bDqw=,tag:xuTtIIB8N1eTknRx43Q6Iw==,type:float]"
+ }
 },
- "sqld.i.capytal.company": {
- "port": "ENC[AES256_GCM,data:qnTTIw==,iv:CD6nvM/3cghGuXJ0Nz2dZdEo6YXE4bODIvIVy+j4Nus=,tag:N5CjPGpwj4WkmgG9wcLksA==,type:float]"
+ {
+ "pattern": "ENC[AES256_GCM,data:VheGanizkj6hZvI95A4FBkQayNFaJQ==,iv:mDFzX3k6G3Q9OUVU3gTFYZDGv58mnZA7FrAWO5yyLlQ=,tag:Bk/n+pJGHtEClJlwai9CyQ==,type:str]",
+ "config": {
+ "port": "ENC[AES256_GCM,data:hGsChw==,iv:SF42YLgM20LLEKXLvelZHeWM/q2OztAKQHhhcc5ovN4=,tag:PYCKwv/etrtJvKT7GqvM0Q==,type:float]"
+ }
 },
- "sqld-grpc.i.capytal.company": {
- "port": "ENC[AES256_GCM,data:sPjt7w==,iv:JcGc6ckArrin/q7yrwfaYfCce3j+mD20wIE5yECMUUM=,tag:nFm5it3tqsm+FkBunHeWXw==,type:float]"
+ {
+ "pattern": "ENC[AES256_GCM,data:XdHkPDrUajh8LIVewnirgDrBkHRAickE2BHH,iv:CuXWgpLo+YZ1YBoqNYW1YyIbN6vQYdHLplNTX46HODo=,tag:E8c3ms9zsaZjOidzIjpyKw==,type:str]",
+ "config": {
+ "port": "ENC[AES256_GCM,data:ARzYdw==,iv:IXtZkdkfesNcAi78K/+5jx9GZju0T0OjfIgn0Jg0H1w=,tag:uyt/iLEPomARsDeHA/DdMQ==,type:float]"
+ }
 },
- "adguard.h.guz.one": {
- "port": "ENC[AES256_GCM,data:wSRtbw==,iv:klATChefaOf+kTSiham7c3fyHb2u72qXOFTD2IPRQfg=,tag:JukmGXxwM65EB7SRGaXj/w==,type:float]",
- "env": "ENC[AES256_GCM,data:xP7W2nShNU0=,iv:L6sAD6v5P1gvszgurIOndISRwAqaNpgGmwWS5EpEAy0=,tag:KmsMZYYQpaDbQGSodfTsLw==,type:str]"
+ {
+ "pattern": "ENC[AES256_GCM,data:aLoMiLJn3We5EjBzzr3GY0A=,iv:CZ05BwoPdkE+b6yP07YfSiz0GlWNKKKHbZ7ru5+SMrA=,tag:3QmqBjbKZ3xu/yltMjdLcg==,type:str]",
+ "config": {
+ "port": "ENC[AES256_GCM,data:JRy9OQ==,iv:WWdjQVc12IAKWqsQnXC5WYALmc6QcJlJGnQGbkPWWBQ=,tag:mJE45PfqIMqOjXSVyPBNBw==,type:float]",
+ "env": "ENC[AES256_GCM,data:7VCj6pEXmpY=,iv:nVrrzX4SufKFcZVv+X+KnTs+RrEzzcWfwhucOqrcxbs=,tag:PTbnoPKJL1WAiGptiZtzhA==,type:str]",
+ "auth": [
+ {
+ "user": "ENC[AES256_GCM,data:XogBJ61GPQ==,iv:VECpTjq+5f+uJ4LHIXJjjqkjxKTEee8I+tahiqqhu4I=,tag:aM4o19REPU1IMZZPw6kXKA==,type:str]",
+ "passwd": "ENC[AES256_GCM,data:TBHBmtRbUdnP1fh9FKW5iBduo6cMixL8ubXzYI2WoKSgVu2qLayEY/Z+NX4wVEv6ZOvdTn8T+0LoBnNy,iv:/QZQMlU6DMK14CBTnKxtNTSZ3JCHht38BNFVKOzG8Zs=,tag:4JrgPJRORi4HlxXbbOXQcg==,type:str]"
+ }
+ ]
+ }
 }
- }
+ ]
 },
 "services": {
 "forgejo": {
@@ -99,8 +132,8 @@
 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL3dCY1VLMmoxRFRmS0Ir\nV0ppTnI0RE5ZMjcvRGNPWkNxWFdJYTBDTG00ClRGQkh1UStGTmc0RE5aNy9nL3FI\nbHJIa3hLR0ZkTjd6WkFzOFkzeFdMNUEKLS0tIDBidk93Qy9LenFlSGZ2aEpuTUFt\nWVM2eS9UdXAvbzE4eEdKMjVEM3RLdm8KKeIhk+YOKVL9Y19lLyb6/Pxv8rbewK2e\nLm96jx+LOMOCFcQGxuFKWqQbTB4br/cPvRKSY5jFmFWqVg7pCPTAzQ==\n-----END AGE ENCRYPTED FILE-----\n"
 }
 ],
- "lastmodified": "2024-11-08T13:45:54Z",
- "mac": "ENC[AES256_GCM,data:B4jGOsd66wcETxULNdAcLL6rhQWkTnAJ/arjrMfdamdDS5X9Qke47v/Epg/cTfVqx7Mijn1v/YEHdzG8x0ZPRxZIVsBaEWOvJnE5Uw2Gs2It/PNef9oVtJHfiA6PntpdJkkwJYV3RIgdBlN5sS+VJuLY19MUPGN49pcHqSHqWJk=,iv:FUNX8jlXOBDmiuVHU0Q4XvPjCZDcjR/ZcL5se8BTc6k=,tag:pKpG3fDUPJyb3WAgH+HIGw==,type:str]",
+ "lastmodified": "2024-11-08T23:18:01Z",
+ "mac": "ENC[AES256_GCM,data:lsnLJVWJD7RPhnOrlvDTM+LN+/OZU6+5joMzNoecqIi4YZ8rGqiegppvhexHB1VBhDxTvWkhIme2cb/8tcl3mjoUGn4CrYeROs0ao9zM1VuJR/X/NoOAqOkPqu4+msFq7ikije+KJiN6oMKDGo/A8yIAscWeLmB8ImwcD2cA8o0=,iv:kSw4knHyjhJOfs+RBCmVItlFE51mXuMbAK+UUomR3VA=,tag:JOcjdGuHhurOiEksllB1nA==,type:str]",
 "pgp": null,
 "unencrypted_suffix": "_unencrypted",
 "version": "3.9.0"
diff --git a/secrets/spacestation.yaml b/secrets/spacestation.yaml
index db65a67..c9fce89 100644
--- a/secrets/spacestation.yaml
+++ b/secrets/spacestation.yaml
@@ -14,7 +14,7 @@ discord:
 environment: ENC[AES256_GCM,data:014h9/uoqKr6LDd4eDK/Ji91i8MR42q+p3sS4U2fx3VgjX34Xlx1KHxdXaX6BF4QBO9saQNfW2QjN/qE6qILDEGd9uZA4DiRnjoJCOYAETWyiMiK9Se6kE4QbN33IwpIphcxpRm+HP0x5R08WIbWJ+CHSoSpgEcez8iuwqTdK1sC7jrILmqQLMGPmF+yYZcxbaPfNRj0mu0jPpRt6fnhDuHvJ00wXHDC1n5bgsxi7oUdsGYJegLhFcRqAsdgq5qB/vO+d5GVJ9IkF0CsYiSUQVvUVdbOHvcA657jLjB8Fz+KIqW/AM2mMcgRdpRReOLYEsVAaS6gRdZr,iv:hdhTSfBZHgabivcAQTtL8Nfy+Pog+OD5SOJTtL8sJJA=,tag:JxUgFpiHG+55OWOb5TCnKw==,type:str]
 caddy:
 capytal:
- env: ENC[AES256_GCM,data:6V7iWEKf0BT1pwqygAct2VA9HMVNAPEeZkdxsKme/HZZFpAKHvzV8hkAXYxPoMWgX+iEM6CG1VjzVEfh/AoXk9wvfpDDe+9IBKHUGvynq4l5HQFryDlpkBlncBNeWAM0wuSMo22NuTo8S3tlF37bl4H4AUjjCk89cUbrHiTXxgsi+FZoDZuNtCAQELZxWTbelSlmXBqgp4Jy2rSmurXINlMOIqUxpD6K8v5I2+Tqr3wnUCJ6fGyqNCtTeCKWNzaCMGDyeBWVvUAZ6O078+l7+5xhP0tZADoCp4RKa2Oa1Yj9NYuFffsllRmHuhxj/JQGNipsSRs=,iv:3e6nKOKKrlPpQaKvfgJCHVcJD8t8jLbmlZlm2VJVNjg=,tag:GL/gmT+pQPG82eS09ywK7g==,type:str]
+ env: ENC[AES256_GCM,data:7t9Vv+S9LFzNIR/STpXzVeH9MCnog9Yb27gvrV3HGCWwN0139qvX36ja95iwLPpRK9SLFYTA+ToiMLiU4HK+imBC/4ZXbxKIPFGCoEx44fwxFrri/2s74BHLzGvo8kJujZ2GX+3TGSYxzqMB7VSIeBgefl9qu3Byn/hMJ4bTsBLjIrSAtlnhGbbGsU5xbU+sjPeqFHLmQm0vPYovW437j3/Ok+NxvxquKr+iPiCOuysldzaccOmuflrG8NhKZSAcAzJCiMVMyj7ERtUL6M4s+vdImVW1cDqavvXmt97v+pZPzGjrEeIzn8k9YUppvWYgN0tlL76mm4C9CbS6dMpaOXW6+s1ylPzdykhZ9Gq+Ye33qSs4Sw7taCplZr9T6c/UmBZ5ouABLHxiOuWPjUjyABhLvkMd2SLCsANOJOzgHWNpFERX5PFqeUWlSSVWoprWclUgBQ==,iv:pgEzAQHH/Vm66W+/QYulQc37/m3XJwY7krEBwgK0cTY=,tag:8BHfKFElXTFLRK6SINuRxw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -30,8 +30,8 @@ sops:
 amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
 4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-08T13:37:06Z"
- mac: ENC[AES256_GCM,data:qOa5zdcTwutZvVKgrnrR66qJbWVRi36dyreqSZE5ugnGMIjAxQNewknCGk8/q9QUf22/84hHvEvO+uubm6tIIPOtmnfzUyhjk5vF+qPKDRE14lo1te0HZdgIJEi2dcjL7DyKBit4MqRBG+zQ/0eZ08/WIJtjGvMiRDl/e+Emq+I=,iv:gKMryS7SyTVKa1szEMT98gF7CCb96+6nUqQ2+j/lD0w=,tag:mn79m26+XxI2RJP989E4cw==,type:str]
+ lastmodified: "2024-11-08T14:30:52Z"
+ mac: ENC[AES256_GCM,data:Xrvfbm3JsCkalLrDbPVn9wnvmsNya3MSdK+EigsFHR90Ut7rNx0ol08nODDGeMNjNuNqVKfR6ppmb0fwU0LO/77SHgnfxTW5aueTGUlF+8H40IqeMqOKdGWCFxMFfi8XDmMjlQRzyIOrTYyL7yxetykP/T/p0uISldy8mhuc67M=,iv:wu4z2uC/jRrRhmD5ytUgLwU5MRy+/lWK9iW2NySOa5I=,tag:mlExbX4ojefFjUiY9p+dYw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0