rpi4: reverse proxy basic auth services

hosts/rpi4/services.nix

@@ -10,6 +10,12 @@
       group = "secrets";
     };
 
+    age.secrets.htpasswd = {
+      file = ../../secrets/htpasswd.age;
+      group = "nginx";
+      mode = "0750";
+    };
+
     users.groups.secrets = {};
     users.users.acme.extraGroups = [ "secrets" ];
 
@@ -60,14 +66,35 @@
       '';
 
       virtualHosts = let
-        mkReverseProxy = port: {
         useACMEHost = "protogen.io";
+        mkProxy = args@{ upstream ? "http://127.0.0.1:${builtins.toString args.port}", auth ? false, extraConfig ? {}, ... }:
+        lib.mkMerge [
+          {
+            inherit useACMEHost;
             forceSSL = true;
             locations."/" = {
-            proxyPass = "http://127.0.0.1:${builtins.toString port}";
+              proxyPass = upstream;
               proxyWebsockets = true;
             };
-        };
+          }
+          (lib.mkIf auth {
+            basicAuthFile = config.age.secrets.htpasswd.path;
+          })
+          extraConfig
+        ];
+
+        # mkReverseProxy = port: {
+        #   inherit useACMEHost;
+        #   forceSSL = true;
+        #   locations."/" = {
+        #     proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        #     proxyWebsockets = true;
+        #   };
+        # };
+
+        mkAuthProxy = port: mkProxy { inherit port; auth = true; };
+
+        mkReverseProxy = port: mkProxy { inherit port; };
       in {
         # TODO change all these with a vim macro when i learn how to extend submodules
         "changedetection.protogen.io" = mkReverseProxy 5000;
@@ -78,15 +105,28 @@
         "hass.protogen.io" = mkReverseProxy 8123;
         "node.protogen.io" = mkReverseProxy 1880;
         # z2m auth 8124
+        "z2m.protogen.io" = mkAuthProxy 8124;
         "room.protogen.io" = mkReverseProxy 8096;
-        # deemix auth 8096
+        "deemix.protogen.io" = mkAuthProxy 6595;
         # libreddit auth 8087
+        "libreddit.protogen.io" = mkAuthProxy 8087;
         "rss.protogen.io" = mkReverseProxy 8082;
         "blahaj.protogen.io" = mkReverseProxy 8086;
         # octoprint (proxy_addr is 10.10.1.8)
+        "print.protogen.io" = mkProxy { auth = true; upstream = "http://10.10.1.8:80";
         # searx auth 8088 (none for /favicon.ico, /autocompleter, /opensearch.xml)
+        "searx.protogen.io" = let
+          port = 8088;
+        in mkProxy { auth = true; inherit port; extraConfig = {
+          location = lib.genAttrs [ "/favicon.ico" "/autocompleter" "/opensearch.xml" ] (attr: {
+            basicAuthFile = lib.mkForce null;
+            basicAuth = lib.mkForce { };
+          });
+        };};
         # nbt.sh alias proot.link 8090
+        "nbt.sh" = mkProxy { port = 8090; extraConfig.serverAliases = [ "proot.link" ]; };
         # admin.nbt.sh alias admin.proot.link 8091 auth
+        "admin.nbt.sh" = mkProxy { auth = true; port = 8091; extraConfig.serverAliases = [ "admin.proot.link" ]; };
         # create track map todo later
         "uptime.protogen.io" = mkReverseProxy 3001;
         "kuma.protogen.io".locations."/".return = "301 https://uptime.protogen.io";

secrets/htpasswd.age

@@ -0,0 +1,45 @@
+age-encryption.org/v1
+-> ssh-ed25519 YUrFgQ 8WQBMCkjicWOLC2VK6jU2Ptdk4RT9WgdKXraRxi3PF0
+QYy5HHQARLGUAoPThtewY03oRiZLBqFoO0chAD3q/rg
+-> ssh-rsa I7EAZw
+isc+FnXDX30TOu3Sxv053CPMoS3uj62hoKp+GlPm7tCyM3Jx4QHRFgKKpIAgGT4A
+5TFyfhCrdAcd7+qnEh7e6nuql06tDRM815KPdlNusVvmUbirmsXa3zrMV++S/AYX
+L1KldsHHb6bWFb50iExvvzRwIUrxOwzqmxa95bBoeeRT75NcJt5RA0sixp2/eQNJ
+qiapiKjB0c5AEuhxyiHxu4OcXK+2WOzn/fgCQTewyIoTBgcSl1GK4JXYO03KTPJY
+pZdir6tmZVV9EV9rrR6imDTVYLafQ0on4yuXhHSieGO1rVhfcvITdGEzplfkdTa/
+KxPwEbmlJ2JtjakcV9Cgkd0iAZbePBnWb+5GIc3PbDErhXQUb84iNgBc7zSSdg8B
+/FXo34wdbzfZRj8VQPyNDqlo1+UGZZVYC06dWJrX5R19CQWUgXzqxJajTyfzTAvO
+T3PMQhaGKRbwl/t7VAz3zaZBM2lIMF2Rg0pOWwRcdLLPn9cwhmR1B8k4MpDC0LPn
+
+-> ssh-rsa 0pGLuA
+M6m5KDIADEEpqZt0la7ClPdC0/v32qbB1fap2f6/FWQhf2mxEHu8cGbUvve0+Hqs
+qJ41cU08leDcPFATwHM2agYvpyAyaTWTFtF10+7iQ5TYIbcynsMl/ycoHcTg/Fns
+9Qn8Bh3neZ0ThF7U1DnuJG89mBbAWdZKs1W+h0Zz73XOU18J6x02TXsmCSr6Cwvz
+I0svcVQ90S0g5un/lp4+HQ7TUILEPufkAAbnT7Yxofc/rU0yvsYFvA0CEilykbC8
++IT1gwGpBCgLqdnQyOu2FuiIKHMIyExD+x/G8UA3T6GdyuhfUZWPgSxrUiSR3lz0
+9cAvEq0koDz3c3X/zvaCqZ3Ap0HbpAEF9yocmCZFhUBIh5z7q7NOQdglhsgD9Q0x
+J+zHDVFYe0crxsz3AvXeFFTfzrA0jnJFIJM8y5jgZRVddKD5PJ/zmGGJTFLqzstn
+Mc/7lnygZ762p3idjt2YFD+yWzqHcsnt4G+b/c9PYeP7wo1XCyM+3U3lXXhRGjlp
+
+-> ssh-rsa JoBDow
+WtoZZECDEnZusujZ1CQwcG6yQPCiNipdwFZZQJg5FluuF3Oyqm/BWXRlUyb3QTMF
+jhKhg1kbuIJONJZO2qVt4fxooQ/V6VOgOqDm1ULMYD6Slz1dpZslkxKsCRqNJJO8
+GNkCno8u96e/M20Htc+EldFjtNculr2WUXXT9JNWkrwqzF8CMWlkZweFXv3odn/p
+iP2TogKveKngFoJxuotvcV/tJINeP6E9zqGmjCLBdWP1YM8J+cnCdAfJW4QBV8sX
+0ZrsRMnl6xwTgZ8WFXp2HRaAz+ra598RACynYsAhJiQBQ8niZWc9DFTjLYvIOmhn
+ycNLWvIKzPCtk3wxg2q0uJewloWgDVO9rcDIDkzBmxjkyLFRpqwqlVTsnPqoEBVD
+B7g4LCmRHR9Jm6zFd8RY/m4xTmyYml3W3EgTV9F7yS5nKPSvsbxErWtT06VaOkGt
+Uz9h93l65bqmcWwkq/PXQATAmcCIMx5bbtdmoVRX9HjcIz0rA5t3a+zbXklOBBBa
+
+-> ssh-rsa wzTCUg
+pz+KL09EpRSoUDPzujMDlUEJXAPDtfRZuuykC6lhgGvUMrbc73JmOnckynkcUwVa
+w/Y0dGc9Ajiq0ncIiKBpx/GxbD7DZ2kDGeiiBiS5MrHx9yITb7/4uBuEDgeDXEbs
+11thUyLlTlkpIZFryFHcwdS5Fhj7l0255rsuHbs4M7yw/3ZCdnERrPqTr2ycbd+2
+bTowxquzR0sjBezUOLPNc6IMu0YGENywljCaybhvbKYMtTHJlSPgc2xP/MXXO63e
+tOwfX3dc6rdwWj4IX/nQD8meWVjFjvEHU2NF7SUCv5Ofy6LSW9E07hq96MZ2HiaE
+1HUIXQoBMEsV/p2DfxUfBwAXpr8uFdNdvoROCLYxSh4tK7eKwpxcevY8S3wAMkgJ
+Rju5ZWt4tIzEc7/wZfdZ6wWDvXF53M8C8/FWuofSCaODamZTOp9pBraNvo/e75IP
+b8URE+CIX9myynRnWLZtmjiZu3MP5/lPgArNmvNveZyGlfwxU9fCYeBX7rDqbS6O
+
+--- ExjpgvaIjii+XvdCimTY1jHyh1WvcVUxAepN3krSRQo
+_ÎþP´Vq2qP®ùù3׌6¨œ ”WàØKÀUOuõ˜íR^ev˜áZÂ…51ö¥ƒZ›mC•H{&´p¬ÙÍ|ˈ%-—šà6-$%{ñm…äí'°ÊŽíi~6àÌÅ›·|€ÿ

secrets/secrets.nix

@@ -14,5 +14,6 @@ in
 {
   "cloudflare-dns.age".publicKeys = [ rpi4 ] ++ all-user;
   "wireguard-rpi4.age".publicKeys = [ rpi4 ] ++ all-user;
+  "htpasswd.age".publicKeys = [ rpi4 ] ++ all-user;
 }