servo: bitmagnet: restrict behind a login

2025-06-06 21:06:30 +00:00
parent f7b872aba0
commit 503cc832d4
3 changed files with 45 additions and 5 deletions
--- a/hosts/by-name/servo/services/bitmagnet.nix
+++ b/hosts/by-name/servo/services/bitmagnet.nix
@@ -9,17 +9,24 @@
  };

  # bitmagnet web client
-  # unauthenticated, but should be fine to expose:
-  # - WebUI doesn't expose any management/admin interfaces
-  # - Search might be a source for denial-of-service;
-  #   i can address that if/when it becomes a problem
+  # protected by passwd because it exposes some mutation operations:
+  # - queuing "jobs"
+  # - deleting torrent infos (in bulk)
+  # it uses graphql for _everything_, so no easy way to disable just the mutations (and remove the password) AFAICT.
  services.nginx.virtualHosts."bitmagnet.uninsane.org" = {
+    # basicAuth is cleartext user/pw, so FORCE this to happen over SSL
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${config.sane.netns.ovpns.veth.netns.ipv4}:3333";
    };
+    basicAuthFile = config.sops.secrets.bitmagnet_passwd.path;
  };
+  sops.secrets."bitmagnet_passwd" = {
+    owner = config.users.users.nginx.name;
+    mode = "0400";
+  };
+
  sane.dns.zones."uninsane.org".inet.CNAME."bitmagnet" = "native";

  systemd.services.bitmagnet = {
--- a/secrets/servo/README.md
+++ b/secrets/servo/README.md
@@ -1,9 +1,11 @@
+- bitmagnet_passwd
+  - generate pw hash with: `htpasswd -nB ""` (from `apacheHttpd` package)
 - ddns_he.env.bin: Hurricane Electric (he.net) passphrase
 - ddns_afraid.env.bin: freedns.afraid.org API key
  - viewable: <https://freedns.afraid.org/dynamic/>
 - dovecot_passwd: auth for mail accounts
  - passwd file looks like /etc/passwd
-  - generate pw hash with: `nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "my passwd"`
+  - generate pw hash with: `htpasswd -nB "" "my passwd"` (from `apacheHttpd` package)
 - matrix_synapse_secrets:
  - for the smtp_pass; the rest isn't sensitive
 - nix_signing_key.bin:
--- a/secrets/servo/bitmagnet_passwd.bin
+++ b/secrets/servo/bitmagnet_passwd.bin
@@ -0,0 +1,31 @@
+{
+	"data": "ENC[AES256_GCM,data:zncMgAojuCgesH/a3DEXBrge1kpf6crqln/zCS1FosZHZ10aMp5X6cmOgVT5g9nS1KUtGBeTKW+tLEijsyUhTZPS0g==,iv:ymtjdc2XicrDHjZb/CeleUmC7KBwuCqGXADvhIKij54=,tag:ftOmRTrfKeVuknEhDBGzUQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsQ01LUlNwanBSZ2ZMNVRl\nY0w4UERDWjE4REdLbHdiMmZkZFNsMzltUHlNCk5kZmp4ckxEMnd0Z0FRQThrbWZY\nK0hKalRRQkhtWmplNjYzNy9QaW9qL2sKLS0tIFFvd1pxdlI3bS8yaHN2NURlYjhI\nV3pxaWxMWnBhRWk2N1ZFS284VVJSeFEKAPPBMXIroMrjtUNDaVrPCkCg6IDcu/7H\nfhf2ojVO91i2Jwq8rrP+CeenIBgQxzyGKaNaK1VUMXFcMes+9htcrA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nw3z25gn6l8gxneqw43tp8d2354c83d9sn3r0dqy5tapakdwhyvse0j2cc",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UnBqdTdpeCtOLy8zMk1v\nNkpKNnJUT3JjZTJFRkhucHlOL1BYWmRnVkI0CnZqb1Y3aUExYUdKaHZLMTZrTGdo\nSWdua3VQdzRtZm1rbGlZTnBUK295OXMKLS0tIE4xK2ZhemlnNHF0dE4rRTJzS2tt\nQVJxMWVIMVFzSGQ0WENHVnJlcnN0TjgK2VVm06Lw2Whd6Mx8+rC8EKlm5gRPSq3o\nf8eqyN3clqI/KWq8TEruRFJGKqlaDY2S7C+G0zLzfUj//NNwOhzSyw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bjBneHJTRVJRR1AyemV6\nUUpSLy9yNFE5dDg5N0U1dzY0dVpKVXdleEQwCkVEUDN2ay9URXN3Z3h5U1BKZXJl\namFpK0U4cCtiTDREdi9VK09kYWtVekkKLS0tIFRDcE5zQ0hGMFJod05DbTZUYkRY\nVGZwUFVEVndLT0oyRzNSVDRjZHNWL2cKy4RrAIIsT9guf+5FZqKHOV/1UyQgA4j2\nDrexw4ZPWuhbucNP/TUber4/9AcvH5ZILpKLMNiNMmHZgN9olGjeiA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YUwzNkt5UFZjQldaaFJ0\nTDRWVzJIYmR5ajQ1bzV1bkJTdmJTY2JMKzNVCitQSW50aE51eFIwbVFHRlJ5aWw0\najlkUXFja1FUSDFXWEtWSU9TQ1dmNEUKLS0tIG1ZVklESWZWRDFYbFhzcEhRTi91\ndGNJdkdGeStIN05vTG9lSU43eXJRdEUKIhhDy9sAfc/noHvq8oceluY+igrl1Rs3\noLWvaBSh3m6lZXXF8oBDFgbgjzhE0T3nvFdDU5UyY365nmQYozdwvQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeFBJcnVRcThENnNMcDhw\nUS9DQnJOY1JuVlZzaFplQ0xqWTBKYWVhMW5vCmViN3BnZnI2aWJRSE4yb2dLczZz\na21OU3ZiOE1WQ2x6YXptTHJMVVJ5R0UKLS0tIEc5K2RLUE1BMFhkVmovUWtlK0c5\nS2xGdThBRG14Z3RUNVVYeDA3Q1F4amMK4nQ9qd8eEC/jvQe7C7QfPlrTsLUh2PrP\nJQ93tK4VAe6DO/Wz/z7mAHptGrbfLZsNW03CFeoL0X1oiwpnDW1+5A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-06-06T21:00:17Z",
+		"mac": "ENC[AES256_GCM,data:0xTFtKlOF9WLIRmNLXitjNCnniVpf/YldeZAcsEBkHXiqR7h+r6W4AZ/D7uxRRiSKmZaPfYVijb+WRBoiANYKR3zGUQOTt5KEl3ErMKTZXP6d45PQTnm3UfyLR2/jpLPyUcAt4aJmCID3p3hya9+BtzFZnxOpqpLXlsdsNXdpxk=,iv:GQ88hOCxlLYkaSxW3GrCHn/uagujXMUmPrnOkiC2Huw=,tag:uk94P5FcIgesMbpgM0MKSw==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}