feat(torrserver): protect dashboard

mrtnvgr · Apr 6, 2024 · aeb1e2e · aeb1e2e
1 parent 4e6d8d7
commit aeb1e2e
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 2 deletions.
diff --git a/hosts/cloud/default.nix b/hosts/cloud/default.nix
@@ -43,7 +43,8 @@
       torrserver = {
         enable = true;
         expose = true;
-        users = import ./secrets/tsdb.nix;
+        users = import ./secrets/tsusers.nix;
+        webUsers = import ./secrets/tsweb.nix;
       };
     };
   };

diff --git a/hosts/cloud/secrets/tsdb.nix → hosts/cloud/secrets/tsusers.nix b/hosts/cloud/secrets/tsdb.nix → hosts/cloud/secrets/tsusers.nix
diff --git a/hosts/cloud/secrets/tsweb.nix b/hosts/cloud/secrets/tsweb.nix
diff --git a/modules/server/misc/torrserver/default.nix b/modules/server/misc/torrserver/default.nix
@@ -42,6 +42,11 @@ in {
       type = types.attrsOf types.str;
       default = {};
     };
+
+    webUsers = mkOption {
+      type = types.attrsOf types.str;
+      default = {};
+    };
   };
 
   config = mkIf cfg.enable {
@@ -87,7 +92,10 @@ in {
     networking.firewall.allowedUDPPorts = mkIf cfg.expose [ cfg.port ];
 
     services.nginx.virtualHosts."ts.${domain}" = mkIf webIsSupported {
-      locations."/".proxyPass = "http://localhost:${toString cfg.port}";
+      locations."/" = {
+        proxyPass = "http://localhost:${toString cfg.port}";
+        basicAuth = cfg.webUsers;
+      };
 
       enableACME = true;
       forceSSL = true;