fix(calibre-web): secure /opds

secrets/secrets.nix

@@ -25,6 +25,7 @@ in {
   "owntracks/recorder.env.age".publicKeys = [ felschr home-pc home-server ];
   "owntracks/htpasswd.age".publicKeys = [ felschr home-pc home-server ];
   "etebase-server.age".publicKeys = [ felschr home-pc home-server ];
+  "calibre-web/htpasswd.age".publicKeys = [ felschr home-pc home-server ];
   "miniflux.age".publicKeys = [ felschr home-pc home-server ];
   "paperless.age".publicKeys = [ felschr home-pc home-server ];
   "nextcloud/admin.age".publicKeys = [ felschr home-pc home-server ];

services/calibre-web.nix

@@ -2,6 +2,11 @@
 
 let port = 8088;
 in {
+  age.secrets.calibre-web-htpasswd = {
+    file = ../secrets/calibre-web/htpasswd.age;
+    owner = config.services.nginx.user;
+  };
+
   services.calibre-web = {
     enable = true;
     group = "media";
@@ -16,11 +21,17 @@ in {
     virtualHosts."books.felschr.com" = {
       enableACME = true;
       forceSSL = true;
-      locations."/" = {
+      locations = {
-        proxyPass = "http://[::1]:${toString port}";
+        "/" = {
-        extraConfig = ''
+          proxyPass = "http://[::1]:${toString port}";
-          client_max_body_size 500M;
+          extraConfig = ''
-        '';
+            client_max_body_size 500M;
+          '';
+        };
+        "/opds" = {
+          proxyPass = "http://[::1]:${toString port}";
+          basicAuthFile = config.age.secrets.calibre-web-htpasswd.path;
+        };
       };
     };
   };