refactor(nginx): proxy options

2026-02-09 12:29:19 -08:00 · 2024-04-18 10:40:35 -07:00 · 2024-04-18 10:40:35 -07:00 · 02508ecbd3
commit 02508ecbd3
parent c3f3fe1fed
18 changed files with 638 additions and 424 deletions
--- a/nixos/grocy.nix
+++ b/nixos/grocy.nix
@ -11,58 +11,54 @@ in {
        currency = mkDefault "CAD";
      };
    };
-    services.nginx = let
-      extraConfig = mkAfter ''
-        set $grocy_user guest;
-        set $grocy_middleware Grocy\Middleware\ReverseProxyAuthMiddleware;
-        set $grocy_auth_header GENSO_GROCY_USER;
-        set $grocy_auth_env true;
+    services.nginx.virtualHosts = {
+      grocy'php = mkIf cfg.enable ({config, xvars, ...}: let
+        extraConfig = mkAfter ''
+          set $grocy_user guest;
+          set $grocy_middleware Grocy\Middleware\ReverseProxyAuthMiddleware;
+          set $grocy_auth_header GENSO_GROCY_USER;
+          set $grocy_auth_env true;

-        if ($http_grocy_api_key) {
-          set $grocy_user "";
-        }
-        if ($request_uri ~ "^/api(/.*|)$") {
-          set $grocy_user "";
-        }
-        if ($http_x_vouch_user ~ "^([^@]+)@.*$") {
-          set $grocy_user $1;
-        }
-        if ($http_x_grocy_user) {
-          #set $grocy_auth_header X-Grocy-User;
-          #set $grocy_auth_env false;
-          set $grocy_user $http_x_grocy_user;
-        }
-        if ($grocy_user = "") {
-          set $grocy_middleware Grocy\Middleware\DefaultAuthMiddleware;
-        }
+          if ($http_grocy_api_key) {
+            set $grocy_user "";
+          }
+          if ($request_uri ~ "^/api(/.*|)$") {
+            set $grocy_user "";
+          }
+          if ($http_x_vouch_user ~ "^([^@]+)@.*$") {
+            set $grocy_user $1;
+          }
+          if ($http_x_grocy_user) {
+            #set $grocy_auth_header X-Grocy-User;
+            #set $grocy_auth_env false;
+            set $grocy_user $http_x_grocy_user;
+          }
+          if ($grocy_user = "") {
+            set $grocy_middleware Grocy\Middleware\DefaultAuthMiddleware;
+          }

-        fastcgi_param GROCY_AUTH_CLASS $grocy_middleware;
-        fastcgi_param GROCY_REVERSE_PROXY_AUTH_USE_ENV $grocy_auth_env;
-        fastcgi_param GROCY_REVERSE_PROXY_AUTH_HEADER $grocy_auth_header;
-        fastcgi_param GENSO_GROCY_USER $grocy_user;
+          fastcgi_param GROCY_AUTH_CLASS $grocy_middleware;
+          fastcgi_param GROCY_REVERSE_PROXY_AUTH_USE_ENV $grocy_auth_env;
+          fastcgi_param GROCY_REVERSE_PROXY_AUTH_HEADER $grocy_auth_header;
+          fastcgi_param GENSO_GROCY_USER $grocy_user;

-        set $grocy_https "";
-        if ($x_scheme = https) {
-          set $grocy_https 1;
-        }
-        fastcgi_param HTTP_HOST $x_forwarded_host;
-        fastcgi_param REQUEST_SCHEME $x_scheme;
-        fastcgi_param HTTPS $grocy_https if_not_empty;
-      '';
-    in {
-      virtualHosts = {
-        grocy'php = mkIf cfg.enable ({config, ...}: {
-          name.shortServer = mkDefault "grocy";
-          proxied = {
-            enable = true;
-            xvars.enable = true;
-          };
-          local.denyGlobal = true;
-          locations."~ \\.php$" = {
-            inherit extraConfig;
-          };
-        });
-      };
+          set $grocy_https "";
+          if (${xvars.get.scheme} = https) {
+            set $grocy_https 1;
+          }
+          fastcgi_param HTTP_HOST ${xvars.get.host};
+          fastcgi_param REQUEST_SCHEME ${xvars.get.scheme};
+          fastcgi_param HTTPS $grocy_https if_not_empty;
+        '';
+      in {
+        name.shortServer = mkDefault "grocy";
+        proxied.enable = true;
+        xvars.enable = true;
+        local.denyGlobal = true;
+        locations."~ \\.php$" = {
+          inherit extraConfig;
+        };
+      });
    };
    users.users.grocy = mkIf cfg.enable {
      uid = 911;