chore(hass): hacsfiles CORS

modules/nixos/home-assistant.nix

@@ -157,6 +157,7 @@ in {
           trusted_proxies = mkIf cfg.reverseProxy.enable cfg.reverseProxy.trustedAddresses;
           cors_allowed_origins = [
             (mkIf cfg.googleAssistant.enable "https://google.com")
+            (mkIf cfg.cast.enable "https://cast.home-assistant.io")
             (mkIf (cfg.localDomain != null) "https://${cfg.localDomain}")
             # TODO: (mkIf (cfg.reverseProxy.enable && cfg.reverseProxy.auth.enable) vouch cors idk)
             "https://www.home-assistant.io"

nixos/access/home-assistant.nix

@@ -4,6 +4,7 @@
   ...
 }: let
   inherit (lib.modules) mkIf mkForce mkDefault;
+  inherit (lib.strings) escapeRegex;
   inherit (config.services) nginx home-assistant;
   name.shortServer = mkDefault "home";
   listen' = {
@@ -18,6 +19,15 @@
   upstreamName = "home-assistant'access";
 in {
   config.services.nginx = {
+    commonHttpConfig = ''
+      map $http_origin $hass_allow_origin {
+        ~^https?://(.*\.)?google\.com(:\d+)?$ $http_origin;
+        ~^https?://(www|cast)\.home-assistant\.io(:\d+)?$ $http_origin;
+        ~^https?://${escapeRegex nginx.virtualHosts.home-assistant.serverName}(:\d+)?$ $http_origin;
+        ~^https?://${escapeRegex nginx.virtualHosts.home-assistant'local.serverName}(:\d+)?$ $http_origin;
+        default "";
+      }
+    '';
     upstreams'.${upstreamName}.servers = {
       local = {
         enable = mkDefault home-assistant.enable;
@@ -59,6 +69,16 @@ in {
             enable = true;
           };
         };
+        "/hacsfiles/" = {
+          proxy = {
+            inherit headers;
+            enable = true;
+          };
+          headers.set = {
+            Access-Control-Allow-Origin = "$hass_allow_origin";
+            Vary = "Origin";
+          };
+        };
         # TODO: restrict to "/auth/authorize" and "/auth/login_flow" only..?
         "/auth/" = {
           virtualHost,