From 28998dad847093fcd02baa6b5df440e225fe2850 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sat, 17 Aug 2024 11:41:46 -0700
Subject: [PATCH] chore(hass): hacsfiles CORS
---
 modules/nixos/home-assistant.nix | 1 +
 nixos/access/home-assistant.nix | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/modules/nixos/home-assistant.nix b/modules/nixos/home-assistant.nix
index 5b324cfa..72ff15f4 100644
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@@ -157,6 +157,7 @@ in {
 trusted_proxies = mkIf cfg.reverseProxy.enable cfg.reverseProxy.trustedAddresses;
 cors_allowed_origins = [
 (mkIf cfg.googleAssistant.enable "https://google.com")
+ (mkIf cfg.cast.enable "https://cast.home-assistant.io")
 (mkIf (cfg.localDomain != null) "https://${cfg.localDomain}")
 # TODO: (mkIf (cfg.reverseProxy.enable && cfg.reverseProxy.auth.enable) vouch cors idk)
 "https://www.home-assistant.io"
diff --git a/nixos/access/home-assistant.nix b/nixos/access/home-assistant.nix
index 9fbf557b..126cc22e 100644
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@@ -4,6 +4,7 @@
 ...
 }: let
 inherit (lib.modules) mkIf mkForce mkDefault;
+ inherit (lib.strings) escapeRegex;
 inherit (config.services) nginx home-assistant;
 name.shortServer = mkDefault "home";
 listen' = {
@@ -18,6 +19,15 @@
 upstreamName = "home-assistant'access";
 in {
 config.services.nginx = {
+ commonHttpConfig = ''
+ map $http_origin $hass_allow_origin {
+ ~^https?://(.*\.)?google\.com(:\d+)?$ $http_origin;
+ ~^https?://(www|cast)\.home-assistant\.io(:\d+)?$ $http_origin;
+ ~^https?://${escapeRegex nginx.virtualHosts.home-assistant.serverName}(:\d+)?$ $http_origin;
+ ~^https?://${escapeRegex nginx.virtualHosts.home-assistant'local.serverName}(:\d+)?$ $http_origin;
+ default "";
+ }
+ '';
 upstreams'.${upstreamName}.servers = {
 local = {
 enable = mkDefault home-assistant.enable;
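Review bot: The `$hass_allow_origin` map added to `commonHttpConfig` accepts more than the `cors_allowed_origins` list in modules/nixos/home-assistant.nix. `https?` admits plain-http origins, `(.*\.)?google\.com` admits every google.com subdomain, and the google and cast entries are not gated on the module's googleAssistant/cast enable options. An http origin can be impersonated by anyone on the network path, so for the two public hosts I would pin the scheme and bound the label, e.g. `~^https://([a-z0-9-]+\.)*google\.com(:\d+)?$ $http_origin;` and `~^https://(www|cast)\.home-assistant\.io(:\d+)?$ $http_origin;`. A short comment above the map saying it mirrors `cors_allowed_origins` would help keep the two lists in step.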
@@ -59,6 +69,16 @@ in {
 enable = true;
 };
 };
+ "/hacsfiles/" = {
+ proxy = {
+ inherit headers;
+ enable = true;
+ };
+ headers.set = {
+ Access-Control-Allow-Origin = "$hass_allow_origin";
+ Vary = "Origin";
+ };
+ };
 # TODO: restrict to "/auth/authorize" and "/auth/login_flow" only..?
 "/auth/" = {
 virtualHost,
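Review bot: The new `"/hacsfiles/"` location has no comment saying why this path needs a reflected `Access-Control-Allow-Origin`, and the hunk does not show how `headers.set` is rendered. If it becomes nginx `add_header`, two things are worth checking. nginx emits such a header only on success and redirect responses unless `always` is given, and a location that declares its own `add_header` stops inheriting the server-level ones, so vhost-wide security headers would have to be repeated for this path. I would add something like `# HACS frontend assets are loaded cross-origin; reflect only origins matched by $hass_allow_origin` above the location. The enclosing attribute set starts and ends outside the hunk.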