From 34bca016b4326b65f394e0fa7a476175d00b5cc6 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Fri, 22 Mar 2024 11:36:30 -0700
Subject: [PATCH] feat(bbuddy): hakurei access

---
 modules/nixos/barcodebuddy.nix | 18 +++++++-----
 modules/nixos/nginx/vouch.nix | 12 +++++---
 nixos/access/barcodebuddy.nix | 53 ++++++++++++++++++++++++++++++++++
 nixos/access/grocy.nix | 2 +-
 nixos/barcodebuddy.nix | 24 +++++----------
 systems/hakurei/nixos.nix | 15 ++++++++++
 systems/tei/nixos.nix | 1 +
 tf/cloudflare_records.tf | 1 +
 8 files changed, 97 insertions(+), 29 deletions(-)
 create mode 100644 nixos/access/barcodebuddy.nix

diff --git a/modules/nixos/barcodebuddy.nix b/modules/nixos/barcodebuddy.nix
index 3e4cee0d..a55652e7 100644
--- a/modules/nixos/barcodebuddy.nix
+++ b/modules/nixos/barcodebuddy.nix
@@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }: let
   inherit (lib.options) mkOption mkEnableOption mkPackageOption;
-  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault mkOverride;
+  inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault mkOverride;
   inherit (lib.attrsets) mapAttrs mapAttrs' nameValuePair;
-  inherit (lib.lists) isList optional imap0;
+  inherit (lib.lists) isList imap0;
   inherit (lib.strings) concatStringsSep;
   mkAlmostOptionDefault = mkOverride 1250;
   mapOptionDefaults = mapAttrs (_: mkOptionDefault);
@@ -75,6 +75,9 @@ in {
       type = attrsOf (oneOf [ str bool int (listOf str) ]);
       description = "https://github.com/Forceu/barcodebuddy/blob/master/config-dist.php";
     };
+    nginxConfig = mkOption {
+      type = lines;
+    };
     nginxPhpConfig = mkOption {
       type = lines;
     };
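Review bot: `nginxConfig` is declared with a `type` only — no `description` and no `default` — and the sibling `nginxPhpConfig` beneath it has the same gap, so neither option explains itself in generated docs. The module supplies both values itself in the `@@ -99` hunk, so evaluation is fine, but a reader cannot tell from the declaration that `nginxConfig` becomes the virtual host's server-level `extraConfig` while `nginxPhpConfig` lands in the `~ \.php$` location (the `@@ -171` hunk). Suggest `description = "Extra nginx directives for the barcodebuddy virtual host (server context).";` here and `description = "Extra nginx directives for the PHP location (~ \\.php$) of the barcodebuddy virtual host.";` on the sibling. The enclosing options set continues outside the hunk.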
@@ -99,16 +102,19 @@ in {
       REDIS_PW = toString cfg.redis.password;
     };
   in mkMerge [ defaults (mkIf cfg.redis.enable redis) ];
-  nginxPhpConfig = mkMerge [
+  nginxConfig = mkMerge [
     ''
+      index index.php index.html index.htm;
       include ${config.services.nginx.package}/conf/fastcgi.conf;
-      fastcgi_pass unix:${config.services.phpfpm.pools.barcodebuddy.socket};
       fastcgi_read_timeout 80s;
     ''
     (mkIf cfg.reverseProxy.enable ''
       fastcgi_pass_header "X-Accel-Buffering";
     '')
   ];
+  nginxPhpConfig = mkAfter ''
+    fastcgi_pass unix:${config.services.phpfpm.pools.barcodebuddy.socket};
+  '';
   redis = let
     redis = config.services.redis.servers.${cfg.redis.server};
   in mkIf (cfg.redis.server != null) {
@@ -171,9 +177,7 @@ in {
         '';
         "~ \\.php$".extraConfig = cfg.nginxPhpConfig;
       };
-      extraConfig = ''
-        index index.php index.html index.htm;
-      '';
+      extraConfig = cfg.nginxConfig;
     };
   };
   conf.systemd.services.bbuddy-websocket = mkIf cfg.screen.enable {
diff --git a/modules/nixos/nginx/vouch.nix b/modules/nixos/nginx/vouch.nix
index 4dcf290b..0d3d6a3b 100644
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
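Review bot: With this hunk `include .../fastcgi.conf` moves to the server-level `nginxConfig` (and nixos/barcodebuddy.nix moves its sops `fastcgi-params` include the same way), while `fastcgi_pass` now stands alone in the `~ \.php$` location via `nginxPhpConfig`. nginx inherits `fastcgi_param` directives from server into a location only when that location declares none of its own, so any consumer that adds a single `fastcgi_param` through `nginxPhpConfig` silently loses `SCRIPT_FILENAME` and every other parameter from the included files. Worth a comment on the `nginxPhpConfig = mkAfter ''` line: `# keep fastcgi_param out of the php location: one here would shadow every server-level param from nginxConfig`. The `mkAfter` also means the socket line sorts after whatever a consumer merges in, which is fine for `fastcgi_pass` but belongs in the option's description.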
@@ -178,16 +178,20 @@
         return 302 $vouch_url/login?url=$x_scheme://$x_forwarded_host$request_uri&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
       '';
     };
-    ${cfg.auth.requestLocation} = {
+    ${cfg.auth.requestLocation} = { config, ... }: {
       proxyPass = "${vouch.proxyOrigin}/validate";
-      proxy.headers.enableRecommended = true;
+      proxy.headers.enableRecommended = false;
+      proxied.rewriteReferer = false;
       extraConfig = let
         # nginx-proxied vouch must use X-Forwarded-Host, but vanilla vouch requires Host
         vouchProxyHost = if vouch.doubleProxy
-          then "''"
+          then "${config.proxy.host}"
           else "$x_forwarded_host";
       in ''
-        set $x_proxy_host ${vouchProxyHost};
+        proxy_set_header Host ${vouchProxyHost};
+        proxy_set_header X-Forwarded-Host $x_forwarded_host;
+        proxy_set_header Referer $x_referer;
+        proxy_set_header X-Forwarded-Proto $x_scheme;
         proxy_pass_request_body off;
         proxy_set_header Content-Length "";
       '';
diff --git a/nixos/access/barcodebuddy.nix b/nixos/access/barcodebuddy.nix
new file mode 100644
index 00000000..40920efc
--- /dev/null
+++ b/nixos/access/barcodebuddy.nix
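Review bot: The comment above `vouchProxyHost` (`nginx-proxied vouch must use X-Forwarded-Host, but vanilla vouch requires Host`) is now stale: the new lines send both `Host` and `X-Forwarded-Host` unconditionally, and the conditional only decides whether `Host` carries `config.proxy.host` or `$x_forwarded_host`. Suggest rewording it to `# Host: this proxy's own name when vouch is itself nginx-proxied, else the original host; X-Forwarded-Host always carries the original host`. Because `/validate` is the request vouch authorizes against, a one-line note on where `$x_forwarded_host` comes from would help too — if the xvars module copies it from a client-supplied `X-Forwarded-Host` only when `proxied` trusts an upstream, say so here, since a client-controlled value would let the caller choose the domain vouch evaluates. If `enableRecommended = false` also stops `X-Real-IP`/`X-Forwarded-For` reaching vouch (presumably, if it maps to nginx's recommended proxy settings), state whether that is intended or add them next to the other `proxy_set_header` lines. The location block closes outside the hunk.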
@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (config.services) barcodebuddy nginx;
+  name.shortServer = mkDefault "bbuddy";
+  serverName = "bbuddy_internal";
+  extraConfig = ''
+    set $x_proxy_host ${serverName};
+  '';
+in {
+  config.services.nginx.virtualHosts = {
+    barcodebuddy'php = mkIf barcodebuddy.enable {
+      inherit serverName;
+      proxied.enable = mkDefault true;
+      local.denyGlobal = true;
+    };
+    barcodebuddy = {
+      inherit name extraConfig;
+      vouch = {
+        enable = true;
+        requireAuth = false;
+      };
+      locations = {
+        "/api/" = {
+          proxy.headers.enableRecommended = true;
+          proxyPass = mkDefault "${nginx.virtualHosts.barcodebuddy.locations."/".proxyPass}/api/";
+        };
+        "/" = {
+          proxy.headers.enableRecommended = true;
+          vouch.requireAuth = true;
+          proxyPass = mkIf barcodebuddy.enable (mkDefault
+            "http://localhost:${toString nginx.defaultHTTPListenPort}"
+          );
+        };
+      };
+    };
+    barcodebuddy'local = {
+      inherit name extraConfig;
+      ssl.cert.copyFromVhost = "barcodebuddy";
+      local.enable = mkDefault true;
+      locations."/" = {
+        proxy.headers.enableRecommended = true;
+        proxyPass = mkDefault nginx.virtualHosts.barcodebuddy.locations."/".proxyPass;
+        extraConfig = ''
+          proxy_redirect $x_scheme://${serverName}/ $x_scheme://$x_host/;
+        '';
+      };
+    };
+  };
+}
diff --git a/nixos/access/grocy.nix b/nixos/access/grocy.nix
index c94c8651..52742ac1 100644
--- a/nixos/access/grocy.nix
+++ b/nixos/access/grocy.nix
@@ -23,7 +23,7 @@ in {
     local.enable = mkDefault true;
     locations."/" = mkIf (!grocy.enable) {
       proxyPass = mkDefault (if grocy.enable
-        then "http://localhost:${nginx.defaultHTTPListenPort}"
+        then "http://localhost:${toString nginx.defaultHTTPListenPort}"
         else nginx.virtualHosts.grocy.locations."/".proxyPass
       );
       proxy.headers.enableRecommended = true;
diff --git a/nixos/barcodebuddy.nix b/nixos/barcodebuddy.nix
index 8d7e0585..e2f9b425 100644
--- a/nixos/barcodebuddy.nix
+++ b/nixos/barcodebuddy.nix
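Review bot: The `/api/` location inherits the vhost's `requireAuth = false`, so the whole `/api/` prefix is now reachable without vouch, whereas the per-location rules this commit removes from nixos/barcodebuddy.nix exempted only `= /api/index.php`; with `DISABLE_AUTHENTICATION = true` in the app settings, whatever check the upstream API applies on that path is the only one left, and the location deserves a comment saying so, e.g. `# unauthenticated on purpose: the bbuddy API is expected to enforce its own API key, not vouch — confirm`. Separately, `barcodebuddy'local` rewrites `Location:` headers naming `bbuddy_internal` back to `$x_host`, but the public `barcodebuddy` vhost's `/` location has no matching `proxy_redirect`, so if the backend builds absolute redirects from the `Host` it receives, public clients would be sent to the internal server name; mirroring that `proxy_redirect` line there (or moving it into the shared `extraConfig`) closes the gap. Note also that the `/api/` proxyPass interpolates `locations."/".proxyPass`, which defaults to null in the NixOS nginx module, so a host that imports this file without setting `/` fails at evaluation rather than at nginx start — fine as fail-fast, but worth a comment.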
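Review bot: The string fixed here is unreachable: `locations."/"` is defined under `mkIf (!grocy.enable)`, so inside it `grocy.enable` is always false and the `then` branch never evaluates. The `toString` fix is correct as far as it goes, but the conditional could collapse to `proxyPass = mkDefault nginx.virtualHosts.grocy.locations."/".proxyPass;`, or the `mkIf` guard should be reconsidered if the local-proxy case was meant to be reachable. The location block continues outside the hunk.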
@@ -5,17 +5,17 @@ in { config.services.barcodebuddy = { enable = mkDefault true; - hostName = mkDefault "barcodebuddy"; + hostName = mkDefault "barcodebuddy'php"; reverseProxy.enable = mkDefault true; settings = { EXTERNAL_GROCY_URL = "https://grocy.${config.networking.domain}"; DISABLE_AUTHENTICATION = true; }; - nginxPhpConfig = mkMerge [ + nginxConfig = mkMerge [ '' include ${config.sops.secrets.barcodebuddy-fastcgi-params.path}; '' - (mkIf nginx.virtualHosts.barcodebuddy.proxied.enabled (mkAfter '' + (mkIf cfg.reverseProxy.enable (mkAfter '' set $bbuddy_https ""; if ($x_scheme = https) { set $bbuddy_https 1;
@@ -26,22 +26,12 @@ in {
       '')
     ];
   };
-  config.services.nginx.virtualHosts.barcodebuddy = mkIf cfg.enable {
-    proxied.xvars.enable = true;
-    vouch = {
-      enable = true;
-      requireAuth = false;
+  config.services.nginx.virtualHosts.barcodebuddy'php = mkIf cfg.enable {
+    proxied = {
+      enable = cfg.reverseProxy.enable;
+      xvars.enable = true;
     };
     name.shortServer = mkDefault "bbuddy";
-    locations = {
-      "= /api/index.php" = {
-        vouch.requireAuth = false;
-        extraConfig = cfg.nginxPhpConfig;
-      };
-      "~ \\.php$" = {
-        vouch.requireAuth = true;
-      };
-    };
   };
   config.users.users.barcodebuddy = mkIf cfg.enable {
     uid = 912;
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 7145c91a..4a2f2605 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -43,6 +43,7 @@ in {
     nixos.access.home-assistant
     nixos.access.zigbee2mqtt
     nixos.access.grocy
+    nixos.access.barcodebuddy
     nixos.access.proxmox
     nixos.access.plex
     nixos.access.invidious
@@ -112,6 +113,14 @@ in {
         virtualHosts.grocy'local.allServerNames
       ];
     };
+    bbuddy = {
+      inherit (nginx) group;
+      domain = virtualHosts.barcodebuddy.serverName;
+      extraDomainNames = mkMerge [
+        virtualHosts.barcodebuddy.serverAliases
+        virtualHosts.barcodebuddy'local.allServerNames
+      ];
+    };
     login = {
       inherit (nginx) group;
       domain = virtualHosts.vouch.serverName;
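Review bot: After the `@@ -26` hunk the `barcodebuddy'php` vhost carries no `vouch` settings at all, and the first hunk keeps `DISABLE_AUTHENTICATION = true` in the app config, so nothing on this server name authenticates anymore; the only things between a client and PHP are the fronting `barcodebuddy` vhost and the `local.denyGlobal = true` that nixos/access/barcodebuddy.nix sets on this same vhost (assuming that option does what its name suggests). That dependency is invisible from this file, so the `config.services.nginx.virtualHosts.barcodebuddy'php` line should record it, e.g. `# no vouch here on purpose: auth is enforced by the fronting barcodebuddy vhost (nixos/access/barcodebuddy.nix), which also marks this serverName local-only via local.denyGlobal`. This file also sets `proxied.enable = cfg.reverseProxy.enable` while the access module sets `proxied.enable = mkDefault true` for the same vhost; the plain assignment here wins, which is presumably intended but worth a word. The enclosing attribute set continues outside the hunk.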
@@ -239,6 +248,12 @@ in {
       ssl.cert.enable = true;
       locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
     };
+    barcodebuddy = {
+      # not the real bbuddy record-holder, so don't respond globally..
+      local.denyGlobal = true;
+      ssl.cert.enable = true;
+      locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
+    };
     freepbx = {
       ssl.cert.enable = true;
     };
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index d98bcc6e..b15c4793 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@@ -17,6 +17,7 @@ in {
     nixos.postgres
     nixos.nginx
     nixos.access.zigbee2mqtt
+    nixos.access.barcodebuddy
     nixos.mosquitto
     nixos.home-assistant
     nixos.zigbee2mqtt
diff --git a/tf/cloudflare_records.tf b/tf/cloudflare_records.tf
index 081b2a22..2a0a9a75 100644
--- a/tf/cloudflare_records.tf
+++ b/tf/cloudflare_records.tf
@@ -29,6 +29,7 @@ module "hakurei_system_records" {
     "home",
     "z2m",
     "grocy",
+    "bbuddy",
     "yt",
   ]
   global_subdomains = [
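Review bot: The new `barcodebuddy` block on hakurei repeats the preceding vhost line for line apart from `local.denyGlobal`, and its comment says what this host is not rather than what the block does; the visible lines forward to tei over the tailnet and the next file imports nixos.access.barcodebuddy on tei, so the comment could name that, e.g. `# fronts bbuddy on tei over the tailnet; tei (looks like the real record-holder) answers globally, so don't respond here`. Since hakurei also imports the access module, this vhost presumably gets its shared `extraConfig` (`set $x_proxy_host bbuddy_internal`), so the hop to tei would land on tei's internal PHP vhost directly with vouch enforced only on hakurei's side — if that is the intent it belongs in the same comment. The enclosing `virtualHosts` set continues outside the hunk.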