feat(bbuddy): hakurei access

2026-02-09 20:39:18 -08:00 · 2024-03-22 11:36:30 -07:00 · 2024-03-22 11:36:30 -07:00 · 34bca016b4
commit 34bca016b4
parent c51fdb847b
8 changed files with 97 additions and 29 deletions
--- a/modules/nixos/barcodebuddy.nix
+++ b/modules/nixos/barcodebuddy.nix
@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }: let
  inherit (lib.options) mkOption mkEnableOption mkPackageOption;
-  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault mkOverride;
+  inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault mkOverride;
  inherit (lib.attrsets) mapAttrs mapAttrs' nameValuePair;
-  inherit (lib.lists) isList optional imap0;
+  inherit (lib.lists) isList imap0;
  inherit (lib.strings) concatStringsSep;
  mkAlmostOptionDefault = mkOverride 1250;
  mapOptionDefaults = mapAttrs (_: mkOptionDefault);
@ -75,6 +75,9 @@ in {
      type = attrsOf (oneOf [ str bool int (listOf str) ]);
      description = "https://github.com/Forceu/barcodebuddy/blob/master/config-dist.php";
    };
+    nginxConfig = mkOption {
+      type = lines;
+    };
    nginxPhpConfig = mkOption {
      type = lines;
    };
@ -99,16 +102,19 @@ in {
          REDIS_PW = toString cfg.redis.password;
        };
      in mkMerge [ defaults (mkIf cfg.redis.enable redis) ];
-      nginxPhpConfig = mkMerge [
+      nginxConfig = mkMerge [
        ''
+          index index.php index.html index.htm;
          include ${config.services.nginx.package}/conf/fastcgi.conf;
-          fastcgi_pass unix:${config.services.phpfpm.pools.barcodebuddy.socket};
          fastcgi_read_timeout 80s;
        ''
        (mkIf cfg.reverseProxy.enable ''
          fastcgi_pass_header "X-Accel-Buffering";
        '')
      ];
+      nginxPhpConfig = mkAfter ''
+        fastcgi_pass unix:${config.services.phpfpm.pools.barcodebuddy.socket};
+      '';
      redis = let
        redis = config.services.redis.servers.${cfg.redis.server};
      in mkIf (cfg.redis.server != null) {
@ -171,9 +177,7 @@ in {
          '';
          "~ \\.php$".extraConfig = cfg.nginxPhpConfig;
        };
-        extraConfig = ''
-          index index.php index.html index.htm;
-        '';
+        extraConfig = cfg.nginxConfig;
      };
    };
    conf.systemd.services.bbuddy-websocket = mkIf cfg.screen.enable {
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
@ -178,16 +178,20 @@
            return 302 $vouch_url/login?url=$x_scheme://$x_forwarded_host$request_uri&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
          '';
        };
-        ${cfg.auth.requestLocation} = {
+        ${cfg.auth.requestLocation} = { config, ... }: {
          proxyPass = "${vouch.proxyOrigin}/validate";
-          proxy.headers.enableRecommended = true;
+          proxy.headers.enableRecommended = false;
+          proxied.rewriteReferer = false;
          extraConfig = let
            # nginx-proxied vouch must use X-Forwarded-Host, but vanilla vouch requires Host
            vouchProxyHost = if vouch.doubleProxy
-              then "''"
+              then "${config.proxy.host}"
              else "$x_forwarded_host";
          in ''
-            set $x_proxy_host ${vouchProxyHost};
+            proxy_set_header Host ${vouchProxyHost};
+            proxy_set_header X-Forwarded-Host $x_forwarded_host;
+            proxy_set_header Referer $x_referer;
+            proxy_set_header X-Forwarded-Proto $x_scheme;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
          '';