gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(bbuddy): hakurei access

Browse source
This commit is contained in:
arcnmx 2024-03-22 11:36:30 -07:00
parent c51fdb847b
commit 34bca016b4
8 changed files with 97 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

18
modules/nixos/barcodebuddy.nix
View file

@ -1,8 +1,8 @@
{ config, lib, pkgs, ... }: let
inherit (lib.options) mkOption mkEnableOption mkPackageOption;
inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault mkOverride;
inherit (lib.modules) mkIf mkMerge mkAfter mkDefault mkOptionDefault mkOverride;
inherit (lib.attrsets) mapAttrs mapAttrs' nameValuePair;
inherit (lib.lists) isList optional imap0;
inherit (lib.lists) isList imap0;
inherit (lib.strings) concatStringsSep;
mkAlmostOptionDefault = mkOverride 1250;
mapOptionDefaults = mapAttrs (_: mkOptionDefault);
@ -75,6 +75,9 @@ in {
type = attrsOf (oneOf [ str bool int (listOf str) ]);
description = "https://github.com/Forceu/barcodebuddy/blob/master/config-dist.php";
};
nginxConfig = mkOption {
type = lines;
};
nginxPhpConfig = mkOption {
type = lines;
};
@ -99,16 +102,19 @@ in {
REDIS_PW = toString cfg.redis.password;
};
in mkMerge [ defaults (mkIf cfg.redis.enable redis) ];
nginxPhpConfig = mkMerge [
nginxConfig = mkMerge [
''
index index.php index.html index.htm;
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_pass unix:${config.services.phpfpm.pools.barcodebuddy.socket};
fastcgi_read_timeout 80s;
''
(mkIf cfg.reverseProxy.enable ''
fastcgi_pass_header "X-Accel-Buffering";
'')
];
nginxPhpConfig = mkAfter ''
fastcgi_pass unix:${config.services.phpfpm.pools.barcodebuddy.socket};
'';
redis = let
redis = config.services.redis.servers.${cfg.redis.server};
in mkIf (cfg.redis.server != null) {
@ -171,9 +177,7 @@ in {
'';
"~ \\.php$".extraConfig = cfg.nginxPhpConfig;
};
extraConfig = ''
index index.php index.html index.htm;
'';
extraConfig = cfg.nginxConfig;
};
};
conf.systemd.services.bbuddy-websocket = mkIf cfg.screen.enable {

12
modules/nixos/nginx/vouch.nix
View file

@ -178,16 +178,20 @@
return 302 $vouch_url/login?url=$x_scheme://$x_forwarded_host$request_uri&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
'';
};
${cfg.auth.requestLocation} = {
${cfg.auth.requestLocation} = { config, ... }: {
proxyPass = "${vouch.proxyOrigin}/validate";
proxy.headers.enableRecommended = true;
proxy.headers.enableRecommended = false;
proxied.rewriteReferer = false;
extraConfig = let
# nginx-proxied vouch must use X-Forwarded-Host, but vanilla vouch requires Host
vouchProxyHost = if vouch.doubleProxy
then "''"
then "${config.proxy.host}"
else "$x_forwarded_host";
in ''
set $x_proxy_host ${vouchProxyHost};
proxy_set_header Host ${vouchProxyHost};
proxy_set_header X-Forwarded-Host $x_forwarded_host;
proxy_set_header Referer $x_referer;
proxy_set_header X-Forwarded-Proto $x_scheme;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
'';

53
nixos/access/barcodebuddy.nix Normal file
View file

@ -0,0 +1,53 @@
{
config,
lib,
...
}: let
inherit (lib.modules) mkIf mkDefault;
inherit (config.services) barcodebuddy nginx;
name.shortServer = mkDefault "bbuddy";
serverName = "bbuddy_internal";
extraConfig = ''
set $x_proxy_host ${serverName};
'';
in {
config.services.nginx.virtualHosts = {
barcodebuddy'php = mkIf barcodebuddy.enable {
inherit serverName;
proxied.enable = mkDefault true;
local.denyGlobal = true;
};
barcodebuddy = {
inherit name extraConfig;
vouch = {
enable = true;
requireAuth = false;
};
locations = {
"/api/" = {
proxy.headers.enableRecommended = true;
proxyPass = mkDefault "${nginx.virtualHosts.barcodebuddy.locations."/".proxyPass}/api/";
};
"/" = {
proxy.headers.enableRecommended = true;
vouch.requireAuth = true;
proxyPass = mkIf barcodebuddy.enable (mkDefault
"http://localhost:${toString nginx.defaultHTTPListenPort}"
);
};
};
};
barcodebuddy'local = {
inherit name extraConfig;
ssl.cert.copyFromVhost = "barcodebuddy";
local.enable = mkDefault true;
locations."/" = {
proxy.headers.enableRecommended = true;
proxyPass = mkDefault nginx.virtualHosts.barcodebuddy.locations."/".proxyPass;
extraConfig = ''
proxy_redirect $x_scheme://${serverName}/ $x_scheme://$x_host/;
'';
};
};
};
}

2
nixos/access/grocy.nix
View file

@ -23,7 +23,7 @@ in {
local.enable = mkDefault true;
locations."/" = mkIf (!grocy.enable) {
proxyPass = mkDefault (if grocy.enable
then "http://localhost:${nginx.defaultHTTPListenPort}"
then "http://localhost:${toString nginx.defaultHTTPListenPort}"
else nginx.virtualHosts.grocy.locations."/".proxyPass
);
proxy.headers.enableRecommended = true;

24
nixos/barcodebuddy.nix
View file

@ -5,17 +5,17 @@
in {
config.services.barcodebuddy = {
enable = mkDefault true;
hostName = mkDefault "barcodebuddy";
hostName = mkDefault "barcodebuddy'php";
reverseProxy.enable = mkDefault true;
settings = {
EXTERNAL_GROCY_URL = "https://grocy.${config.networking.domain}";
DISABLE_AUTHENTICATION = true;
};
nginxPhpConfig = mkMerge [
nginxConfig = mkMerge [
''
include ${config.sops.secrets.barcodebuddy-fastcgi-params.path};
''
(mkIf nginx.virtualHosts.barcodebuddy.proxied.enabled (mkAfter ''
(mkIf cfg.reverseProxy.enable (mkAfter ''
set $bbuddy_https "";
if ($x_scheme = https) {
set $bbuddy_https 1;
@ -26,22 +26,12 @@ in {
''))
];
};
config.services.nginx.virtualHosts.barcodebuddy = mkIf cfg.enable {
proxied.xvars.enable = true;
vouch = {
enable = true;
requireAuth = false;
config.services.nginx.virtualHosts.barcodebuddy'php = mkIf cfg.enable {
proxied = {
enable = cfg.reverseProxy.enable;
xvars.enable = true;
};
name.shortServer = mkDefault "bbuddy";
locations = {
"= /api/index.php" = {
vouch.requireAuth = false;
extraConfig = cfg.nginxPhpConfig;
};
"~ \\.php$" = {
vouch.requireAuth = true;
};
};
};
config.users.users.barcodebuddy = mkIf cfg.enable {
uid = 912;

15
systems/hakurei/nixos.nix
View file

@ -43,6 +43,7 @@ in {
nixos.access.home-assistant
nixos.access.zigbee2mqtt
nixos.access.grocy
nixos.access.barcodebuddy
nixos.access.proxmox
nixos.access.plex
nixos.access.invidious
@ -112,6 +113,14 @@ in {
virtualHosts.grocy'local.allServerNames
];
};
bbuddy = {
inherit (nginx) group;
domain = virtualHosts.barcodebuddy.serverName;
extraDomainNames = mkMerge [
virtualHosts.barcodebuddy.serverAliases
virtualHosts.barcodebuddy'local.allServerNames
];
};
login = {
inherit (nginx) group;
domain = virtualHosts.vouch.serverName;
@ -239,6 +248,12 @@ in {
ssl.cert.enable = true;
locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
};
barcodebuddy = {
# not the real bbuddy record-holder, so don't respond globally..
local.denyGlobal = true;
ssl.cert.enable = true;
locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
};
freepbx = {
ssl.cert.enable = true;
};

1
systems/tei/nixos.nix
View file

@ -17,6 +17,7 @@ in {
nixos.postgres
nixos.nginx
nixos.access.zigbee2mqtt
nixos.access.barcodebuddy
nixos.mosquitto
nixos.home-assistant
nixos.zigbee2mqtt

1
tf/cloudflare_records.tf
View file

@ -29,6 +29,7 @@ module "hakurei_system_records" {
"home",
"z2m",
"grocy",
"bbuddy",
"yt",
]
global_subdomains = [