refactor(nginx): fastcgi params

2026-02-09 12:29:19 -08:00 · 2024-04-20 15:08:27 -07:00 · 2024-04-20 15:08:27 -07:00 · 818106a50f
commit 818106a50f
parent aa13db5f96
8 changed files with 197 additions and 83 deletions
--- a/nixos/access/grocy.nix
+++ b/nixos/access/grocy.nix
@ -51,6 +51,8 @@ in {
    virtualHosts = {
      grocy'php = mkIf grocy.enable {
        inherit serverName;
+        proxied.enable = true;
+        local.denyGlobal = true;
      };
      grocy = mkMerge [ luaAuthHost {
        inherit name extraConfig locations;
--- a/nixos/barcodebuddy.nix
+++ b/nixos/barcodebuddy.nix
@ -1,36 +1,27 @@
-{config, lib, ...}: let
-  inherit (lib.modules) mkIf mkMerge mkAfter mkDefault;
+{config, access, lib, ...}: let
+  inherit (lib.modules) mkIf mkDefault;
  inherit (config.services) nginx;
  cfg = config.services.barcodebuddy;
 in {
  config.services.barcodebuddy = {
    enable = mkDefault true;
    hostName = mkDefault "barcodebuddy'php";
-    reverseProxy.enable = mkDefault true;
+    reverseProxy = {
+      enable = mkDefault nginx.virtualHosts.${cfg.hostName}.proxied.enable;
+      trustedAddresses = access.cidrForNetwork.allLan.all;
+    };
    settings = {
      EXTERNAL_GROCY_URL = "https://grocy.${config.networking.domain}";
      DISABLE_AUTHENTICATION = true;
    };
-    nginxConfig = let
-      xvars = nginx.virtualHosts.barcodebuddy'php.xvars.lib;
-    in mkMerge [
-      ''
-        include ${config.sops.secrets.barcodebuddy-fastcgi-params.path};
-      ''
-      (mkIf cfg.reverseProxy.enable (mkAfter ''
-        set $bbuddy_https "";
-        if (${xvars.get.scheme} = https) {
-          set $bbuddy_https 1;
-        }
-        fastcgi_param HTTPS $bbuddy_https if_not_empty;
-        fastcgi_param REQUEST_SCHEME ${xvars.get.scheme};
-        fastcgi_param HTTP_HOST ${xvars.get.host};
-      ''))
-    ];
+    nginxPhpSettings.extraConfig = ''
+      include ${config.sops.secrets.barcodebuddy-fastcgi-params.path};
+    '';
  };
-  config.services.nginx.virtualHosts.barcodebuddy'php = mkIf cfg.enable {
-    proxied.enable = cfg.reverseProxy.enable;
+  config.services.nginx.virtualHosts.${cfg.hostName} = mkIf cfg.enable {
    name.shortServer = mkDefault "bbuddy";
+    proxied.enable = mkDefault true;
+    local.denyGlobal = mkDefault true;
  };
  config.users.users.barcodebuddy = mkIf cfg.enable {
    uid = 912;
--- a/nixos/grocy.nix
+++ b/nixos/grocy.nix
@ -1,5 +1,5 @@
 {config, lib, ...}: let
-  inherit (lib.modules) mkIf mkDefault mkAfter;
+  inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
  cfg = config.services.grocy;
 in {
  config = {
@ -12,50 +12,57 @@ in {
      };
    };
    services.nginx.virtualHosts = {
-      grocy'php = mkIf cfg.enable ({config, xvars, ...}: let
-        extraConfig = mkAfter ''
-          set $grocy_user guest;
-          set $grocy_middleware Grocy\Middleware\ReverseProxyAuthMiddleware;
-          set $grocy_auth_header GENSO_GROCY_USER;
-          set $grocy_auth_env true;
-
-          if ($http_grocy_api_key) {
-            set $grocy_user "";
-          }
-          if ($request_uri ~ "^/api(/.*|)$") {
-            set $grocy_user "";
-          }
-          if ($http_x_vouch_user ~ "^([^@]+)@.*$") {
-            set $grocy_user $1;
-          }
-          if ($http_x_grocy_user) {
-            #set $grocy_auth_header X-Grocy-User;
-            #set $grocy_auth_env false;
-            set $grocy_user $http_x_grocy_user;
-          }
-          if ($grocy_user = "") {
+      grocy'php = mkIf cfg.enable ({config, ...}: let
+        authHeader = "GENSO_GROCY_USER";
+        extraConfig = mkMerge [
+          (mkBefore ''
            set $grocy_middleware Grocy\Middleware\DefaultAuthMiddleware;
-          }
+            set $grocy_user "";
+          '')
+          (mkIf config.proxied.enable ''
+            set $grocy_user guest;
+            set $grocy_auth_header ${authHeader};
+            set $grocy_auth_env true;

-          fastcgi_param GROCY_AUTH_CLASS $grocy_middleware;
-          fastcgi_param GROCY_REVERSE_PROXY_AUTH_USE_ENV $grocy_auth_env;
-          fastcgi_param GROCY_REVERSE_PROXY_AUTH_HEADER $grocy_auth_header;
-          fastcgi_param GENSO_GROCY_USER $grocy_user;
+            if ($http_grocy_api_key) {
+              set $grocy_user "";
+            }
+            if ($request_uri ~ "^/api(/.*|)$") {
+              set $grocy_user "";
+            }
+            if ($http_x_vouch_user ~ "^([^@]+)@.*$") {
+              set $grocy_user $1;
+            }
+            if ($http_x_grocy_user) {
+              #set $grocy_auth_header X-Grocy-User;
+              #set $grocy_auth_env false;
+              set $grocy_user $http_x_grocy_user;
+            }

-          set $grocy_https "";
-          if (${xvars.get.scheme} = https) {
-            set $grocy_https 1;
-          }
-          fastcgi_param HTTP_HOST ${xvars.get.host};
-          fastcgi_param REQUEST_SCHEME ${xvars.get.scheme};
-          fastcgi_param HTTPS $grocy_https if_not_empty;
-        '';
+            if ($grocy_user) {
+              set $grocy_middleware Grocy\Middleware\ReverseProxyAuthMiddleware;
+            }
+          '')
+        ];
      in {
        name.shortServer = mkDefault "grocy";
-        proxied.enable = true;
-        xvars.enable = true;
-        local.denyGlobal = true;
        locations."~ \\.php$" = {
+          fastcgi = {
+            enable = true;
+            phpfpmPool = "grocy";
+            socket = null;
+            includeDefaults = false;
+            params = mkMerge [
+              {
+                GROCY_AUTH_CLASS = "$grocy_middleware";
+              }
+              (mkIf config.proxied.enable {
+                GROCY_REVERSE_PROXY_AUTH_USE_ENV = "$grocy_auth_env";
+                GROCY_REVERSE_PROXY_AUTH_HEADER = "$grocy_auth_header";
+                ${authHeader} = "$grocy_user";
+              })
+            ];
+          };
          inherit extraConfig;
        };
      });