refactor: cleaner nginx settings

2025-12-06 00:57:22 +01:00 · 2025-06-16 19:40:14 +02:00 · 2025-06-16 19:40:14 +02:00 · 266ad63ceb
commit 266ad63ceb
parent 057c7e9194
9 changed files with 438 additions and 386 deletions
--- a/modules/nixos/server/firefly-iii.nix
+++ b/modules/nixos/server/firefly-iii.nix
@ -52,12 +52,11 @@ in
          "${fireflyDomain}" = {
            locations = {
              "/api" = {
+                setOauth2Headers = false;
                extraConfig = ''
                  index index.php;
                  try_files $uri $uri/ /index.php?$query_string;
                  add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
-                  proxy_set_header X-User  "";
-                  proxy_set_header X-Email "";
                '';
              };
            };
@ -79,52 +78,18 @@ in
          enableACME = true;
          forceSSL = true;
          acmeRoot = null;
+          oauth2.enable = true;
+          oauth2.allowedGroups = [ "firefly_access" ];
          # main config is automatically added by nixos firefly config.
          # hence, only provide certificate
          locations = {
            "/" = {
              proxyPass = "http://${serviceName}";
-              extraConfig = ''
-                auth_request /oauth2/auth;
-                error_page 401 = /oauth2/sign_in;
-
-                # pass information via X-User and X-Email headers to backend,
-                # requires running with --set-xauthrequest flag (done by NixOS)
-                auth_request_set $user   $upstream_http_x_auth_request_user;
-                auth_request_set $email  $upstream_http_x_auth_request_email;
-                proxy_set_header X-User  $user;
-                proxy_set_header X-Email $email;
-
-                # if you enabled --pass-access-token, this will pass the token to the backend
-                auth_request_set $token  $upstream_http_x_auth_request_access_token;
-                proxy_set_header X-Access-Token $token;
-
-                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
-                auth_request_set $auth_cookie $upstream_http_set_cookie;
-                add_header Set-Cookie $auth_cookie;
-              '';
-            };
-            "/oauth2/" = {
-              proxyPass = "http://oauth2-proxy";
-              extraConfig = ''
-
-                          proxy_set_header X-Scheme                $scheme;
-                          proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-                        '';
-            };
-            "= /oauth2/auth" = {
-              proxyPass = "http://oauth2-proxy/oauth2/auth";
-              extraConfig = ''
-                internal;
-
-                proxy_set_header X-Scheme         $scheme;
-                # nginx auth_request includes headers but not body
-                proxy_set_header Content-Length   "";
-                proxy_pass_request_body           off;
-              '';
            };
            "/api" = {
              proxyPass = "http://${serviceName}";
+              setOauth2Headers = false;
+              bypassAuth = true;
            };
          };
        };