feat: network overhaul

2025-12-06 00:57:22 +01:00 · 2025-06-15 04:36:40 +02:00 · 2025-06-15 04:36:40 +02:00 · ed15ef02bb
commit ed15ef02bb
parent 22fe55c284
34 changed files with 1704 additions and 1037 deletions
--- a/modules/nixos/server/firefly-iii.nix
+++ b/modules/nixos/server/firefly-iii.nix
@ -3,6 +3,7 @@ let
  cfg = config.services.firefly-iii;
  fireflyDomain = "stonks.swarsel.win";
  fireflyUser = "firefly-iii";
+  serviceName = "firefly";
 in
 {
  options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server";
@ -31,6 +32,7 @@ in
          APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
          APP_ENV = "local";
          DB_CONNECTION = "sqlite";
+          TRUSTED_PROXIES = "**";
          # AUTHENTICATION_GUARD = "remote_user_guard";
          # AUTHENTICATION_GUARD_HEADER = "X-User";
          # AUTHENTICATION_GUARD_EMAIL = "X-Email";
@ -42,52 +44,7 @@ in
      nginx = {
        virtualHosts = {
          "${fireflyDomain}" = {
-            enableACME = true;
-            forceSSL = true;
-            acmeRoot = null;
-            # main config is automatically added by nixos firefly config.
-            # hence, only provide certificate
            locations = {
-              "/" = {
-                extraConfig = ''
-                  auth_request /oauth2/auth;
-                  error_page 401 = /oauth2/sign_in;
-
-                  # pass information via X-User and X-Email headers to backend,
-                  # requires running with --set-xauthrequest flag (done by NixOS)
-                  auth_request_set $user   $upstream_http_x_auth_request_user;
-                  auth_request_set $email  $upstream_http_x_auth_request_email;
-                  proxy_set_header X-User  $user;
-                  proxy_set_header X-Email $email;
-
-                  # if you enabled --pass-access-token, this will pass the token to the backend
-                  auth_request_set $token  $upstream_http_x_auth_request_access_token;
-                  proxy_set_header X-Access-Token $token;
-
-                  # if you enabled --cookie-refresh, this is needed for it to work with auth_request
-                  auth_request_set $auth_cookie $upstream_http_set_cookie;
-                  add_header Set-Cookie $auth_cookie;
-                '';
-              };
-              "/oauth2/" = {
-                proxyPass = "http://oauth2-proxy";
-                extraConfig = ''
-
-                  proxy_set_header X-Scheme                $scheme;
-                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
-                '';
-              };
-              "= /oauth2/auth" = {
-                proxyPass = "http://oauth2-proxy/oauth2/auth";
-                extraConfig = ''
-                  internal;
-
-                  proxy_set_header X-Scheme         $scheme;
-                  # nginx auth_request includes headers but not body
-                  proxy_set_header Content-Length   "";
-                  proxy_pass_request_body           off;
-                '';
-              };
              "/api" = {
                extraConfig = ''
                  index index.php;
@ -102,5 +59,70 @@ in
        };
      };
    };
+
+    nodes.moonside.services.nginx = {
+      upstreams = {
+        "${serviceName}" = {
+          servers = {
+            "192.168.1.2:80" = { };
+          };
+        };
+      };
+      virtualHosts = {
+        "${fireflyDomain}" = {
+          enableACME = true;
+          forceSSL = true;
+          acmeRoot = null;
+          # main config is automatically added by nixos firefly config.
+          # hence, only provide certificate
+          locations = {
+            "/" = {
+              proxyPass = "http://${serviceName}";
+              extraConfig = ''
+                auth_request /oauth2/auth;
+                error_page 401 = /oauth2/sign_in;
+
+                # pass information via X-User and X-Email headers to backend,
+                # requires running with --set-xauthrequest flag (done by NixOS)
+                auth_request_set $user   $upstream_http_x_auth_request_user;
+                auth_request_set $email  $upstream_http_x_auth_request_email;
+                proxy_set_header X-User  $user;
+                proxy_set_header X-Email $email;
+
+                # if you enabled --pass-access-token, this will pass the token to the backend
+                auth_request_set $token  $upstream_http_x_auth_request_access_token;
+                proxy_set_header X-Access-Token $token;
+
+                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+                auth_request_set $auth_cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $auth_cookie;
+              '';
+            };
+            "/oauth2/" = {
+              proxyPass = "http://oauth2-proxy";
+              extraConfig = ''
+
+                          proxy_set_header X-Scheme                $scheme;
+                          proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+                        '';
+            };
+            "= /oauth2/auth" = {
+              proxyPass = "http://oauth2-proxy/oauth2/auth";
+              extraConfig = ''
+                internal;
+
+                proxy_set_header X-Scheme         $scheme;
+                # nginx auth_request includes headers but not body
+                proxy_set_header Content-Length   "";
+                proxy_pass_request_body           off;
+              '';
+            };
+            "/api" = {
+              proxyPass = "http://${serviceName}";
+            };
+          };
+        };
+      };
+    };
  };
 }