use tailscale auth for hledger

2025-06-10 23:26:27 +03:00
parent 4d91990ea1
commit 269bb6ac6a
6 changed files with 93 additions and 22 deletions
--- a/modules/services/hledger-web.nix
+++ b/modules/services/hledger-web.nix
@@ -8,9 +8,6 @@ in
    subdomain = lib.mkOption {
      type = lib.types.str;
    };
-    basicAuthFile = lib.mkOption {
-      type = lib.types.path;
-    };
    user = lib.mkOption {
      type = lib.types.str;
    };
@@ -24,13 +21,45 @@ in
      hledger-web = {
        allow = lib.mkDefault "edit";
        baseUrl = "https://${fqdn}";
+        serveApi = true;
+        extraOptions = [
+          "--exchange=€"
+        ];
      };

      webserver = {
        enable = lib.mkDefault true;
-        vHosts.${fqdn}.locations."/" = {
-          proxyPort = cfg.port;
-          basicAuthFile = cfg.basicAuthFile;
+        vHosts.${fqdn} = {
+          tailscaleAuth = true;
+          extraConfig = ''
+            root /var/www/ledgio;
+            add_header Access-Control-Allow-Origin $http_origin always;
+            add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT' always;
+            add_header Access-Control-Allow-Headers 'Content-Type' always;
+
+            location ~ \.(html|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+              try_files $uri =404;
+            }
+          '';
+
+          locations = {
+            "@api" = {
+              proxyPort = cfg.port;
+            };
+
+            "/".extraConfig = ''
+              if ($request_method = OPTIONS) {
+                add_header Content-Type text/plain;
+                add_header Content-Length 0;
+                add_header Access-Control-Allow-Origin $http_origin;
+                add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT';
+                add_header Access-Control-Allow-Headers 'Content-Type';
+                return 204;
+              }
+
+              try_files $uri $uri/ @api;
+            '';
+          };
        };
      };
    };
--- a/modules/services/webserver.nix
+++ b/modules/services/webserver.nix
@@ -37,6 +37,10 @@ let
          type = lib.types.bool;
          default = false;
        };
+        extraConfig = lib.mkOption {
+          type = lib.types.lines;
+          default = "";
+        };
      };
    };
  };
@@ -59,6 +63,10 @@ in
      type = lib.types.attrsOf types.vhost;
      default = { };
    };
+    tailscaleAuth.expectedTailnet = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+    };
  };

  config = lib.mkIf cfg.enable {
@@ -75,11 +83,17 @@ in
        tailscaleAuth = {
          enable = (lib.length tailscaleAuthVhosts) > 0;
          virtualHosts = tailscaleAuthVhosts;
+          expectedTailnet = cfg.tailscaleAuth.expectedTailnet;
        };

        virtualHosts = lib.mapAttrs (
          _:
-          { proxyBuffering, locations, ... }:
+          {
+            proxyBuffering,
+            locations,
+            extraConfig,
+            ...
+          }:
          {
            forceSSL = true;
            enableACME = true;
@@ -88,6 +102,7 @@ in
            extraConfig = lib.concatLines [
              (lib.optionalString (!proxyBuffering) "proxy_buffering off;")
              "charset utf-8;"
+              extraConfig
            ];
            locations = lib.mapAttrs (
              _:
@@ -115,12 +130,17 @@ in
      };

      octodns.records = lib.filterAttrs (name: _: name != config.networking.domain) (
-        lib.mapAttrs' (fqdn: _: {
-          name = lib.removeSuffix ".${config.networking.domain}" fqdn;
-          value = {
-            CNAME.toRoot = true;
-          };
-        }) cfg.vHosts
+        lib.mapAttrs' (
+          fqdn:
+          { tailscaleAuth, ... }:
+          {
+            name = lib.removeSuffix ".${config.networking.domain}" fqdn;
+            value = {
+              CNAME =
+                if tailscaleAuth then { target = "ts.${config.networking.domain}."; } else { toRoot = true; };
+            };
+          }
+        ) cfg.vHosts
      );
    };