use tailscale auth for hledger

2025-06-10 23:26:27 +03:00
parent 4d91990ea1
commit 269bb6ac6a
6 changed files with 93 additions and 22 deletions
--- a/modules/services/hledger-web.nix
+++ b/modules/services/hledger-web.nix
@@ -8,9 +8,6 @@ in
    subdomain = lib.mkOption {
      type = lib.types.str;
    };
-    basicAuthFile = lib.mkOption {
-      type = lib.types.path;
-    };
    user = lib.mkOption {
      type = lib.types.str;
    };
@@ -24,13 +21,45 @@ in
      hledger-web = {
        allow = lib.mkDefault "edit";
        baseUrl = "https://${fqdn}";
+        serveApi = true;
+        extraOptions = [
+          "--exchange=€"
+        ];
      };

      webserver = {
        enable = lib.mkDefault true;
-        vHosts.${fqdn}.locations."/" = {
-          proxyPort = cfg.port;
-          basicAuthFile = cfg.basicAuthFile;
+        vHosts.${fqdn} = {
+          tailscaleAuth = true;
+          extraConfig = ''
+            root /var/www/ledgio;
+            add_header Access-Control-Allow-Origin $http_origin always;
+            add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT' always;
+            add_header Access-Control-Allow-Headers 'Content-Type' always;
+
+            location ~ \.(html|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+              try_files $uri =404;
+            }
+          '';
+
+          locations = {
+            "@api" = {
+              proxyPort = cfg.port;
+            };
+
+            "/".extraConfig = ''
+              if ($request_method = OPTIONS) {
+                add_header Content-Type text/plain;
+                add_header Content-Length 0;
+                add_header Access-Control-Allow-Origin $http_origin;
+                add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT';
+                add_header Access-Control-Allow-Headers 'Content-Type';
+                return 204;
+              }
+
+              try_files $uri $uri/ @api;
+            '';
+          };
        };
      };
    };