use tailscale auth for hledger

hosts/freun-dev/configuration.nix

@@ -36,7 +36,8 @@ in
   networking.useDHCP = false;
   networking.nftables.enable = true;
 
-  services.octodns.records."" = {
+  services.octodns.records = {
+    "" = {
       A = {
         ttl = 86400;
         values = [ ipv4Address ];
@@ -46,6 +47,17 @@ in
         values = [ ipv6Address ];
       };
     };
+    "ts" = {
+      A = {
+        ttl = 86400;
+        values = [ "100.84.105.63" ];
+      };
+      AAAA = {
+        ttl = 86400;
+        values = [ "fd7a:115c:a1e0::7901:693f" ];
+      };
+    };
+  };
 
   systemd.network = {
     enable = true;

hosts/freun-dev/secrets.nix

@@ -26,6 +26,7 @@
           "mosquitto/mokkimaatti"
           "gitlab-runner/default"
           "gitlab-runner/docker"
+          "hetzner"
         ]
     )
     // {

hosts/freun-dev/services.nix

@@ -19,6 +19,7 @@ in
 {
   virtualisation.podman.enable = true;
   virtualisation.oci-containers.backend = "podman";
+  security.acme.defaults.environmentFile = secrets.hetzner.path;
 
   modules.storageBoxMounts = {
     ${immichDataDir} = {
@@ -387,12 +388,17 @@ in
       enable = true;
       subdomain = "ledger";
       stateDir = "${syncthingDataDir}/ledger";
-      basicAuthFile = secrets.hledger-basic-auth.path;
       user = config.systemd.services.syncthing.serviceConfig.User;
       group = config.systemd.services.syncthing.serviceConfig.Group;
+      extraOptions = [ "--forecast" ];
       journalFiles = [
         "main.ldg"
       ];
     };
+
+    webserver = {
+      acme.dnsChallenge = true;
+      tailscaleAuth.expectedTailnet = "tempel-vibes.ts.net";
+    };
   };
 }

modules/services/hledger-web.nix

@@ -8,9 +8,6 @@ in
     subdomain = lib.mkOption {
       type = lib.types.str;
     };
-    basicAuthFile = lib.mkOption {
-      type = lib.types.path;
-    };
     user = lib.mkOption {
       type = lib.types.str;
     };
@@ -24,13 +21,45 @@ in
       hledger-web = {
         allow = lib.mkDefault "edit";
         baseUrl = "https://${fqdn}";
+        serveApi = true;
+        extraOptions = [
+          "--exchange=€"
+        ];
       };
 
       webserver = {
         enable = lib.mkDefault true;
-        vHosts.${fqdn}.locations."/" = {
+        vHosts.${fqdn} = {
+          tailscaleAuth = true;
+          extraConfig = ''
+            root /var/www/ledgio;
+            add_header Access-Control-Allow-Origin $http_origin always;
+            add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT' always;
+            add_header Access-Control-Allow-Headers 'Content-Type' always;
+
+            location ~ \.(html|js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+              try_files $uri =404;
+            }
+          '';
+
+          locations = {
+            "@api" = {
               proxyPort = cfg.port;
-          basicAuthFile = cfg.basicAuthFile;
+            };
+
+            "/".extraConfig = ''
+              if ($request_method = OPTIONS) {
+                add_header Content-Type text/plain;
+                add_header Content-Length 0;
+                add_header Access-Control-Allow-Origin $http_origin;
+                add_header Access-Control-Allow-Methods 'OPTIONS, GET, PUT';
+                add_header Access-Control-Allow-Headers 'Content-Type';
+                return 204;
+              }
+
+              try_files $uri $uri/ @api;
+            '';
+          };
         };
       };
     };

modules/services/webserver.nix

@@ -37,6 +37,10 @@ let
           type = lib.types.bool;
           default = false;
         };
+        extraConfig = lib.mkOption {
+          type = lib.types.lines;
+          default = "";
+        };
       };
     };
   };
@@ -59,6 +63,10 @@ in
       type = lib.types.attrsOf types.vhost;
       default = { };
     };
+    tailscaleAuth.expectedTailnet = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -75,11 +83,17 @@ in
         tailscaleAuth = {
           enable = (lib.length tailscaleAuthVhosts) > 0;
           virtualHosts = tailscaleAuthVhosts;
+          expectedTailnet = cfg.tailscaleAuth.expectedTailnet;
         };
 
         virtualHosts = lib.mapAttrs (
           _:
-          { proxyBuffering, locations, ... }:
+          {
+            proxyBuffering,
+            locations,
+            extraConfig,
+            ...
+          }:
           {
             forceSSL = true;
             enableACME = true;
@@ -88,6 +102,7 @@ in
             extraConfig = lib.concatLines [
               (lib.optionalString (!proxyBuffering) "proxy_buffering off;")
               "charset utf-8;"
+              extraConfig
             ];
             locations = lib.mapAttrs (
               _:
@@ -115,12 +130,17 @@ in
       };
 
       octodns.records = lib.filterAttrs (name: _: name != config.networking.domain) (
-        lib.mapAttrs' (fqdn: _: {
+        lib.mapAttrs' (
+          fqdn:
+          { tailscaleAuth, ... }:
+          {
             name = lib.removeSuffix ".${config.networking.domain}" fqdn;
             value = {
-            CNAME.toRoot = true;
+              CNAME =
+                if tailscaleAuth then { target = "ts.${config.networking.domain}."; } else { toRoot = true; };
             };
-        }) cfg.vHosts
+          }
+        ) cfg.vHosts
       );
     };
 

secrets/secrets.nix

@@ -36,6 +36,9 @@ in
   "mosquitto/mokkimaatti.age".publicKeys = users ++ [ freun-dev ];
   "gitlab-runner/default.age".publicKeys = users ++ [ freun-dev ];
   "gitlab-runner/docker.age".publicKeys = users ++ [ freun-dev ];
-  "hetzner.age".publicKeys = users ++ [ apu ];
+  "hetzner.age".publicKeys = users ++ [
+    apu
+    freun-dev
+  ];
   "hledger-basic-auth.age".publicKeys = users ++ [ freun-dev ];
 }