
feat(pm/wiki): enable server access

Our servers are tagged, so aren't considered to be any specific user.
We can give them a username to allow them to access pages. This still
won't allow servers access to the private wiki, as users there aren't
auto-created, so "Server" won't be valid...

Changed files
+18 -1
packetmix
systems
wiki
+18 -1
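--- a/packetmix/systems/wiki/wiki.nix
+++ b/packetmix/systems/wiki/wiki.nix
@@ -169,8 +169,12 @@
 $wgGroupPermissions['bureaucrat']['usermerge'] = true;
 
 $wgAuthRemoteuserUserName = function () {
-if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+if (!isset($_SERVER['HTTP_X_FROM_TAILSCALE'])) {
 return "";
+}
+
+if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+return "Server";
 }
 
 if ($_SERVER['HTTP_X_WEBAUTH_LOGIN'] === 'hyperneutrino') {
@@ -372,6 +376,7 @@
 
 extraConfig = ''
 proxy_set_header X-Webauth-Login "";
+proxy_set_header X-From-Tailscale "";
 proxy_cache off;
 '';
 };
@@ -396,6 +401,18 @@
 
 extraConfig = ''
 proxy_cache off;
+proxy_set_header X-From-Tailscale "Yes";
+'';
+};
+
+locations."@empty" = {
+return = "200";
+};
+
+locations."/auth" = {
+extraConfig = ''
+proxy_intercept_errors on;
+error_page 403 =200 @empty; # We always want to return 200 so as to allow server access
 '';
 };
 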
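Review bot: In the `/auth` location of the last hunk, `error_page 403 =200 @empty;` turns every refusal from the auth backend into a success, so the new `return "Server";` branch is reached by any tailnet-side request that arrives without `X-Webauth-Login`, not only by tagged servers; this assumes `/auth` is the `auth_request` target, whose wiring is outside the visible hunks. If the backend can answer 403 for reasons other than "tagged node", those clients are now signed in as the shared "Server" account, so it is worth confirming that this account has no more than read rights and that the tailnet-facing location overwrites any client-supplied `X-Webauth-Login`. The PHP check in the first hunk tests only presence of the marker header; comparing the value, `if (($_SERVER['HTTP_X_FROM_TAILSCALE'] ?? '') !== 'Yes') {`, ties it to what nginx actually sets. A comment above the new branch, for example `// Tailnet request without a login header: treated as a tagged node and mapped to the shared "Server" user`, would record that this fail-open is intentional.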