
feat(pm/wiki): enable server access

Our servers are tagged, so aren't considered to be any specific user.
We can give them a username to allow them to access pages. This still
won't allow servers access to the private wiki, as users there aren't
auto-created, so "Server" won't be valid...

Changed files
+18 -1
packetmix
systems
wiki
+18 -1
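--- a/packetmix/systems/wiki/wiki.nix
+++ b/packetmix/systems/wiki/wiki.nix
@@ -169,8 +169,12 @@
 $wgGroupPermissions['bureaucrat']['usermerge'] = true;
 
 $wgAuthRemoteuserUserName = function () {
-if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+if (!isset($_SERVER['HTTP_X_FROM_TAILSCALE'])) {
 return "";
+}
+
+if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+return "Server";
 }
 
 if ($_SERVER['HTTP_X_WEBAUTH_LOGIN'] === 'hyperneutrino') {
@@ -372,6 +376,7 @@
 
 extraConfig = ''
 proxy_set_header X-Webauth-Login "";
+proxy_set_header X-From-Tailscale "";
 proxy_cache off;
 '';
 };
@@ -396,6 +401,18 @@
 
 extraConfig = ''
 proxy_cache off;
+proxy_set_header X-From-Tailscale "Yes";
+'';
+};
+
+locations."@empty" = {
+return = "200";
+};
+
+locations."/auth" = {
+extraConfig = ''
+proxy_intercept_errors on;
+error_page 403 =200 @empty; # We always want to return 200 so as to allow server access
 '';
 };
 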
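Review bot: The new `/auth` location rewrites every 403 from the auth backend to a 200 (`error_page 403 =200 @empty;`), so a tagged server is no longer distinguishable from any other request the backend refuses, and each of them reaches the closure without `X-Webauth-Login` and is named `Server`. The backend is not visible here; if it also answers 403 for cases other than tagged nodes, those callers gain wiki access as well, so the comment on that line should state which 403 cases are expected and why passing them is acceptable. Separately, the closure trusts the mere presence of `X-From-Tailscale`, which holds only if every route to the wiki overwrites a client-supplied copy, as the two `extraConfig` blocks shown do; any location outside these hunks needs the same `proxy_set_header X-From-Tailscale "";`. Comparing the value rather than using `isset`, `if (($_SERVER['HTTP_X_FROM_TAILSCALE'] ?? '') !== 'Yes') {`, would at least reject an empty or unexpected header. The closure and the surrounding location blocks start and end outside the hunks.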