From b88383beb2e3f0812089c1c90ddb89ecfe5cfe02 Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Tue, 6 Jan 2026 20:25:51 +0000
Subject: [PATCH] feat(pm/wiki): enable server access
Change-Id: zzxsluuvzkwnyutnznxtonwyrlyzmooy
Our servers are tagged, so aren't considered to be any specific user. We can give them a username to allow them to access pages. This still won't allow servers access to the private wiki as there users aren't auto-created, so "Server" won't be valid...
---
 packetmix/systems/wiki/wiki.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/packetmix/systems/wiki/wiki.nix b/packetmix/systems/wiki/wiki.nix
index 7ec8e31b..2a5d12b6 100644
--- a/packetmix/systems/wiki/wiki.nix
+++ b/packetmix/systems/wiki/wiki.nix
@@ -169,10 +169,14 @@
 $wgGroupPermissions['bureaucrat']['usermerge'] = true;
 $wgAuthRemoteuserUserName = function () {
- if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+ if (!isset($_SERVER['HTTP_X_FROM_TAILSCALE'])) {
 return "";
 }
+ if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+ return "Server";
+ }
+
 if ($_SERVER['HTTP_X_WEBAUTH_LOGIN'] === 'hyperneutrino') {
 return 'HyperNeutrino';
 }
@@ -372,6 +376,7 @@
 extraConfig = ''
 proxy_set_header X-Webauth-Login "";
+ proxy_set_header X-From-Tailscale "";
 proxy_cache off;
 '';
 };
@@ -396,6 +401,18 @@
 extraConfig = ''
 proxy_cache off;
+ proxy_set_header X-From-Tailscale "Yes";
+ '';
+ };
+
+ locations."@empty" = {
+ return = "200";
+ };
+
+ locations."/auth" = {
+ extraConfig = ''
+ proxy_intercept_errors on;
+ error_page 403 =200 @empty; # We always want to return 200 so as to allow server access
 '';
 };
--
2.43.0
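Review bot: The new `return "Server";` branch grants an identity on the absence of `X-Webauth-Login` rather than on a positive signal that the peer is a tagged node, so any path where the proxy fails to populate that header while `X-From-Tailscale` is present ends up logged in as the shared `Server` account. Because `isset()` is true for any value, I would at least pin the marker to what the proxy sends, `if (($_SERVER['HTTP_X_FROM_TAILSCALE'] ?? "") !== 'Yes') { return ""; }`, and put a comment above the branch such as `// No login header from the tailnet vhost means a tagged node; all such nodes share the "Server" account.` The commit message says the private wiki stays closed only because `Server` is not an existing user there, so that name should probably be reserved or blocked on that wiki; worth confirming. The function body continues outside this hunk, so whether the login mapping further down can ever yield `Server` for a human account is not visible here.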
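Review bot: Clearing `X-From-Tailscale` in this location is correct, but the scheme fails open: any other location or vhost that proxies to the wiki backend without the same line lets a client send the header itself and be treated as a tailnet peer. nginx inherits `proxy_set_header` from an outer level only when the location defines none of its own, so a server-level default would not cover a location like this one. I would add a comment next to the line, e.g. `# Must be cleared on every non-tailnet location; the backend trusts this header`, and confirm the backend cannot be reached except through these locations. The enclosing location block starts outside the hunk.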
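Review bot: `error_page 403 =200 @empty;` turns every 403 from the auth endpoint into a success, not only the tagged-node case the inline comment describes. If the auth backend also answers 403 for other refusals (I believe Tailscale's nginx-auth does so when the expected tailnet does not match, but that should be checked), those callers are admitted as `Server` as well. Also confirm that this `/auth` location is not shared with the private wiki's vhost, and that `X-Webauth-Login` in the tailnet location is always overwritten from the auth response so a peer cannot supply it; neither is visible in this hunk. A comment on `@empty` such as `# auth_request fallback for peers the auth service refuses; see error_page in /auth` would make the intent easier to audit.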