Our servers are tagged, so they aren't considered to be any specific user. We can give them a username to allow them to access pages. This still won't allow servers access to the private wiki, as users aren't auto-created there, so "Server" won't be valid...
+18
-1
packetmix/systems/wiki/wiki.nix
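--- a/packetmix/systems/wiki/wiki.nix
+++ b/packetmix/systems/wiki/wiki.nix
@@ -169,10 +169,14 @@
 $wgGroupPermissions['bureaucrat']['usermerge'] = true;
 
 $wgAuthRemoteuserUserName = function () {
-if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+if (!isset($_SERVER['HTTP_X_FROM_TAILSCALE'])) {
 return "";
 }
 
+if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+return "Server";
+}
+
 if ($_SERVER['HTTP_X_WEBAUTH_LOGIN'] === 'hyperneutrino') {
 return 'HyperNeutrino';
 }
@@ -372,6 +376,7 @@
 
 extraConfig = ''
 proxy_set_header X-Webauth-Login "";
+proxy_set_header X-From-Tailscale "";
 proxy_cache off;
 '';
 };
@@ -396,6 +401,18 @@
 
 extraConfig = ''
 proxy_cache off;
+proxy_set_header X-From-Tailscale "Yes";
+'';
+};
+
+locations."@empty" = {
+return = "200";
+};
+
+locations."/auth" = {
+extraConfig = ''
+proxy_intercept_errors on;
+error_page 403 =200 @empty; # We always want to return 200 so as to allow server access
 '';
 };
 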
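Review bot: With `error_page 403 =200 @empty;` on `/auth`, the auth subrequest no longer denies any request on the tailnet-facing location, so the header checks in `$wgAuthRemoteuserUserName` become the only gate, and `isset($_SERVER['HTTP_X_FROM_TAILSCALE'])` accepts any value at all. Comparing against the value nginx sets would be stricter: `if (($_SERVER['HTTP_X_FROM_TAILSCALE'] ?? "") !== 'Yes') {`. The visible lines of that location add `X-From-Tailscale "Yes"` but do not show `X-Webauth-Login` being overwritten from the auth response; if that is not done in the part of the location outside this view, a client-supplied `X-Webauth-Login` would reach MediaWiki as the username, so it is worth confirming. A short comment next to `return "Server";` should also record that every tagged device maps to this one shared account, so its actions cannot be attributed to an individual host. The callback's body continues past the end of the first hunk.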