feat(pm/wiki): enable server access #158

merged
opened by a.starrysky.fyi targeting main from private/minion/push-znnulvoxwzkq

Our servers are tagged, so they aren't considered to be any specific user. We can give them a username to allow them to access pages. This still won't allow servers access to the private wiki, as users there aren't auto-created, so "Server" won't be valid...

Changed files
+18 -1
+18 -1
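--- a/packetmix/systems/wiki/wiki.nix
+++ b/packetmix/systems/wiki/wiki.nix
@@ -169,10 +169,14 @@
 $wgGroupPermissions['bureaucrat']['usermerge'] = true;
 
 $wgAuthRemoteuserUserName = function () {
-if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+if (!isset($_SERVER['HTTP_X_FROM_TAILSCALE'])) {
 return "";
 }
 
+if (!isset($_SERVER['HTTP_X_WEBAUTH_LOGIN'])) {
+return "Server";
+}
+
 if ($_SERVER['HTTP_X_WEBAUTH_LOGIN'] === 'hyperneutrino') {
 return 'HyperNeutrino';
 }
@@ -372,6 +376,7 @@
 
 extraConfig = ''
 proxy_set_header X-Webauth-Login "";
+proxy_set_header X-From-Tailscale "";
 proxy_cache off;
 '';
 };
@@ -396,6 +401,18 @@
 
 extraConfig = ''
 proxy_cache off;
+proxy_set_header X-From-Tailscale "Yes";
+'';
+};
+
+locations."@empty" = {
+return = "200";
+};
+
+locations."/auth" = {
+extraConfig = ''
+proxy_intercept_errors on;
+error_page 403 =200 @empty; # We always want to return 200 so as to allow server access
 '';
 };
 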
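Review bot: The new guard at line 172, `if (!isset($_SERVER['HTTP_X_FROM_TAILSCALE']))`, treats the mere presence of the header as proof that the request arrived over Tailscale, so the public vhost is protected only because nginx omits a header whose `proxy_set_header` value is empty. Comparing the value is sturdier: `if (($_SERVER['HTTP_X_FROM_TAILSCALE'] ?? "") !== 'Yes') {`. nginx inherits `proxy_set_header` lines only into levels that define none of their own, so any nested location on the public vhost that sets its own headers would need both blanking lines repeated; that cannot be checked from these hunks. Since `/auth` now answers 200 where it used to answer 403, it is also worth confirming that the Tailscale vhost overwrites a client-supplied `X-Webauth-Login` rather than passing it through, as the code that sets it is outside the hunks. The closure body continues past the end of the first hunk.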