botalex/nixos-server
1
0
Fork 0
mirror of https://github.com/MagicBOTAlex/nixos-server.git synced 2026-02-04 05:39:18 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

pocket accept cors

Browse source
This commit is contained in:
BOTAlex 2025-10-04 02:23:05 +02:00
parent e70aee4ab6
commit 134fe2e279
10 changed files with 320 additions and 219 deletions
Download patch file Download diff file Expand all files Collapse all files

253
networking/caddy.nix
View file

@ -1,135 +1,176 @@
{pkgs, ... } : {
imports = [
./networkSetup.nix
];
{ pkgs, ... }: {
imports = [ ./networkSetup.nix ];
services.caddy.virtualHosts."immich.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:2283
reverse_proxy * 127.0.0.1:2283
'';
};
services.caddy.virtualHosts."ha.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:8123
reverse_proxy * 127.0.0.1:8123
'';
};
services.caddy.virtualHosts."jelly.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:8096
'';
};
services.caddy.virtualHosts."pocket.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:5500
reverse_proxy * 127.0.0.1:8096
'';
};
services.caddy.virtualHosts."seer.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:5055
reverse_proxy * 127.0.0.1:5055
'';
};
services.caddy.virtualHosts."penpot.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:5544
'';
};
services.caddy.virtualHosts."api.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:6333
'';
};
services.caddy.virtualHosts."pocket.deprived.dev" = {
extraConfig = ''
# Match allowed origins
@allowedOrigin header_regexp Origin ^https?://(localhost(:[0-9]+)?|deprived\.dev|([a-z0-9-]+\.)*deprived\.dev)$
@preflight method OPTIONS
# Preflight: answer directly
handle @preflight {
header {
-Access-Control-Allow-Origin
-Access-Control-Allow-Methods
-Access-Control-Allow-Headers
-Access-Control-Allow-Credentials
-Vary
}
header @allowedOrigin {
Access-Control-Allow-Origin "{http.request.header.Origin}"
Access-Control-Allow-Methods "GET,POST,PUT,PATCH,DELETE,OPTIONS"
Access-Control-Allow-Headers "*"
Access-Control-Allow-Credentials "true"
Vary "Origin"
}
respond 204
}
# Actual requests: proxy, strip upstream CORS, then set ours
handle {
reverse_proxy 127.0.0.1:3433 {
header_down -Access-Control-Allow-Origin
header_down -Access-Control-Allow-Methods
header_down -Access-Control-Allow-Headers
header_down -Access-Control-Allow-Credentials
header_down -Vary
}
header @allowedOrigin {
Access-Control-Allow-Origin "{http.request.header.Origin}"
Access-Control-Allow-Credentials "true"
Vary "Origin"
}
}
'';
};
services.caddy.virtualHosts."spotify.playing.deprived.dev" = {
extraConfig = ''
encode zstd gzip
@preflight method OPTIONS
handle @preflight {
header {
Access-Control-Allow-Origin "{http.request.header.Origin}"
Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
Access-Control-Allow-Credentials "true"
Access-Control-Max-Age "600"
Vary "Origin"
}
respond 204
}
@protected not method OPTIONS
basicauth @protected {
alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
}
reverse_proxy 127.0.0.1:8800
header {
Access-Control-Allow-Origin "{http.request.header.Origin}"
Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
Access-Control-Allow-Credentials "true"
Vary "Origin"
}
'';
};
services.caddy.virtualHosts."lyrics.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:7444
'';
};
services.caddy.virtualHosts."zhenss.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:8388
'';
};
services.caddy.virtualHosts."direct.stream.deprived.dev" = {
extraConfig = ''
@allowKey {
query key=0c156f3d-dc1d-489f-866e-69e306249e92
}
route {
handle @allowKey {
reverse_proxy http://127.0.0.1:3344
}
respond "Forbidden" 403
}
'';
};
services.caddy.virtualHosts."development.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:5550
reverse_proxy * 127.0.0.1:5173
'';
};
services.caddy.virtualHosts."spotify.api.deprived.dev" = {
extraConfig = ''
encode zstd gzip
# --- CORS: preflight (OPTIONS) ---
@preflight {
method OPTIONS
header Origin *
header Access-Control-Request-Method *
}
handle @preflight {
header {
Access-Control-Allow-Origin "{http.request.header.Origin}"
Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
Access-Control-Allow-Credentials "true"
Access-Control-Max-Age "600"
Vary "Origin"
}
respond 204
}
# --- Auth: protect everything except OPTIONS ---
@protected {
not method OPTIONS
}
basicauth @protected {
alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
}
# --- Reverse proxy: strip upstream CORS so we don't end up with duplicates ---
reverse_proxy 127.0.0.1:6666 {
header_down -Access-Control-Allow-Origin
header_down -Access-Control-Allow-Methods
header_down -Access-Control-Allow-Headers
header_down -Access-Control-Allow-Credentials
header_down -Vary
}
# --- CORS: set headers on actual responses (only when Origin is present) ---
@cors header Origin *
header @cors {
Access-Control-Allow-Origin "{http.request.header.Origin}"
Access-Control-Allow-Credentials "true"
# Optionally expose any headers your frontend needs to read:
# Access-Control-Expose-Headers "Content-Type, Content-Length, Date"
Vary "Origin"
}
'';
};
services.caddy.virtualHosts."spotify.playing.deprived.dev" = {
extraConfig = ''
encode zstd gzip
@preflight method OPTIONS
handle @preflight {
header {
Access-Control-Allow-Origin "{http.request.header.Origin}"
Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
Access-Control-Allow-Credentials "true"
Access-Control-Max-Age "600"
Vary "Origin"
}
respond 204
}
@protected not method OPTIONS
basicauth @protected {
alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
}
reverse_proxy 127.0.0.1:8800
header {
Access-Control-Allow-Origin "{http.request.header.Origin}"
Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
Access-Control-Allow-Credentials "true"
Vary "Origin"
}
'';
};
services.caddy.virtualHosts."lyrics.deprived.dev" = {
services.caddy.virtualHosts."internal.deprived.dev" = {
extraConfig = ''
reverse_proxy * 127.0.0.1:7444
'';
# Only allow GET + POST
@not_allowed {
not method GET POST
}
respond @not_allowed 405
# Auth (same as before): require auth for non-POST (i.e., GET)
@protected {
not method POST
}
basicauth @protected {
git $2a$14$VlDba5ipUmRYKPYmjPql8.pa8vO7cYsmUf26cXzTk.MbHoRA/ZKJy
}
# /backup → 127.0.0.1:3435
@backup path /backup*
reverse_proxy @backup 127.0.0.1:3435
# everything else → 127.0.0.1:3322
reverse_proxy * 127.0.0.1:3322
'';
};
}