From e24f9e4c0bd400fb844f6e59554897927ba4e95b Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 18 May 2025 18:23:19 +0200
Subject: [PATCH] fix: allow api server in firewall and add CORS header
---
 hosts/sire/guests/ente.nix | 16 ++++++++++++++++
 hosts/sire/secrets/ente/local.nix.age | Bin 0 -> 548 bytes
 modules/ente.nix | 9 +++++++++
 .../generated/sire-ente/ente-smtp-password.age | 10 ++++++++++
 ...dcea15f6024b00755055e-ente-smtp-password.age | 8 ++++++++
 5 files changed, 43 insertions(+)
 create mode 100644 hosts/sire/secrets/ente/local.nix.age
 create mode 100644 secrets/generated/sire-ente/ente-smtp-password.age
 create mode 100644 secrets/rekeyed/sire-ente/5570523ddaedcea15f6024b00755055e-ente-smtp-password.age
diff --git a/hosts/sire/guests/ente.nix b/hosts/sire/guests/ente.nix
index b1b3fa0..168253b 100644
--- a/hosts/sire/guests/ente.nix
+++ b/hosts/sire/guests/ente.nix
@@ -80,6 +80,7 @@ in
 client.via = "sentinel";
 firewallRuleForNode.sentinel.allowedTCPPorts = [
 80
+ 8080
 9000
 ];
 };
@@ -88,6 +89,7 @@ in
 client.via = "ward";
 firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
 80
+ 8080
 9000
 ];
 };
@@ -173,6 +175,11 @@ in
 mode = "440";
 group = "ente";
 };
+ age.secrets.ente-smtp-password = {
+ generator.script = "alnum";
+ mode = "440";
+ group = "ente";
+ };
 
 services.minio = {
 enable = true;
@@ -206,6 +213,15 @@ in
 rporigins = [ "https://${enteAccountsDomain}" ];
 };
 
+ # FIXME: blocked on https://github.com/ente-io/ente/issues/5958
+ # smtp = {
+ # host = config.repo.secrets.local.ente.mail.host;
+ # port = 465;
+ # email = config.repo.secrets.local.ente.mail.from;
+ # username = config.repo.secrets.local.ente.mail.user;
+ # password._secret = config.age.secrets.ente-smtp-password.path;
+ # };
+
 s3 = {
 use_path_style_urls = true;
 b2-eu-cen = {
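Review bot: The two `allowedTCPPorts` lists (hunks at -80 for sentinel and -88 for ward-web-proxy) now hold three bare port numbers with nothing recording which service each one exposes, which makes a later firewall audit harder. Going by the commit subject the new entry is the API server, so a trailing comment such as `8080 # ente API server, reached only via the reverse proxy` on the added line in both lists would document the intent. Whether the proxy-to-guest hop on 8080 is encrypted is not visible in these hunks and is worth confirming, since the enclosing blocks start and end outside them.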
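Review bot: `age.secrets.ente-smtp-password` (hunk at -173) is generated, rekeyed for the host and made readable by group `ente`, while its only consumer, the `smtp` block in the hunk at -206, is commented out behind the FIXME. That provisions a credential on the guest that nothing reads yet; either defer the secret until the upstream issue is resolved or mark it with a comment such as `# unused until the smtp block below is enabled`. When the block is enabled, confirm that the mail host actually accepts this generated `alnum` value, since nothing in the visible hunks provisions the mail side from the same secret. The surrounding attribute sets begin and end outside both hunks.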
diff --git a/hosts/sire/secrets/ente/local.nix.age b/hosts/sire/secrets/ente/local.nix.age
new file mode 100644
index 0000000000000000000000000000000000000000..587ae90ba1027a7cc4241c9b6004b397ec373764
GIT binary patch literal 548 zcmV+<0^9vzXJsvAZewzJaCB*JZZ25!M^y?fJ|HekEoX9NVRK~)O?gB(ICVsCMq^iS zR!lcaWkx}7RdRVUXK7G+YFK1KYDscqMl?=2aBfm-YBo4GRAo{!VrDUVRZMkvM`U$F z3VBRaYBo-4QhG;DacWmoW>aBwa85}vM0!GVWZXVddC2v)ked4G zAv6lx+Js);BAg6%LoW`&Emh#hb;ypUf`}f5u0hl$6LGt|hip^v8=Npfs@LBDnasf7 zY8X)-?=Pnb>uExO<1Ezo9aYqiD9a>&*EN|u4BCV6*8L=^Pn@EffE^Xeusr$O-(^|R mAtuJ5T>P8W27{mbf@QEvp$DP#^cFJ1CTNE@g3M*`XZL1AWzg*a literal 0 HcmV?d00001
diff --git a/modules/ente.nix b/modules/ente.nix
index 2cceb5e..845932d 100644
--- a/modules/ente.nix
+++ b/modules/ente.nix
@@ -319,6 +319,9 @@ in
 locations."/" = {
 root = webPackage "accounts";
 tryFiles = "$uri $uri.html /index.html";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';
+ '';
 };
 };
 virtualHosts.${domainFor "cast"} = {
@@ -326,6 +329,9 @@ in
 locations."/" = {
 root = webPackage "cast";
 tryFiles = "$uri $uri.html /index.html";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';
+ '';
 };
 };
 virtualHosts.${domainFor "photos"} = {
@@ -336,6 +342,9 @@ in
 locations."/" = {
 root = webPackage "photos";
 tryFiles = "$uri $uri.html /index.html";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';
+ '';
 };
 };
 };
diff --git a/secrets/generated/sire-ente/ente-smtp-password.age b/secrets/generated/sire-ente/ente-smtp-password.age
new file mode 100644
index 0000000..154bcff
--- /dev/null
+++ b/secrets/generated/sire-ente/ente-smtp-password.age
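Review bot: An `add_header` placed in `locations."/".extraConfig` replaces, rather than extends, every `add_header` nginx would otherwise inherit from the server or http level, so any security headers set there (HSTS, X-Frame-Options, a CSP, if this setup defines them; not visible in the hunk) stop being sent for the accounts location here and for the cast and photos locations in the hunks at -326 and -336. Either repeat the inherited headers next to the new one or move the CORS header to the level where the others are defined. Without the `always` parameter the header is also left off error responses; `add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}' always;` covers those. The same three lines are repeated in all three virtualHosts, whose definitions start outside the hunks, and could come from one shared `let` binding so the allowed origin is reviewed in a single place.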
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 uzx96W3LGgLuzEzAtwPjH+NX2vcv8ubqqX7YZiwQFgk +KlBmy7H6aMxmwulZOlTKZstIksYCO3ZmA5FRqPNRVdw +-> piv-p256 xqSe8Q A5M4BXtJeBxuptSTUikB5VMJKqOezt0LUujl++SkBK++ +J7Qv3r/5PbZtDE3bSDDSrH1hCZAhIfvYYQASnftZiBw +-> ]#ef9-grease uUT +vopjT0SJXs4y/e11dxHdH6Jm4H7fPraQnQ +--- 8eRnzo0sQwqYPdMvoIe+yh7Z0XNz04qqmVDBiOiPuOI +0}*&n4X{f6,!sݬc3 +7j\$m[70:ꚼ3+Hf%QSϖ \ No newline at end of file diff --git a/secrets/rekeyed/sire-ente/5570523ddaedcea15f6024b00755055e-ente-smtp-password.age b/secrets/rekeyed/sire-ente/5570523ddaedcea15f6024b00755055e-ente-smtp-password.age new file mode 100644 index 0000000..cb6df21 --- /dev/null +++ b/secrets/rekeyed/sire-ente/5570523ddaedcea15f6024b00755055e-ente-smtp-password.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 JgWCuA q5Wp7aYyyaEavf6STF9SvQgmzdYXgTyGxGfmw3oSZiQ +NkBSO5mKfWLe191MADiA1/8UCEWYg1Wf19tDQzRKcuY +-> Tmk{-grease 8].Slcf +o7SZB2XURbUUce7EuhTa1K0fd40MXUyuDEu52sxbAO5w8f/o7NKhH0E6gxAomVFI +3+u4q5rBb2CgqJ7Ggu0BZF5pmVjYUZc8K6c4OzK2w5YwiZzmnw +--- CToVXazvableiflSVSRk1gN7L7+//TKkELjn7mJr3qw +aPo֧Ic 6Aw͕R"Y}E>()iDL