fix: allow api server in firewall and add CORS header

2025-10-10 23:00:39 +02:00 · 2025-05-18 18:23:19 +02:00 · 2025-05-18 18:23:19 +02:00 · e24f9e4c0b
commit e24f9e4c0b
parent 4c2f98f9e4
5 changed files with 43 additions and 0 deletions
--- a/hosts/sire/guests/ente.nix
+++ b/hosts/sire/guests/ente.nix
@ -80,6 +80,7 @@ in
    client.via = "sentinel";
    firewallRuleForNode.sentinel.allowedTCPPorts = [
      80
      8080
      9000
    ];
  };
@ -88,6 +89,7 @@ in
    client.via = "ward";
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
      80
      8080
      9000
    ];
  };
@ -173,6 +175,11 @@ in
    mode = "440";
    group = "ente";
  };
  age.secrets.ente-smtp-password = {
    generator.script = "alnum";
    mode = "440";
    group = "ente";
  };
  services.minio = {
    enable = true;
@ -206,6 +213,15 @@ in
        rporigins = [ "https://${enteAccountsDomain}" ];
      };
      # FIXME: blocked on https://github.com/ente-io/ente/issues/5958
      # smtp = {
      #   host = config.repo.secrets.local.ente.mail.host;
      #   port = 465;
      #   email = config.repo.secrets.local.ente.mail.from;
      #   username = config.repo.secrets.local.ente.mail.user;
      #   password._secret = config.age.secrets.ente-smtp-password.path;
      # };
      s3 = {
        use_path_style_urls = true;
        b2-eu-cen = {
--- a/hosts/sire/secrets/ente/local.nix.age
+++ b/hosts/sire/secrets/ente/local.nix.age
--- a/modules/ente.nix
+++ b/modules/ente.nix
@ -319,6 +319,9 @@ in
            locations."/" = {
              root = webPackage "accounts";
              tryFiles = "$uri $uri.html /index.html";
              extraConfig = ''
                add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';
              '';
            };
          };
          virtualHosts.${domainFor "cast"} = {
@ -326,6 +329,9 @@ in
            locations."/" = {
              root = webPackage "cast";
              tryFiles = "$uri $uri.html /index.html";
              extraConfig = ''
                add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';
              '';
            };
          };
          virtualHosts.${domainFor "photos"} = {
@ -336,6 +342,9 @@ in
            locations."/" = {
              root = webPackage "photos";
              tryFiles = "$uri $uri.html /index.html";
              extraConfig = ''
                add_header Access-Control-Allow-Origin 'https://${cfgWeb.domains.api}';
              '';
            };
          };
        };
--- a/secrets/generated/sire-ente/ente-smtp-password.age
+++ b/secrets/generated/sire-ente/ente-smtp-password.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 uzx96W3LGgLuzEzAtwPjH+NX2vcv8ubqqX7YZiwQFgk
 KlBmy7H6aMxmwulZOlTKZstIksYCO3ZmA5FRqPNRVdw
 -> piv-p256 xqSe8Q A5M4BXtJeBxuptSTUikB5VMJKqOezt0LUujl++SkBK++
 J7Qv3r/5PbZtDE3bSDDSrH1hCZAhIfvYYQASnftZiBw
 -> ]#ef9-grease uUT
 vopjT0SJXs4y/e11dxHdH6Jm4H7fPraQnQ
 --- 8eRnzo0sQwqYPdMvoIe+yh7Z0XNz04qqmVDBiOiPuOI
 0ÅŠÍ}*&¹ªn4¯X’–Š¼{fˆÖ6Æ,!sÝ¬™Àòc´3
 7új\â$…m[7“ˆªµ£Ÿ0:’êš¼˜3+H�ƒf%òQ�SÏ–¡
--- a/secrets/rekeyed/sire-ente/5570523ddaedcea15f6024b00755055e-ente-smtp-password.age
+++ b/secrets/rekeyed/sire-ente/5570523ddaedcea15f6024b00755055e-ente-smtp-password.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 JgWCuA q5Wp7aYyyaEavf6STF9SvQgmzdYXgTyGxGfmw3oSZiQ
 NkBSO5mKfWLe191MADiA1/8UCEWYg1Wf19tDQzRKcuY
 -> Tmk{-grease 8].Slcf
 o7SZB2XURbUUce7EuhTa1K0fd40MXUyuDEu52sxbAO5w8f/o7NKhH0E6gxAomVFI
 3+u4q5rBb2CgqJ7Ggu0BZF5pmVjYUZc8K6c4OzK2w5YwiZzmnw
 --- CToVXazvableiflSVSRk1gN7L7+//TKkELjn7mJr3qw
 –aPÆo‡Ö§çªI�c	6A¢ÇwÙÍ•üàR"ûÄY}E>()iD¸ÐØêÿL<„Jå*Îªd�§kìh#3ÙýUšìŠ±qÙ	�+