use shb nginx module for hledger

modules/hledger.nix

@@ -72,93 +72,15 @@ in
       serviceConfig.StateDirectory = "hledger";
     };
 
-    services.nginx = {
-      enable = true;
-
-      virtualHosts.${fqdn} = {
-        forceSSL = true;
-        sslCertificate = "/var/lib/acme/${cfg.domain}/cert.pem";
-        sslCertificateKey = "/var/lib/acme/${cfg.domain}/key.pem";
-
-        # Taken from https://github.com/authelia/authelia/issues/178
-        locations."/".extraConfig = ''
-          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-          add_header X-Content-Type-Options nosniff;
-          add_header X-Frame-Options "SAMEORIGIN";
-          add_header X-XSS-Protection "1; mode=block";
-          add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
-          add_header X-Download-Options noopen;
-          add_header X-Permitted-Cross-Domain-Policies none;
-
-          proxy_set_header Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_http_version 1.1;
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "upgrade";
-          proxy_cache_bypass $http_upgrade;
-
-          auth_request /authelia;
-          auth_request_set $user $upstream_http_remote_user;
-          auth_request_set $groups $upstream_http_remote_groups;
-          proxy_set_header X-Forwarded-User $user;
-          proxy_set_header X-Forwarded-Groups $groups;
-          # TODO: Are those needed?
-          # auth_request_set $name $upstream_http_remote_name;
-          # auth_request_set $email $upstream_http_remote_email;
-          # proxy_set_header Remote-Name $name;
-          # proxy_set_header Remote-Email $email;
-          # TODO: Would be nice to have this working, I think.
-          # set $new_cookie $http_cookie;
-          # if ($http_cookie ~ "(.*)(?:^|;)\s*example\.com\.session\.id=[^;]+(.*)") {
-          #     set $new_cookie $1$2;
-          # }
-          # proxy_set_header Cookie $new_cookie;
-
-          auth_request_set $redirect $scheme://$http_host$request_uri;
-          error_page 401 =302 ${cfg.oidcEndpoint}?rd=$redirect;
-          error_page 403 = ${cfg.oidcEndpoint}/error/403;
-
-          proxy_pass http://${toString config.services.hledger-web.host}:${toString config.services.hledger-web.port};
-          '';
-
-        # Virtual endpoint created by nginx to forward auth requests.
-        locations."/authelia".extraConfig = ''
-          internal;
-          proxy_pass ${cfg.oidcEndpoint}/api/verify;
-
-          proxy_set_header X-Forwarded-Host $host;
-          proxy_set_header X-Original-URI $request_uri;
-          proxy_set_header X-Original-URL $scheme://$host$request_uri;
-          proxy_set_header X-Forwarded-For $remote_addr;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_set_header Content-Length "";
-          proxy_pass_request_body off;
-          # TODO: Would be nice to be able to enable this.
-          # proxy_ssl_verify on;
-          # proxy_ssl_trusted_certificate "/etc/ssl/certs/DST_Root_CA_X3.pem";
-          proxy_ssl_protocols TLSv1.2;
-          proxy_ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-          proxy_ssl_verify_depth 2;
-          proxy_ssl_server_name on;
-        '';
-
-      };
-    };
-
-    shb.authelia.rules = [
-      # {
-      #   domain = fqdn;
-      #   policy = "bypass";
-      #   resources = [
-      #     "^/api.*"
-      #   ];
-      # }
+    shb.nginx.autheliaProtect = [
       {
-        domain = fqdn;
-        policy = "two_factor";
-        subject = ["group:hledger_user"];
+        inherit (cfg) subdomain domain oidcEndpoint;
+        upstream = "http://${toString config.services.hledger-web.host}:${toString config.services.hledger-web.port}";
+        autheliaRules = [{
+          domain = fqdn;
+          policy = "two_factor";
+          subject = ["group:hledger_user"];
+        }];
       }
     ];