From 875de35177462f21732e3ba108a94d77a543da05 Mon Sep 17 00:00:00 2001
From: efim
Date: Sun, 8 Oct 2023 20:36:21 +0000
Subject: [PATCH] feat: attempted allowance for nixos ssl
---
 auth-notes.org | 7 +++++++
 flake.nix | 39 ++++++++++++++++++++++++---------------
 2 files changed, 31 insertions(+), 15 deletions(-)
diff --git a/auth-notes.org b/auth-notes.org
index 9266631..570d6a8 100644
--- a/auth-notes.org
+++ b/auth-notes.org
@@ -184,6 +184,13 @@ now works because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection *** adding a custom flag: https://github.com/pocketbase/pocketbase/discussions/1900
+** TODO change some additional config to option :
+ ${optionalString config.proxyWebsockets ''
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ ''}
+( also in planning poker repo )
diff --git a/flake.nix b/flake.nix
index 879e94a..f442264 100644
--- a/flake.nix
+++ b/flake.nix
@@ -70,6 +70,12 @@
 description =
 "Whether pocketbase should serve on https and issue own certs. Main case for true - when not under nginx";
 };
+ useHostTls = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description =
+ "Whether virtual host should enable NixOS ACME certs";
+ };
 };
 config = let
 username = "${shortName}-user";
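Review bot: The description of the new `useHostTls` option in the flake.nix hunk does not say what enabling it requires or does beyond "enable NixOS ACME certs": the second hunk ties the same flag to both `forceSSL` and `enableACME`, so turning it on also redirects plain HTTP to HTTPS, and `enableACME` only evaluates when the host has accepted the ACME terms and set a contact address (`security.acme.acceptTerms`, `security.acme.defaults.email`) and can answer the HTTP-01 challenge on port 80. Consider a description along the lines of `"Whether the nginx virtual host should obtain a NixOS ACME certificate and redirect HTTP to HTTPS. Requires security.acme.acceptTerms and an ACME contact email on the host; with the default false the virtual host is served over plain HTTP."` Whether the module opens ports 80/443 itself is not visible in this hunk, so the prerequisite on port 80 should be stated rather than assumed.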
@@ -102,22 +108,25 @@
 };
 };
 services.nginx = lib.mkIf cfg.useNginx {
- virtualHosts.${cfg.host}.locations."/" = {
- proxyPass =
- "http://127.0.0.1:${toString cfg.port}";
- # taken from https://pocketbase.io/docs/going-to-production/
- extraConfig = ''
- # check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
- proxy_set_header Connection ''';
- proxy_http_version 1.1;
- proxy_read_timeout 360s;
+ virtualHosts.${cfg.host} = {
+ forceSSL = cfg.useHostTls;
+ enableACME = cfg.useHostTls;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ # taken from https://pocketbase.io/docs/going-to-production/
+ extraConfig = ''
+ # check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+ proxy_set_header Connection ''';
+ proxy_http_version 1.1;
+ proxy_read_timeout 360s;
 
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- '';
- # TODO doesn't include tls sadly
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ # TODO doesn't include tls sadly
+ };
 };
 };
 };
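Review bot: The comment `# TODO doesn't include tls sadly` is carried into the new block unchanged even though `forceSSL = cfg.useHostTls;` and `enableACME = cfg.useHostTls;` a few lines above now add TLS to this virtual host, so it is stale and will mislead the next reader about whether the proxy is encrypted. Replace it with something like `# TLS for this vhost is governed by useHostTls (forceSSL + enableACME above); the upstream hop to pocketbase stays plain HTTP on 127.0.0.1`. Since both attributes are driven by the one flag, there is no configuration in which the vhost uses an operator-supplied certificate (`sslCertificate`/`sslCertificateKey`) instead of ACME; if that is intentional it is worth stating in the option documentation, otherwise a real TODO for a certificate-path variant would be more accurate than the one being removed in spirit but kept in text.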