From e4c79b215530de6d3ec02d5e866aaed5f6e56e89 Mon Sep 17 00:00:00 2001
From: efim
Date: Mon, 9 Oct 2023 03:15:41 +0000
Subject: [PATCH] refactor: utilizing cool options for nginx
---
 auth-notes.org | 20 ++++++++++++++++++--
 flake.nix | 3 +--
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/auth-notes.org b/auth-notes.org
index 570d6a8..f2d0674 100644
--- a/auth-notes.org
+++ b/auth-notes.org
@@ -184,7 +184,7 @@ now works because front-end is setting up js 'new PocketBase'
 with 127.0.0.1 connection
 *** adding a custom flag:
 https://github.com/pocketbase/pocketbase/discussions/1900
-** TODO change some additional config to option :
+** DONE change some additional config to option :
 ${optionalString config.proxyWebsockets ''
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
@@ -192,13 +192,29 @@ https://github.com/pocketbase/pocketbase/discussions/1900
 ''}
 ( also in planning poker repo )
+https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/web-servers/nginx/default.nix#L428
 ** TODO add docker image from nix
 *** CANCELLED add cli for port and host
 ** TODO add readme and comments
-** TODO configure tls / ssl / https on franzk deployment
+** DONE configure tls / ssl / https on franzk deployment
+https://nixos.org/manual/nixos/stable/#module-security-acme-nginx
+( and also same here https://nixos.wiki/wiki/Nginx )
+ can it be configured on render.com?
+omg
+line 112 & 113 in project config:
+http://git.sunshine.industries/efim/go-ssr-pocketbase-oauth-attempt/commit/875de35177462f21732e3ba108a94d77a543da05
+
+and this in my server config:
+https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f
+
+this is all that's needed to enable tls
+mind blown
+** TODO somehow set cookie to httpOnly & secure
+with ability to disable for development session
+ ** TODO maybe add middleware so that 401 would be a page, and not json
 ** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
 http://localhost:8090/_/images/oauth2/apple.svg
diff --git a/flake.nix b/flake.nix
index 80f987b..baf712a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -114,10 +114,9 @@
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString cfg.port}";
 # taken from https://pocketbase.io/docs/going-to-production/
+ proxyWebsockets = true;
 extraConfig = ''
 # check http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
- proxy_set_header Connection ''';
- proxy_http_version 1.1;
 proxy_read_timeout 360s;
 proxy_set_header Host $host;
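Review bot: The `# check …ngx_http_upstream_module.html#keepalive` comment kept at the top of `extraConfig` in the flake.nix hunk is now stale, because the two directives it explained (`proxy_set_header Connection '''` and `proxy_http_version 1.1`) are removed here. `proxyWebsockets = true` is also not a like-for-like swap: per the module snippet quoted in auth-notes.org it emits `proxy_http_version 1.1` and `proxy_set_header Upgrade $http_upgrade`, and as far as I know it sets `Connection` from the upgrade map rather than clearing it. If so, client-supplied Upgrade requests are now forwarded to the backend on every path under `/`, and the upstream keepalive setup the comment referred to no longer applies, so "refactor" understates the change. I would replace the comment with something like `# HTTP/1.1 and Upgrade/Connection headers come from proxyWebsockets above` and confirm that PocketBase's realtime endpoint still works with the new headers. The `locations."/"` and `extraConfig` blocks both continue outside the hunk.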