diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index b1e6a4b..d66236b 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -64,8 +64,7 @@ in {
 PUBLIC_URL = "https://anubis.prg-radio.org";
 # Cookie domain for proper scoping (leading dot for all subdomains)
- # Use bare domain (no leading dot) for consistent modern browser behavior
- COOKIE_DOMAIN = "prg-radio.org";
+ COOKIE_DOMAIN = ".prg-radio.org";
 # Difficulty level
 DIFFICULTY = 7;
@@ -120,11 +119,7 @@ in {
 settings = {
 BIND_NETWORK = "tcp";
 BIND = "127.0.0.1:8094";
- TARGET = "http://10.1.1.249:8087";
- # When running Anubis in reverse-proxy (inline) mode we must tell
- # the instance the public URL it serves so redirects and assets use
- # the protected host instead of the central anubis host.
- PUBLIC_URL = "https://partdb.prg-radio.org";
+ TARGET = "http://10.1.1.249:8087"; # PartDB backend
 DIFFICULTY = 20;
 SERVE_ROBOTS_TXT = true;
 WEBMASTER_EMAIL = "dtu.prg@gmail.com";
@@ -246,12 +241,6 @@ in {
 };
 http.services = {
- # Direct backend service (used only for the root path bypass)
- partdb-direct.loadBalancer = {
- servers = [ { url = "http://10.1.1.249:8087"; } ];
- passHostHeader = true;
- };
-
 # Anubis service (challenge UI / redirect endpoint)
 anubis.loadBalancer = {
 servers = [
@@ -277,14 +266,9 @@ in {
 };
 partdb.loadBalancer = {
- # Route PartDB through the local Anubis reverse-proxy instance so the
- # challenge page and cookies are served inline on the same origin.
 servers = [ {url = "http://127.0.0.1:8094";} ];
- # Ensure Traefik forwards the original Host header to Anubis (and
- # ultimately to the backend) so absolute links and redirects are correct.
- passHostHeader = true;
 };
 };
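Review bot: `COOKIE_DOMAIN = ".prg-radio.org"` scopes the Anubis pass cookie to every host under prg-radio.org, so it is sent to, and can be overwritten by, any subdomain, including ones that are not behind Anubis. Browsers that follow RFC 6265 ignore the leading dot, so the dotted and bare forms should scope identically there; the change only matters if Anubis itself treats the two values differently, which is not visible in this hunk. The second hunk configures a separate instance at `DIFFICULTY = 20` while this one uses 7, so if both instances share a signing key (not shown), a pass earned at the lower difficulty may be honoured by the stricter one; confirm the keys are distinct or keep that instance's cookie host-only. The commit also deletes the only rationale comment, so I would put one back, e.g. `# Leading dot kept for <reason>; cookie is shared across all subdomains`.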
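Review bot: The re-added `TARGET` still points at plain `http://10.1.1.249:8087`, so everything behind the challenge, presumably including PartDB logins, crosses the LAN unencrypted once TLS ends at the proxy. Because the `partdb-direct` service is deleted further down and this instance appears to become the only intended path, the backend should accept connections only from this proxy host; the comment could record that, e.g. `TARGET = "http://10.1.1.249:8087"; # PartDB backend, plain HTTP on LAN: firewall to this host only`. With `PUBLIC_URL` removed, post-challenge redirects rely on the forwarded Host header; Traefik's `passHostHeader` defaults to true, so dropping it in the last hunk should not change that, but it is worth a quick check. The `settings` block starts and ends outside the hunk.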