From 4d65b091ac5f1bae1b7ab86a108ba694c78e0cbc Mon Sep 17 00:00:00 2001
From: Christine Elisabeth Koppel
Date: Sat, 14 Feb 2026 00:37:51 +0100
Subject: [PATCH] Try middle ware again
---
nix-system-configs/modules/system/traefik.nix | 79 ++++++-------------
1 file changed, 26 insertions(+), 53 deletions(-)
diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index d66236b..3fd1070 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -46,25 +46,26 @@ in {
 # Configure Anubis service
 services.anubis = {
+ # Use a single shared Anubis instance (redirect mode) so cookie + challenge
+ # state is consistent across all protected services.
 instances = {
- "" = {
+ shared = {
 enable = true;
 settings = {
- # Bind to TCP instead of Unix socket for Docker-style integration
 BIND_NETWORK = "tcp";
 BIND = "127.0.0.1:8090";
- # Empty TARGET for redirect mode
+ # Redirect mode (Anubis will issue challenges & redirects)
 TARGET = " ";
- # Configure redirect domains - ALL domains that should be able to redirect back after challenge
+ # Which domains are allowed to be redirected back to
 REDIRECT_DOMAINS = "prg-radio.org,git.prg-radio.org,wavelog.prg-radio.org,partdb.prg-radio.org,anubis.prg-radio.org";
- # Public URL for Anubis
+ # Public URL for this Anubis instance
 PUBLIC_URL = "https://anubis.prg-radio.org";
- # Cookie domain for proper scoping (leading dot for all subdomains)
- COOKIE_DOMAIN = ".prg-radio.org";
+ # Use bare domain for cookie scoping (modern browsers prefer no leading dot)
+ COOKIE_DOMAIN = "prg-radio.org";
 # Difficulty level
 DIFFICULTY = 7;
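Review bot: The new comment on `COOKIE_DOMAIN` gives a misleading rationale: RFC 6265 strips a leading dot from the Domain attribute, so `.prg-radio.org` and `prg-radio.org` scope the cookie identically, to the apex and every subdomain; suggest `# Cookie is sent to prg-radio.org and all subdomains (RFC 6265 ignores a leading dot)`. `TARGET = " "` is a single space rather than an empty string; if the space is a workaround for an empty value being rejected somewhere, the comment should say so, because the line reads like a typo and a later tidy-up back to `""` would change behaviour. Note also that the shared instance keeps `DIFFICULTY = 7` while the per-service instances this commit removes used 20, so git and partdb end up with a weaker challenge than before — fine if intended, but worth a line of comment. The `services.anubis` set continues outside the hunk.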
@@ -81,52 +82,6 @@ in {
 METRICS_BIND = "127.0.0.1:8091";
 };
 };
-
- # Per-service Anubis instances (reverse-proxy mode) ---------------------------
- forgejo = {
- enable = true;
- settings = {
- BIND_NETWORK = "tcp";
- BIND = "127.0.0.1:8092";
- TARGET = "http://10.1.1.4:3000"; # Forgejo backend
- DIFFICULTY = 20;
- SERVE_ROBOTS_TXT = true;
- WEBMASTER_EMAIL = "dtu.prg@gmail.com";
- METRICS_BIND_NETWORK = "tcp";
- METRICS_BIND = "127.0.0.1:8095";
- };
- };
-
- /*
- wavelog = {
- enable = true;
- settings = {
- BIND_NETWORK = "tcp";
- BIND = "127.0.0.1:8093";
- TARGET = "http://10.1.1.249:8086"; # Wavelog backend
- DIFFICULTY = 20;
- SERVE_ROBOTS_TXT = true;
- WEBMASTER_EMAIL = "dtu.prg@gmail.com";
- METRICS_BIND_NETWORK = "tcp";
- METRICS_BIND = "127.0.0.1:8096";
- };
- };
- */
-
- # This part needs investigating
- partdb = {
- enable = true;
- settings = {
- BIND_NETWORK = "tcp";
- BIND = "127.0.0.1:8094";
- TARGET = "http://10.1.1.249:8087"; # PartDB backend
- DIFFICULTY = 20;
- SERVE_ROBOTS_TXT = true;
- WEBMASTER_EMAIL = "dtu.prg@gmail.com";
- METRICS_BIND_NETWORK = "tcp";
- METRICS_BIND = "127.0.0.1:8097";
- };
- };
 };
 };
@@ -190,6 +145,20 @@ in {
 }
 ];
+ # ForwardAuth middleware so a single Anubis instance can protect many services
+ http.middlewares = lib.mkForce (lib.mkMerge [ (lib.optionalAttrs true {
+ anubis = {
+ forwardAuth = {
+ address = "http://127.0.0.1:8090/.within.website/x/cmd/anubis/api/check";
+ trustForwardHeader = true;
+ # Ensure Traefik forwards Set-Cookie from Anubis back to the client
+ authResponseHeaders = [ "Set-Cookie" ];
+ # Forward original host and proto so Anubis computes redirects correctly
+ authRequestHeaders = [ "X-Forwarded-Host" "X-Forwarded-Proto" ];
+ };
+ };
+ }) ]);
+
 http.routers = {
 #anubis-api = {
 # rule = "Host(`anubis.prg-radio.org`) && PathPrefix(`/.within.website/x/cmd/anubis/api`)";
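Review bot: `authRequestHeaders = [ "X-Forwarded-Host" "X-Forwarded-Proto" ]` is, per the Traefik forwardAuth documentation, an allow-list of request headers copied to the auth server (all headers are copied when the option is unset), so the client's `Cookie` header never reaches the Anubis check endpoint and a solved challenge cannot be recognised — every request is likely to be bounced back to the challenge; either drop the option or add `"Cookie"` (plus any header Anubis binds the challenge to, e.g. `"User-Agent"` — confirm against the Anubis docs). As far as I recall Traefik sets `X-Forwarded-Host`/`X-Forwarded-Proto` on the auth request itself, so listing them here is not what makes the redirects work. `trustForwardHeader = true` makes Traefik pass client-supplied `X-Forwarded-*` values through instead of overwriting them with the real ones; with the routers here terminating TLS on `websecure` and no upstream proxy visible, a client can then feed Anubis its own host/proto (the `REDIRECT_DOMAINS` allow-list in the first hunk bounds the damage, but the header should still be authoritative), so this should be `false` unless the entryPoint only accepts forwarded headers from trusted IPs. `lib.mkForce (lib.mkMerge [ (lib.optionalAttrs true { … }) ])` reduces to the inner attribute set, and the `mkForce` silently discards any other `http.middlewares` defined elsewhere in the configuration; `http.middlewares.anubis = { … };` says the same thing without the surprise. The enclosing dynamic-configuration set continues outside the hunk.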
@@ -212,6 +181,8 @@ in {
 rule = "Host(`git.prg-radio.org`)";
 service = "forgejo";
 entryPoints = ["websecure"];
+ # Protect via shared Anubis using forwardAuth
+ middlewares = ["anubis"];
 tls = {};
 };
@@ -236,6 +207,8 @@ in {
 rule = "Host(`partdb.prg-radio.org`)";
 service = "partdb";
 entryPoints = ["websecure"];
+ # Protect via shared Anubis using forwardAuth
+ middlewares = ["anubis"];
 tls = {};
 };
 };
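Review bot: Only the `git` and `partdb` routers gain `middlewares = ["anubis"]` (both hunks on this line make the same addition), while the `REDIRECT_DOMAINS` list in the first hunk also names `prg-radio.org` and `wavelog.prg-radio.org`; if routers for those hosts exist outside this diff and are meant to be challenged, they need the same line, otherwise the allow-list documents an intent the configuration does not enforce. The middleware is referenced by bare name; if a second Traefik provider is enabled alongside the file provider, a provider-qualified reference such as `anubis@file` avoids an ambiguous lookup — which providers are enabled cannot be told from this diff. Both routers' enclosing set starts outside the hunk.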