From 836ccc93cd1d63dd844f79cbb364558e6bc9be29 Mon Sep 17 00:00:00 2001 From: Conrad Kramer Date: Sun, 19 Apr 2026 14:04:42 -0700 Subject: [PATCH] Patch Zulip uwsgi scheme at runtime --- nixos/modules/burrow-zulip.nix | 62 ++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 30 deletions(-) diff --git a/nixos/modules/burrow-zulip.nix b/nixos/modules/burrow-zulip.nix index 9a805c4..3149a88 100644 --- a/nixos/modules/burrow-zulip.nix +++ b/nixos/modules/burrow-zulip.nix @@ -307,34 +307,6 @@ SQL install -m 0644 ${composeFile} ${lib.escapeShellArg "${cfg.dataDir}/compose.yaml"} : > ${lib.escapeShellArg "${cfg.dataDir}/secrets/email-password"} chmod 0600 ${lib.escapeShellArg "${cfg.dataDir}/secrets/email-password"} - cat > ${lib.escapeShellArg "${cfg.dataDir}/uwsgi_params"} <<'EOF' -uwsgi_param QUERY_STRING $query_string; -uwsgi_param REQUEST_METHOD $request_method; -uwsgi_param CONTENT_TYPE $content_type; -uwsgi_param CONTENT_LENGTH $content_length; -uwsgi_param REQUEST_URI $request_uri; -uwsgi_param PATH_INFO $document_uri; -uwsgi_param DOCUMENT_ROOT $document_root; -uwsgi_param SERVER_PROTOCOL $server_protocol; -uwsgi_param REQUEST_SCHEME $trusted_x_forwarded_proto; -uwsgi_param HTTPS on; -uwsgi_param REMOTE_ADDR $remote_addr; -uwsgi_param REMOTE_PORT $remote_port; -uwsgi_param SERVER_ADDR $server_addr; -uwsgi_param SERVER_PORT $server_port; -uwsgi_param SERVER_NAME $server_name; -uwsgi_param HTTP_X_REAL_IP $remote_addr; -uwsgi_param HTTP_X_FORWARDED_PROTO $trusted_x_forwarded_proto; -uwsgi_param HTTP_X_FORWARDED_SSL ""; -uwsgi_param HTTP_X_PROXY_MISCONFIGURATION $x_proxy_misconfiguration; - -# This value is the default, and is provided for explicitness; it must -# be longer than the configured 55s "harakiri" timeout in uwsgi -uwsgi_read_timeout 60s; - -uwsgi_pass django; -EOF - chmod 0644 ${lib.escapeShellArg "${cfg.dataDir}/uwsgi_params"} metadata_xml="$(${pkgs.curl}/bin/curl -fsSL https://${cfg.authentikDomain}/application/saml/${cfg.authentikProviderSlug}/metadata/)" saml_cert="$(printf '%s' "$metadata_xml" | ${pkgs.python3}/bin/python3 -c ' @@ -418,8 +390,6 @@ services: }, }, } - volumes: - - ${cfg.dataDir}/uwsgi_params:/etc/nginx/uwsgi_params:ro EOF ''; }; @@ -484,6 +454,37 @@ EOF chmod 0600 "$zulip_data_dir/secrets/bootstrap-owner-password" } + patch_uwsgi_scheme_handling() { + podman exec burrow-zulip_zulip_1 bash -lc "cat > /etc/nginx/uwsgi_params <<'EOF' +uwsgi_param QUERY_STRING \$query_string; +uwsgi_param REQUEST_METHOD \$request_method; +uwsgi_param CONTENT_TYPE \$content_type; +uwsgi_param CONTENT_LENGTH \$content_length; +uwsgi_param REQUEST_URI \$request_uri; +uwsgi_param PATH_INFO \$document_uri; +uwsgi_param DOCUMENT_ROOT \$document_root; +uwsgi_param SERVER_PROTOCOL \$server_protocol; +uwsgi_param REQUEST_SCHEME \$trusted_x_forwarded_proto; +uwsgi_param HTTPS on; +uwsgi_param REMOTE_ADDR \$remote_addr; +uwsgi_param REMOTE_PORT \$remote_port; +uwsgi_param SERVER_ADDR \$server_addr; +uwsgi_param SERVER_PORT \$server_port; +uwsgi_param SERVER_NAME \$server_name; +uwsgi_param HTTP_X_REAL_IP \$remote_addr; +uwsgi_param HTTP_X_FORWARDED_PROTO \$trusted_x_forwarded_proto; +uwsgi_param HTTP_X_FORWARDED_SSL \"\"; +uwsgi_param HTTP_X_PROXY_MISCONFIGURATION \$x_proxy_misconfiguration; + +# This value is the default, and is provided for explicitness; it must +# be longer than the configured 55s harakiri timeout in uwsgi +uwsgi_read_timeout 60s; + +uwsgi_pass django; +EOF +supervisorctl restart nginx zulip-django >/dev/null" + } + bootstrap_realm_if_needed() { local realm_exists local attempts=0 @@ -532,6 +533,7 @@ EOF ensure_zulip_data_layout compose up -d zulip + patch_uwsgi_scheme_handling bootstrap_realm_if_needed ''; };