commit cde5b0117344e4456e58f761271d5910bd3dfbcd
parent 9593d63f393d31dbe72f239b348ca1c3e875dfd7
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 24 Apr 2025 11:12:30 +0200
parent 9593d63f393d31dbe72f239b348ca1c3e875dfd7
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 24 Apr 2025 11:12:30 +0200
configurations/nixos/configure/smarthome/mqtt-webui: don't require auth for webmanifest and favicon
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/configurations/nixos/configure/smarthome/mqtt-webui/default.nix b/configurations/nixos/configure/smarthome/mqtt-webui/default.nix @@ -13,9 +13,10 @@ extraConfig = '' ssl_crl /etc/ctucxCA.crl; ssl_client_certificate ${../../../../../secrets/certs/rootCA.crt}; - ssl_verify_client on; + ssl_verify_client optional; ''; + locations = { "/" = { root = "${pkgs.buildEnv { @@ -26,13 +27,25 @@ (pkgs.writeTextDir "config.json" (builtins.toJSON (import ./config.nix))) ]; }}/"; + extraConfig = '' + location ~ ^/(?!(favicon-512x512\.png|manifest\.json)) { + if ($ssl_client_verify != SUCCESS) { + return 403; + } + } + ''; }; "/mqtt" = { proxyPass = "http://[::1]:9005"; proxyWebsockets = true; + extraConfig = '' + if ($ssl_client_verify != SUCCESS) { + return 403; + } + ''; }; }; }; }; -}- \ No newline at end of file +}
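Review bot: Switching the server-level `ssl_verify_client` from `on` to `optional` in the first hunk makes the whole vhost fail open. Any location that does not carry its own `$ssl_client_verify` check is now reachable without a client certificate, including ones added later or defined outside the lines shown here. The `ssl_crl` and `ssl_client_certificate` lines still apply only when a certificate is actually presented. I would record that invariant next to the directive, for example `# client cert is optional here: every location must reject $ssl_client_verify != SUCCESS itself`, so the next location added to this attribute set is not public by accident. The surrounding virtual-host definition starts and ends outside the hunk, so whether other locations exist cannot be confirmed from this diff.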
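Review bot: The negative lookahead in the nested location of the second hunk is not anchored at the end, so it exempts every URI that merely starts with `/favicon-512x512.png` or `/manifest.json`, not only those two files. Such requests skip the regex location, fall through to the `"/"` root and are served without the certificate check if a matching file exists in the build output. Anchoring the alternatives closes that gap: `location ~ ^/(?!(favicon-512x512\.png|manifest\.json)$) {`. A stricter layout would put the two public files into exact-match locations (`"= /manifest.json"`, `"= /favicon-512x512.png"`) and the 403 check directly in `"/"`, which makes the exemption an allow-list instead of a regex exception. The `/mqtt` block repeats the same `if`, which is correct here because the nested regex location is never consulted for that prefix.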