authorTimo Wilken2024-02-25 22:49:08 +0100
committerTimo Wilken2024-02-25 23:36:55 +0100
commit8a1155d74738df37cf40fabbea554e2fd803c84b (patch)
tree80414b8c968a86bf20dc108a926a9c0f549653ff
parent0c6999726c122ad9c3b89b1ed4e674017b1aeec4 (diff)
Reverse proxy tweaks for Paperless
* Allow large uploads through nginx * Pass through WebSocket connections
-rw-r--r--tw/services/paperless.scm12
-rw-r--r--tw/services/web.scm20
2 files changed, 25 insertions, 7 deletions
diff --git a/tw/services/paperless.scm b/tw/services/paperless.scm
index 6db99f65..b643ac99 100644
--- a/tw/services/paperless.scm
+++ b/tw/services/paperless.scm
@@ -4,6 +4,7 @@
#:use-module (gnu services)
#:use-module (gnu services configuration)
#:use-module (gnu services databases)
+ #:use-module (gnu services web)
#:use-module (guix records)
#:use-module (tw services docker)
#:use-module (tw services restic)
@@ -80,7 +81,16 @@ PAPERLESS_GID=" (number->string %paperless-uid) "
(destination-ip
(if (string=? bind-address "0.0.0.0")
"127.0.0.1"
- bind-address)))))))
+ bind-address))
+ (extra-locations
+ (list (nginx-location-configuration
+ (uri "/ws/") ; e.g. /ws/status/ endpoint
+ ;; https://nginx.org/en/docs/http/websocket.html
+ (body `(("proxy_pass http://" ,destination-ip ":"
+ ,(number->string destination-port) ";")
+ "proxy_http_version 1.1;"
+ "proxy_set_header Upgrade $http_upgrade;"
+ "proxy_set_header Connection \"upgrade\";"))))))))))
(define %paperless-backup-repo
(restic-local-repository (path "/var/backups/paperless")))
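Review bot: The new `/ws/` location sets only the Upgrade and Connection headers, so unlike the default `/` location in tw/services/web.scm it does not forward the client's Host header. nginx does not share `proxy_set_header` directives between sibling locations, so on WebSocket requests the backend would see the upstream address as Host, which may interfere with any host or origin validation Paperless performs (not visible here). Consider adding `"proxy_set_header Host $http_host;"` to this body so both locations present the same Host. The enclosing definition starts outside the hunk.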
diff --git a/tw/services/web.scm b/tw/services/web.scm
index 835aebd3..aed11083 100644
--- a/tw/services/web.scm
+++ b/tw/services/web.scm
@@ -5,7 +5,7 @@
#:use-module (gnu services web)
#:use-module (guix gexp)
#:use-module (guix records)
- #:use-module ((srfi srfi-1) #:select (concatenate))
+ #:use-module ((srfi srfi-1) #:select (every concatenate))
#:export (%nginx-cert-deploy-hook
https-reverse-proxy-service-type
https-reverse-proxy-configuration))
@@ -14,6 +14,10 @@
(program-file "nginx-cert-deploy-hook"
#~(kill (call-with-input-file "/var/run/nginx/pid" read) SIGHUP)))
+(define (list-of-nginx-location-configurations? thing)
+ (and (list? thing)
+ (every nginx-location-configuration? thing)))
+
(define-configuration/no-serialization https-reverse-proxy-configuration
(domains list-of-strings "List of domain names that nginx should proxy
requests for.")
@@ -21,8 +25,9 @@ requests for.")
proxied to.")
(destination-ip (string "127.0.0.1") "The IP address of the server that
should be proxied to. Usually, this should be localhost.")
- (destination-protocol (string "http") "The protocol that the proxied service
-speaks. Set to @code{\"https\"} if you want to proxy HTTPS-to-HTTPS."))
+ (extra-locations (list-of-nginx-location-configurations '()) "A list of
+@code{nginx-location-configuration} records to apply in addition to the
+default one."))
(define (reverse-proxy-certificate config)
(match-record config <https-reverse-proxy-configuration> (domains)
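Review bot: The docstring for `extra-locations` should say that these locations do not pick up the directives of the default `/` location, so each record must carry its own `proxy_pass` and any headers or limits it needs. I would extend the text with something like `Each location is emitted as given and does not inherit proxy_pass, headers or body-size limits from the default one.` Separately, this hunk removes the `destination-protocol` field from the exported configuration, which the commit message does not mention; callers that still set it (none are visible here) would stop evaluating.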
@@ -32,7 +37,7 @@ speaks. Set to @code{\"https\"} if you want to proxy HTTPS-to-HTTPS."))
(define (reverse-proxy-nginx-server config)
(match-record config <https-reverse-proxy-configuration>
- (domains destination-port destination-ip)
+ (domains destination-port destination-ip extra-locations)
(nginx-server-configuration
(listen '("443 ssl http2"))
(server-name domains)
@@ -40,12 +45,15 @@ speaks. Set to @code{\"https\"} if you want to proxy HTTPS-to-HTTPS."))
(ssl-certificate-key (string-append "/etc/letsencrypt/live/" (car domains) "/privkey.pem"))
(server-tokens? #f)
(locations
- (list (nginx-location-configuration
+ (cons (nginx-location-configuration
(uri "/")
(body `(("proxy_pass http://" ,destination-ip ":"
,(number->string destination-port) ";")
;; For Grafana: https://grafana.com/tutorials/run-grafana-behind-a-proxy/#configure-nginx
- "proxy_set_header Host $http_host;"))))))))
+ "proxy_set_header Host $http_host;"
+ ;; Allow large file uploads (for Paperless).
+ "client_max_body_size 100M;")))
+ extra-locations)))))
(define (reverse-proxy-certificates configs)
(map reverse-proxy-certificate configs))
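Review bot: `client_max_body_size 100M;` is added to the shared default location, so every service behind `https-reverse-proxy-service-type` now accepts 100 MB request bodies instead of nginx's 1m default, although the comment says only Paperless needs it. That widens the exposure to large-upload resource exhaustion on the other proxied services (the Grafana comment suggests there is at least one). Consider a per-service field such as `(max-body-size (string "1m") "Value for client_max_body_size.")`, emitted in the body as `("client_max_body_size " ,max-body-size ";")`, with the Paperless configuration setting it to 100M. reverse-proxy-nginx-server starts outside the hunk.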