From 878134dd4bfabe5fe9e1715b9c09765cc8e16051 Mon Sep 17 00:00:00 2001
From: Andrew Bryant
Date: Mon, 25 May 2026 19:09:49 -0400
Subject: [PATCH] nixos-module/invoiceninja.nix: update nginx to work with Invoice Ninja
---
 nixos-module/invoiceninja.nix | 47 ++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 17 deletions(-)
diff --git a/nixos-module/invoiceninja.nix b/nixos-module/invoiceninja.nix
index a3e7fe5..23817ca 100644
--- a/nixos-module/invoiceninja.nix
+++ b/nixos-module/invoiceninja.nix
@@ -498,28 +498,42 @@ in
 addSSL = lib.mkForce (if (cfg.hostname == "localhost") then false else true);
 enableACME = lib.mkForce (if (cfg.hostname == "localhost") then false else true);
 locations = {
+ # Handle Laravel Routes
 "/".tryFiles = "$uri $uri/ /index.php?$query_string";
- "/".extraConfig = ''
- if (!-e $request_filename) {
- rewrite ^(.+)$ /index.php?q=$1 last;
- }
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' '*';
- add_header 'Access-Control-Max-Age' 0;
- add_header 'Content-Length' 0;
- add_header 'Access-Control-Allow-Headers' 'X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Disposition,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE';
- add_header 'Access-Control-Expose-Headers' 'X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE';
- add_header 'Access-Control-Allow-Credentials' false;
- '';
- "~ \\.php$".extraConfig = "return 403;";
- "= /index.php".extraConfig = ''
+
+ # PHP Processing
+ "~ \\.php$".extraConfig = ''
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_pass unix:${config.services.phpfpm.pools.invoiceninja.socket};
+ fastcgi_index index.php;
 '';
+
+ # Security: Deny access to hidden files
 "~ /\\.ht".extraConfig = "deny all;";
+
+ # Static Files Caching
+ "~* \\.(jpg|jpeg|png|gif|ico|css|js)$".extraConfig = ''
+ expires 1y;
+ add_header Cache-Control "public, immutable";
+ '';
 };
 extraConfig = ''
- index index.html index.htm index.php;
+ index index.php index.html index.htm;
 error_page 404 /index.php;
+
+ if (!-e $request_filename) {
+ rewrite ^(.+)$ /index.php?q= last;
+ }
+
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' '*';
+ add_header 'Access-Control-Max-Age' 0;
+ add_header 'Content-Length' 0;
+ add_header 'Access-Control-Allow-Headers' 'X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Disposition,Content-Type,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE';
+ add_header 'Access-Control-Expose-Headers' 'X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE';
+ add_header 'Access-Control-Allow-Credentials' false;
 '';
 }
 (lib.mkIf (cfg.hostname != "localhost") {
@@ -553,9 +567,8 @@ in
 hostName = lib.mkForce proto_hostname;
 extraConfig = ''
 encode zstd gzip
- root * ${invoiceninja}/public
+ root ${invoiceninja}/public
 php_fastcgi unix/${config.services.phpfpm.pools.invoiceninja.socket}
- try_files {path} /index.html
 header {
 Access-Control-Allow-Origin "*"
 Access-Control-Allow-Methods "*"
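Review bot: The new `"~ \\.php$"` location hands every request ending in `.php` to the PHP-FPM pool, where the removed lines answered such requests with `return 403;` and passed only `= /index.php` to FastCGI; nothing in the new block checks that the script exists or is the front controller. If only the front controller needs to run, keep `"= /index.php"` as the FastCGI location and the `return 403;` rule for other `.php` paths; otherwise add `try_files $uri =404;` before `fastcgi_pass`. Moving the `add_header` lines into the server-level `extraConfig` also means `add_header 'Content-Length' 0;` and the wildcard CORS headers are now inherited by the PHP location (it declares no `add_header` of its own), so application responses would carry an extra `Content-Length: 0`; that line looks like it belongs only to a preflight (`OPTIONS`) reply. The re-added rewrite reads `/index.php?q= last;` where the removed one had `q=$1`, so the captured path is no longer passed. The virtual-host attribute set starts and ends outside the hunk.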
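Review bot: Dropping the `*` from `root` is likely to break Caddyfile parsing: Caddy reads a first argument that starts with `/` as a path matcher, and `${invoiceninja}` presumably expands to an absolute store path, so `root ${invoiceninja}/public` would be taken as a matcher with no root argument. Keep the wildcard matcher, `root * ${invoiceninja}/public`. The `extraConfig` string and its `header { … }` block continue past the end of the hunk, so whether the wildcard CORS headers set there are still intended cannot be judged from here.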