From 199ccd4034cfacb631b1ae38345c36c8590a1de0 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Fri, 12 Apr 2024 16:38:15 +0200
Subject: [PATCH] feat(kanidm): Update allowed domains for the CORS
---
 machines/compute01/kanidm/default.nix | 34 +++++++++++++++++++--------
 1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/machines/compute01/kanidm/default.nix b/machines/compute01/kanidm/default.nix
index 162345f..33acdd4 100644
--- a/machines/compute01/kanidm/default.nix
+++ b/machines/compute01/kanidm/default.nix
@@ -1,18 +1,32 @@
-{ config, nixpkgs, ... }:
+{
+ config,
+ lib,
+ nixpkgs,
+ ...
+}:
 let
+ inherit (lib) escapeRegex concatStringsSep;
+
 domain = "sso.dgnum.eu";
 cert = config.security.acme.certs.${domain};
- allowedSubDomains = [
- "cloud"
- "git"
- "videos"
- "social"
- "demarches"
- "netbird"
- ];
+ allowedDomains = builtins.map escapeRegex (
+ (builtins.map (s: "${s}.dgnum.eu") [
+ # DGNum subdomains
+ "cloud"
+ "git"
+ "videos"
+ "social"
+ "demarches"
+ "netbird"
+ ])
+ ++ [
+ # Extra domains
+ "netbird-beta.hubrecht.ovh"
+ ]
+ );
 in
 {
 services.kanidm = {
@@ -53,7 +67,7 @@ in
 set $origin $http_origin;
- if ($origin !~ '^https?://(${builtins.concatStringsSep "|" allowedSubDomains})\.dgnum\.eu$') {
+ if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
 set $origin 'https://${domain}';
 }
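Review bot: The `# Extra domains` entry in `allowedDomains` (first hunk) adds `netbird-beta.hubrecht.ovh`, a host outside `dgnum.eu`, to the set of origins the SSO server will echo back in its CORS response, and the comment records neither who controls that host nor when the entry can be removed; I would expand it to `# Extra domains: hosts outside dgnum.eu trusted as CORS origins for SSO — note owner and removal condition per entry`, with the concrete details filled in by the author. Moving the dot-escaping into `escapeRegex` is an improvement, since the previous pattern only escaped the `.dgnum.eu` suffix. The regex in the second hunk still begins `^https?://`, so a plain-http `Origin` for any listed host is accepted as-is; if every listed host is only served over TLS (the module already provisions an ACME cert for `domain`, so this seems likely but is not visible here), changing it to `if ($origin !~ '^https://(${concatStringsSep "|" allowedDomains})$') {` closes that gap. The nginx location block around the second hunk starts and ends outside the visible patch.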