diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index 8b3b97d..33427e7 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -78,6 +78,14 @@ in
 recommendedGzipSettings = true;
 eventsConfig = "worker_connections 4096;";
+ # CORS origin allowlist for MCP servers
+ commonHttpConfig = ''
+ map $http_origin $mcp_cors_origin {
+ default "";
+ "https://ai.${domain}" "https://ai.${domain}";
+ }
+ '';
+
 # Catch-all default - friendly error for unknown subdomains
 virtualHosts."_" = {
 default = true;
@@ -148,6 +156,23 @@ in
 proxyWebsockets = true;
 extraConfig = ''
 include ${config.sops.templates."nginx-mcp-auth.conf".path};
+
+ # CORS — $mcp_cors_origin is set by the http-level map
+ # and is empty for disallowed origins
+ if ($request_method = OPTIONS) {
+ add_header Access-Control-Allow-Origin $mcp_cors_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+ add_header Access-Control-Max-Age 86400 always;
+ return 204;
+ }
+
+ add_header Access-Control-Allow-Origin $mcp_cors_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+
 proxy_read_timeout 300s;
 proxy_send_timeout 300s;
 '';
diff --git a/system/machines/server/system.nix b/system/machines/server/system.nix
index 43b75f6..1ceac33 100644
--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
@@ -40,7 +40,7 @@
 nginx = {
 enable = true;
 };
- sandpack.enable = true;
+ sandpack.enable = false;
 forgejo.enable = true;
 frigate.enable = true;
 immich.enable = true;
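Review bot: The allowlist only works because nginx's add_header emits nothing when its value expands to the empty string, which is what turns `default "";` in the new map into a deny for unlisted origins, yet the one-line comment above `commonHttpConfig` does not say so and the next maintainer could "fix" the default to `*` or a literal host. Suggest replacing that comment with `# CORS origin allowlist for MCP servers: default "" makes add_header skip Access-Control-Allow-Origin entirely, which is the deny case — do not change it to a wildcard`. It is also worth stating that the map compares `$http_origin` byte-for-byte, so an origin on another scheme or port of the same host is deliberately not matched rather than being a bug. The attribute set that holds this map continues outside the hunk.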
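Review bot: The location now returns an Access-Control-Allow-Origin whose value depends on the requesting origin but never emits `Vary: Origin`, so a shared cache or the browser's own cache may hand a response tagged for one origin to a request from another; add `add_header Vary Origin always;` beside the location-level add_header lines and again inside the OPTIONS block, since add_header directives inside an `if` replace rather than merge with the outer ones (which is presumably why the five headers are repeated — a short comment saying so would stop someone deduplicating them). The placement after `include ${config.sops.templates."nginx-mcp-auth.conf".path};` also needs a check that the diff cannot answer: browsers send the OPTIONS preflight without credentials, so if that include enforces auth with an `if`/`return` in the rewrite phase the preflight is rejected before `return 204` is reached and the CORS handshake never completes, whereas an access-phase directive such as auth_basic is bypassed by the early return as intended. The include's contents are not in the diff, so this is inferred; confirm which phase it uses and document the expected order in the comment block. The enclosing virtualHost definition starts and ends outside the hunk.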