fix: basecamp headers

hosts/AZ-CLD-1/services/containers/baserow.nix

@@ -8,11 +8,19 @@
   servicePort = portUtils.getPort serviceName "AZ-CLD-1";
 in {
   virtualisation.oci-containers.containers.${serviceName} = {
-    image = "docker.io/baserow/baserow:2.1.0";
+    image = "docker.io/baserow/baserow:2.1.6";
     environment = {
       BASEROW_AMOUNT_OF_GUNICORN_WORKERS = "4";
       BASEROW_AMOUNT_OF_WORKERS = "2";
       DATABASE_CONN_MAX_AGE = "60";
+      # Proxy: tell Django the connection is HTTPS so cookies get Secure flag
+      BASEROW_ENABLE_SECURE_PROXY_SSL_HEADER = "yes";
+      # Published apps run on different origins — allow cross-origin cookie delivery
+      BASEROW_FRONTEND_SAME_SITE_COOKIE = "none";
+      # Valid base domain for published app subdomains
+      BASEROW_BUILDER_DOMAINS = "az-gruppe.com";
+      # Disable Caddy's on_demand TLS — Traefik handles TLS termination
+      BASEROW_CADDY_GLOBAL_CONF = "auto_https off";
     };
     environmentFiles = [config.age.secrets.baserow-env.path];
     ports = ["127.0.0.1:${toString servicePort}:80"];
@@ -28,6 +36,13 @@ in {
       }
     ];
 
+    middlewares."${serviceName}-headers".headers = {
+      customRequestHeaders = {
+        X-Forwarded-Proto = "https";
+        X-Forwarded-Port = "443";
+      };
+    };
+
     routers.${serviceName} = {
       rule = "Host(`br.az-gruppe.com`)";
       tls = {
@@ -35,6 +50,7 @@ in {
       };
       service = serviceName;
       entrypoints = "websecure";
+      middlewares = ["${serviceName}-headers"];
     };
 
     routers.azubi = {
@@ -44,6 +60,7 @@ in {
       };
       service = serviceName;
       entrypoints = "websecure";
+      middlewares = ["${serviceName}-headers"];
     };
     routers.ausbilder = {
       rule = "Host(`ausbilder.az-gruppe.com`)";
@@ -52,6 +69,7 @@ in {
       };
       service = serviceName;
       entrypoints = "websecure";
+      middlewares = ["${serviceName}-headers"];
     };
   };
 }