hswaw/beyondspace: fix https redirect pollution for local non-https services

Change-Id: I86505b571695e1bbcfccf869817f627140d7b596
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1786
Reviewed-by: informatic <informatic@hackerspace.pl>

hswaw/machines/customs.hackerspace.pl/beyondspace.nix

@@ -39,13 +39,19 @@ in with lib; {
     '';
 
   services.nginx.virtualHosts."beyond.waw.hackerspace.pl" = {
-    forceSSL = true;
+    # NOTE: we *can't* use forceSSL here for services that do not use HTTPS in
+    # local network setups, since this will pollute browser's redirect cache...
+    addSSL = true;
     enableACME = true;
 
     serverAliases = attrNames beyondspaceDomains;
 
     locations."/oauth2/" = {
       extraConfig = ''
+        if ($scheme != https) {
+          return 302 https://$host$request_uri;
+        }
+
         proxy_pass       http://127.0.0.1:4180;
         proxy_set_header Host                    $host;
         proxy_set_header X-Real-IP               $remote_addr;
@@ -56,6 +62,10 @@ in with lib; {
 
     locations."= /oauth2/auth" = {
       extraConfig = ''
+        if ($scheme != https) {
+          return 302 https://$host$request_uri;
+        }
+
         proxy_pass       http://127.0.0.1:4180;
         proxy_set_header Host             $host;
         proxy_set_header X-Real-IP        $remote_addr;
@@ -69,6 +79,10 @@ in with lib; {
 
     locations."/" = {
       extraConfig = ''
+        if ($scheme != https) {
+          return 302 https://$host$request_uri;
+        }
+
         auth_request /oauth2/auth;
         error_page 401 = /oauth2/sign_in;