From 1d68ed73c33264a312f5993e2abc38ea550baa16 Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski
Date: Sat, 28 Oct 2023 17:21:54 +0200
Subject: [PATCH 1/2] add nginx virtual host for files.pub.solar
---
 .../nachtigall/apps/nginx-mastodon-files.nix | 62 +++++++++++++++++++
 hosts/nachtigall/default.nix | 1 +
 2 files changed, 63 insertions(+)
 create mode 100644 hosts/nachtigall/apps/nginx-mastodon-files.nix
diff --git a/hosts/nachtigall/apps/nginx-mastodon-files.nix b/hosts/nachtigall/apps/nginx-mastodon-files.nix
new file mode 100644
index 00000000..4ad7e5c3
--- /dev/null
+++ b/hosts/nachtigall/apps/nginx-mastodon-files.nix
@@ -0,0 +1,62 @@
+{ ... }:
+
+let
+ objStorHost = "link.tardigradeshare.io";
+ objStorBucket = "s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon";
+in
+{
+ services.nginx.virtualHosts = {
+ "files.pub.solar" = {
+ default = true;
+ enableACME = true;
+
+ locations = {
+ "= /" = {
+ index = "index.html";
+ };
+
+ "/" = {
+ tryFiles = "$uri @s3";
+ };
+
+ "@s3" = {
+ extraConfig = ''
+ limit_except GET {
+ deny all;
+ }
+
+ resolver 8.8.8.8;
+ proxy_set_header Host $host;
+ proxy_set_header Connection \'\';
+ proxy_set_header Authorization \'\';
+ proxy_hide_header Set-Cookie;
+ proxy_hide_header 'Access-Control-Allow-Origin';
+ proxy_hide_header 'Access-Control-Allow-Methods';
+ proxy_hide_header 'Access-Control-Allow-Headers';
+ proxy_hide_header x-amz-id-2;
+ proxy_hide_header x-amz-request-id;
+ proxy_hide_header x-amz-meta-server-side-encryption;
+ proxy_hide_header x-amz-server-side-encryption;
+ proxy_hide_header x-amz-bucket-region;
+ proxy_hide_header x-amzn-requestid;
+ proxy_ignore_headers Set-Cookie;
+ proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
+ proxy_intercept_errors off;
+
+ proxy_cache mastodon_files;
+ proxy_cache_valid 200 48h;
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+ proxy_cache_lock on;
+
+ expires 1y;
+ add_header Cache-Control public;
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header X-Cache-Status $upstream_cache_status;
+ add_header X-Content-Type-Options nosniff;
+ add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 57535d45..f312e68e 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -10,6 +10,7 @@
 ./nix.nix
 ./apps/nginx.nix
+ ./apps/nginx-mastodon-files.nix
 ./apps/nginx-website.nix
 ./apps/mastodon.nix
 ./apps/opensearch.nix
From d4ab1756b393d7ce2e1f2096a4a70882cffe035c Mon Sep 17 00:00:00 2001
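Review bot: The `@s3` location proxies to `https://${objStorHost}` without `proxy_ssl_verify on`, and nginx defaults that directive to off, so the upstream certificate is never validated and a wrong or substituted upstream (the hostname is resolved at request time through `resolver 8.8.8.8` because `proxy_pass` contains `$request_uri`) would go undetected. Add `proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl_server_name on;` beside `proxy_pass` — the last directive sends SNI, which the share host presumably requires, verify. `proxy_cache mastodon_files` refers to a `keys_zone` this patch does not declare; it presumably lives in ./apps/nginx.nix, worth confirming since nginx refuses to start without it. The share key embedded in `objStorBucket` also appears to be what grants direct read access to the bucket, which is acceptable only if the bucket is meant to be public, as it is now part of the repository history.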
From: teutat3s
Date: Sat, 28 Oct 2023 17:56:55 +0200
Subject: [PATCH 2/2] fix: files.pub.solar force TLS, remove default site
---
 hosts/nachtigall/apps/nginx-mastodon-files.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/nachtigall/apps/nginx-mastodon-files.nix b/hosts/nachtigall/apps/nginx-mastodon-files.nix
index 4ad7e5c3..1f615d49 100644
--- a/hosts/nachtigall/apps/nginx-mastodon-files.nix
+++ b/hosts/nachtigall/apps/nginx-mastodon-files.nix
@@ -7,8 +7,8 @@ in
 {
 services.nginx.virtualHosts = {
 "files.pub.solar" = {
- default = true;
 enableACME = true;
+ forceSSL = true;
 locations = {
 "= /" = {