diff --git a/hosts/nachtigall/apps/mastodon.nix b/hosts/nachtigall/apps/mastodon.nix
index a71a521e..18299a1e 100644
--- a/hosts/nachtigall/apps/mastodon.nix
+++ b/hosts/nachtigall/apps/mastodon.nix
@@ -36,7 +36,6 @@
   enable = true;
   # Different from WEB_DOMAIN in our case
   localDomain = "pub.solar";
-  configureNginx = true;
   enableUnixSocket = true;
   # Processes used by the mastodon-streaming service. Defaults to the number
   # of CPU cores minus one
diff --git a/hosts/nachtigall/apps/nginx-mastodon-files.nix b/hosts/nachtigall/apps/nginx-mastodon-files.nix
index 1f615d49..8ca4499f 100644
--- a/hosts/nachtigall/apps/nginx-mastodon-files.nix
+++ b/hosts/nachtigall/apps/nginx-mastodon-files.nix
@@ -26,7 +26,7 @@ in
       }
       resolver 8.8.8.8;
-      proxy_set_header Host $host;
+      proxy_set_header Host ${objStorHost};
       proxy_set_header Connection \'\';
       proxy_set_header Authorization \'\';
       proxy_hide_header Set-Cookie;
@@ -42,8 +42,10 @@ in
       proxy_ignore_headers Set-Cookie;
       proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
       proxy_intercept_errors off;
+      proxy_ssl_protocols TLSv1.2 TLSv1.3;
+      proxy_ssl_server_name on;
-      proxy_cache mastodon_files;
+      proxy_cache cache;
       proxy_cache_valid 200 48h;
       proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
       proxy_cache_lock on;
diff --git a/hosts/nachtigall/apps/nginx-mastodon.nix b/hosts/nachtigall/apps/nginx-mastodon.nix
new file mode 100644
index 00000000..4712a59f
--- /dev/null
+++ b/hosts/nachtigall/apps/nginx-mastodon.nix
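Review bot: The two `proxy_ssl_*` directives added after `proxy_intercept_errors off;` turn on SNI and pin the protocol version, but the HTTPS connection to `${objStorHost}` is still not certificate-verified, because nginx defaults to `proxy_ssl_verify off`; combined with the unauthenticated `resolver 8.8.8.8;` lookups in the previous hunk, anyone who can answer that DNS query or sit on-path can inject arbitrary media into a cache that keeps it for 48h. Add `proxy_ssl_verify on;`, `proxy_ssl_verify_depth 2;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (the NixOS system bundle; adjust if this host uses another path) next to the new lines, and `proxy_ssl_name` can stay at its default since it already derives from the `proxy_pass` host. The `proxy_cache cache;` rename assumes a zone of that name is declared elsewhere, which this hunk does not show. The location block these directives belong to starts outside the hunk.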
@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.mastodon;
+in
+{
+  services.nginx.virtualHosts = {
+    "mastodon.pub.solar" = {
+      root = "${cfg.package}/public/";
+      # mastodon only supports https, but you can override this if you offload tls elsewhere.
+      forceSSL = lib.mkDefault true;
+      enableACME = lib.mkDefault true;
+
+      locations."/system/".alias = "/var/lib/mastodon/public-system/";
+
+      locations."/" = {
+        tryFiles = "$uri @proxy";
+      };
+
+      locations."/auth/sign_up".extraConfig = ''
+        return 302 /auth/sign_in;
+      '';
+
+      locations."/auth/confirmation/new".extraConfig = ''
+        return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
+      '';
+
+      locations."/auth/password/new".extraConfig = ''
+        return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
+      '';
+
+      locations."@proxy" = {
+        proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}");
+        proxyWebsockets = true;
+      };
+
+      locations."/api/v1/streaming/" = {
+        proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/");
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
diff --git a/hosts/nachtigall/apps/nginx.nix b/hosts/nachtigall/apps/nginx.nix
index 37943f05..27155837 100644
--- a/hosts/nachtigall/apps/nginx.nix
+++ b/hosts/nachtigall/apps/nginx.nix
@@ -12,7 +12,13 @@ in {
     enable = true;
     group = webserverGroup;
     enableReload = true;
+    proxyCachePath.cache = {
+      enable = true;
+    };
+    recommendedProxySettings = true;
   };
+  # Nginx user needs access to mastodon unix sockets
+  users.users.nginx.extraGroups = [ "mastodon" ];
 
   security.acme = {
     acceptTerms = true;
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index f312e68e..f25f4899 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
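Review bot: The `return 302` locations for `/auth/sign_up`, `/auth/confirmation/new` and `/auth/password/new` only intercept the GET pages; under Devise's default routing the endpoints that actually act (`POST /auth` to create an account, `POST /auth/confirmation`, `POST`/`PUT /auth/password`) still fall through `locations."/"` to `@proxy`, so a client can skip the redirect and submit the form directly. If the intent is to force sign-up and credential resets through auth.pub.solar, that must be enforced in Mastodon itself (closed registrations, local password recovery not relied upon); a comment above the three blocks such as `# Cosmetic redirects only: registration and password flows must also be disabled in Mastodon` would keep a later maintainer from treating them as a control. These are also prefix locations, so `/auth/sign_up` matches anything beneath it; exact-match keys like `locations."= /auth/sign_up"` are tighter if only the page itself is meant.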
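Review bot: `users.users.nginx.extraGroups = [ "mastodon" ];` hard-codes the group name that the removed `configureNginx` used to take from the Mastodon option; `users.users.nginx.extraGroups = [ config.services.mastodon.group ];` keeps it in sync if the group is ever changed, and the comment could also state the cost of the membership (nginx gains read access to everything group-readable by the Mastodon service, not only the two sockets) so the group's permissions are not widened casually later. Separately, `proxyCachePath.cache = { enable = true; }` leaves `inactive` and `maxSize` at the module defaults; if those are the usual 10m/1g, cached objects are evicted long before the `proxy_cache_valid 200 48h` set in nginx-mastodon-files.nix, so an explicit `inactive = "48h";` would make the zone behave as that file expects. `config` must be in this file's argument set for the first change, which the hunk does not show.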
@@ -10,6 +10,7 @@
     ./nix.nix
     ./apps/nginx.nix
+    ./apps/nginx-mastodon.nix
     ./apps/nginx-mastodon-files.nix
     ./apps/nginx-website.nix
     ./apps/mastodon.nix