infra/modules/nginx-mastodon-files/default.nix

{ config, ... }:

let
  objStorHost = "link.tardigradeshare.io";
  objStorBucket = "s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon";
in
{
  services.nginx.virtualHosts = {
    "files.${config.pub-solar-os.networking.domain}" = {
      enableACME = true;
      forceSSL = true;

      locations = {
        "= /" = {
          index = "index.html";
        };

        "/" = {
          tryFiles = "$uri @s3";
        };

        "@s3" = {
          extraConfig = ''
            limit_except GET {
              deny all;
            }

            resolver 8.8.8.8;
            proxy_set_header Host ${objStorHost};
            proxy_set_header Connection \'\';
            proxy_set_header Authorization \'\';
            proxy_hide_header Set-Cookie;
            proxy_hide_header 'Access-Control-Allow-Origin';
            proxy_hide_header 'Access-Control-Allow-Methods';
            proxy_hide_header 'Access-Control-Allow-Headers';
            proxy_hide_header x-amz-id-2;
            proxy_hide_header x-amz-request-id;
            proxy_hide_header x-amz-meta-server-side-encryption;
            proxy_hide_header x-amz-server-side-encryption;
            proxy_hide_header x-amz-bucket-region;
            proxy_hide_header x-amzn-requestid;
            proxy_ignore_headers Set-Cookie;
            proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
            proxy_intercept_errors off;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_ssl_server_name on;

            proxy_cache cache;
            proxy_cache_valid 200 48h;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
            proxy_cache_lock on;

            expires 1y;
            add_header Cache-Control public;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header X-Cache-Status $upstream_cache_status;
            add_header X-Content-Type-Options nosniff;
            add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
          '';
        };
      };
    };
  };
}
refactor: use options for config parts This works towards having reusable modules * `config.pub-solar-os.networking.domain` is used for the main domain * `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy * `config.pub-solar-os.imprintUrl` links towards the imprint * `config.pub-solar-os.auth.enable` enables the keycloak installation. This is needed because `config.pub-solar-os.auth` has to be available everywhere, but we do not want to install keycloak everywhere. * `config.pub-solar-os.auth.realm` sets the keycloak realm name 2024-05-08 17:47:47 +00:00			`{ config, ... }:`
add nginx virtual host for files.pub.solar 2023-10-28 15:21:54 +00:00
			`let`
			`objStorHost = "link.tardigradeshare.io";`
			`objStorBucket = "s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon";`
			`in`
			`{`
			`services.nginx.virtualHosts = {`
refactor: use options for config parts This works towards having reusable modules * `config.pub-solar-os.networking.domain` is used for the main domain * `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy * `config.pub-solar-os.imprintUrl` links towards the imprint * `config.pub-solar-os.auth.enable` enables the keycloak installation. This is needed because `config.pub-solar-os.auth` has to be available everywhere, but we do not want to install keycloak everywhere. * `config.pub-solar-os.auth.realm` sets the keycloak realm name 2024-05-08 17:47:47 +00:00			`"files.${config.pub-solar-os.networking.domain}" = {`
add nginx virtual host for files.pub.solar 2023-10-28 15:21:54 +00:00			`enableACME = true;`
fix: files.pub.solar force TLS, remove default site 2023-10-28 15:56:55 +00:00			`forceSSL = true;`
add nginx virtual host for files.pub.solar 2023-10-28 15:21:54 +00:00
			`locations = {`
			`"= /" = {`
			`index = "index.html";`
			`};`

			`"/" = {`
			`tryFiles = "$uri @s3";`
			`};`

			`"@s3" = {`
			`extraConfig = ''`
			`limit_except GET {`
			`deny all;`
			`}`

			`resolver 8.8.8.8;`
fix: nginx files.pub.solar proxy_pass host header 2023-10-28 20:15:40 +00:00			`proxy_set_header Host ${objStorHost};`
add nginx virtual host for files.pub.solar 2023-10-28 15:21:54 +00:00			`proxy_set_header Connection \'\';`
			`proxy_set_header Authorization \'\';`
			`proxy_hide_header Set-Cookie;`
			`proxy_hide_header 'Access-Control-Allow-Origin';`
			`proxy_hide_header 'Access-Control-Allow-Methods';`
			`proxy_hide_header 'Access-Control-Allow-Headers';`
			`proxy_hide_header x-amz-id-2;`
			`proxy_hide_header x-amz-request-id;`
			`proxy_hide_header x-amz-meta-server-side-encryption;`
			`proxy_hide_header x-amz-server-side-encryption;`
			`proxy_hide_header x-amz-bucket-region;`
			`proxy_hide_header x-amzn-requestid;`
			`proxy_ignore_headers Set-Cookie;`
			`proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;`
			`proxy_intercept_errors off;`
fix: nginx tls connection to upstream 2023-10-28 20:52:57 +00:00			`proxy_ssl_protocols TLSv1.2 TLSv1.3;`
			`proxy_ssl_server_name on;`
add nginx virtual host for files.pub.solar 2023-10-28 15:21:54 +00:00
fix: missing nginx proxy cache zone 2023-10-28 19:12:33 +00:00			`proxy_cache cache;`
add nginx virtual host for files.pub.solar 2023-10-28 15:21:54 +00:00			`proxy_cache_valid 200 48h;`
			`proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;`
			`proxy_cache_lock on;`

			`expires 1y;`
			`add_header Cache-Control public;`
			`add_header 'Access-Control-Allow-Origin' '*';`
			`add_header X-Cache-Status $upstream_cache_status;`
			`add_header X-Content-Type-Options nosniff;`
			`add_header Content-Security-Policy "default-src 'none'; form-action 'none'";`
			`'';`
			`};`
			`};`
			`};`
			`};`
			`}`