From 94ae6c93029f47e684eb1837bf87cb3940fdf896 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Tue, 16 Jan 2024 18:18:07 +0100
Subject: [PATCH 1/2] fix(mastodon): use working unix sockets for streaming api

The streaming API is currently unusable because we still pass traffic to the old unix socket path. Since https://github.com/NixOS/nixpkgs/commit/c82195d9e82b28147e9a960f6d47ca9200228452#diff-157b1ef68573bbec951d6e551513a555e2d1ca7a161a68f1978b11d39a0bef1eR789-R803 there are multiple unix sockets involved.
---
 hosts/nachtigall/apps/nginx-mastodon.nix | 71 ++++++++++++++----------
 1 file changed, 42 insertions(+), 29 deletions(-)
diff --git a/hosts/nachtigall/apps/nginx-mastodon.nix b/hosts/nachtigall/apps/nginx-mastodon.nix
index 4712a59..668c296 100644
--- a/hosts/nachtigall/apps/nginx-mastodon.nix
+++ b/hosts/nachtigall/apps/nginx-mastodon.nix
@@ -3,40 +3,53 @@ let cfg = config.services.mastodon; in { - services.nginx.virtualHosts = { - "mastodon.pub.solar" = { - root = "${cfg.package}/public/"; - # mastodon only supports https, but you can override this if you offload tls elsewhere. - forceSSL = lib.mkDefault true; - enableACME = lib.mkDefault true; + services.nginx = { + virtualHosts = { + "mastodon.pub.solar" = { + root = "${cfg.package}/public/"; + # mastodon only supports https, but you can override this if you offload tls elsewhere. + forceSSL = lib.mkDefault true; + enableACME = lib.mkDefault true; - locations."/system/".alias = "/var/lib/mastodon/public-system/"; + locations."/auth/sign_up".extraConfig = '' + return 302 /auth/sign_in; + ''; - locations."/" = { - tryFiles = "$uri @proxy"; + locations."/auth/confirmation/new".extraConfig = '' + return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; + ''; + + locations."/auth/password/new".extraConfig = '' + return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; + ''; + + locations."/system/".alias = "/var/lib/mastodon/public-system/"; + + locations."/" = { + tryFiles = "$uri @proxy"; + }; + + locations."@proxy" = { + proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}"); + proxyWebsockets = true; + }; + + locations."/api/v1/streaming/" = { + proxyPass = "http://mastodon-streaming"; + proxyWebsockets = true; + }; }; + }; - locations."/auth/sign_up".extraConfig = '' - return 302 /auth/sign_in; + upstreams.mastodon-streaming = { + extraConfig = '' + least_conn; ''; - - locations."/auth/confirmation/new".extraConfig = '' - return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; - ''; - - locations."/auth/password/new".extraConfig = '' - return 302 
https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon; - ''; - - locations."@proxy" = { - proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}"); - proxyWebsockets = true; - }; - - locations."/api/v1/streaming/" = { - proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-streaming/streaming.socket" else "http://127.0.0.1:${toString(cfg.streamingPort)}/"); - proxyWebsockets = true; - }; + servers = builtins.listToAttrs + (map (i: { + name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket"; + value = { }; + }) (lib.range 1 cfg.streamingProcesses)); }; }; } From ffdf55993fb7afa798069926e0dba90c062ca95d Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 17 Jan 2024 15:16:06 +0100 Subject: [PATCH 2/2] fix(nginx): [warn] could not build optimal proxy_headers_hash nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 2048 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size --- hosts/nachtigall/apps/nginx.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/nachtigall/apps/nginx.nix b/hosts/nachtigall/apps/nginx.nix index 5dd659c..d1f5a3f 100644 --- a/hosts/nachtigall/apps/nginx.nix +++ b/hosts/nachtigall/apps/nginx.nix @@ -20,8 +20,8 @@ in { recommendedProxySettings = true; recommendedTlsSettings = true; appendHttpConfig = '' - # https://nginx.org/en/docs/hash.html - proxy_headers_hash_max_size 1024; + # https://my.f5.com/manage/s/article/K51798430 + proxy_headers_hash_bucket_size 128; ''; };
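Review bot: The new `locations."/api/v1/streaming/".proxyPass = "http://mastodon-streaming"` and the `servers` list of the `mastodon-streaming` upstream are unconditional, whereas the removed line still fell back to `http://127.0.0.1:${toString(cfg.streamingPort)}/` when `cfg.enableUnixSocket` was false, and the `@proxy` location a few lines above keeps that conditional, so the two locations now disagree about the option. If the socket-less mode is no longer meant to be supported, let it fail at evaluation instead of at runtime with a 502 from nginx, e.g. `assertions = [ { assertion = cfg.enableUnixSocket; message = "nginx-mastodon.nix: the mastodon-streaming upstream requires services.mastodon.enableUnixSocket"; } ];` next to `services.nginx`. The upstream definition would also benefit from a one-line comment saying why it exists, e.g. `# since nixpkgs c82195d the streaming API runs cfg.streamingProcesses processes, each on its own unix socket, so nginx has to balance across them`. The module's argument line and the `let` it opens (file lines 1–2, per the hunk header) are outside the hunk.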
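Review bot: The new comment `# https://my.f5.com/manage/s/article/K51798430` drops the nginx reference and explains neither directive, and the warning quoted in the commit message reports `proxy_headers_hash_max_size: 2048` while the removed line set it to 1024, which suggests some other http-level directive (not visible in this hunk) was already overriding this file's value; it is worth confirming where the effective 2048 comes from before relying on `proxy_headers_hash_bucket_size 128` alone. I would keep the nginx docs link and state the intent, e.g. `# https://nginx.org/en/docs/hash.html — the proxy_set_header entries no longer fit the default hash table (see K51798430)`. The enclosing `services.nginx = {` set and its `appendHttpConfig` opening are partly outside the hunk.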