From 81510629bd311513a96793319ed07005e7fc10fa Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Tue, 15 Oct 2024 23:19:02 +0200
Subject: [PATCH] mastodon: switch files.pub.solar from storj to garage s3 backend
---
 modules/mastodon/default.nix | 6 +++---
 modules/nginx-mastodon-files/default.nix | 12 ++++++++----
 modules/nginx/default.nix | 7 +++++++
 secrets/mastodon-extra-env-secrets.age | Bin 2655 -> 2663 bytes
 4 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/modules/mastodon/default.nix b/modules/mastodon/default.nix
index 47d93f4..a813310 100644
--- a/modules/mastodon/default.nix
+++ b/modules/mastodon/default.nix
@@ -78,9 +78,9 @@
 # S3 File storage (optional)
 # -----------------------
 S3_ENABLED = "true";
- S3_BUCKET = "pub-solar-mastodon";
- S3_REGION = "europe-west-1";
- S3_ENDPOINT = "https://gateway.tardigradeshare.io";
+ S3_BUCKET = "mastodon";
+ S3_REGION = "eu-central";
+ S3_ENDPOINT = "https://buckets.pub.solar";
 S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}";
 # Translation (optional)
 # -----------------------
diff --git a/modules/nginx-mastodon-files/default.nix b/modules/nginx-mastodon-files/default.nix
index b549746..a4ddca4 100644
--- a/modules/nginx-mastodon-files/default.nix
+++ b/modules/nginx-mastodon-files/default.nix
@@ -1,8 +1,7 @@
 { config, ... }:
 let
- objStorHost = "link.tardigradeshare.io";
- objStorBucket = "s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon";
+ objStorHost = "mastodon.web.pub.solar";
 in
 {
 services.nginx.virtualHosts = {
@@ -10,6 +9,12 @@ in
 enableACME = true;
 forceSSL = true;
+ # Use variable to force nginx to perform a DNS resolution on its value,
+ # the IP of the object storage provider may not always remain the same.
+ extraConfig = ''
+ set $s3_backend 'https://${objStorHost}';
+ '';
+
 locations = {
 "= /" = {
 index = "index.html";
@@ -25,7 +30,6 @@ in
 deny all;
 }
- resolver 8.8.8.8;
 proxy_set_header Host ${objStorHost};
 proxy_set_header Connection \'\';
 proxy_set_header Authorization \'\';
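Review bot: The switch to `S3_ENDPOINT = "https://buckets.pub.solar"` comes with a re-encrypted secrets/mastodon-extra-env-secrets.age, and nothing visible here records what the new access key is allowed to do. Presumably that file holds the Garage key pair; it is worth confirming the key has only read and write on the `mastodon` bucket (no owner rights, no other buckets) and that the old Storj credentials are revoked once the migration is verified. A comment above the block such as `# Garage (self-hosted) S3 API; the key in mastodon-extra-env-secrets.age is scoped to this bucket only` would document that. The attribute set continues outside the hunk.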
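Review bot: `objStorHost = "mastodon.web.pub.solar"` points the proxy at what looks like the bucket's own web endpoint, so the filtering this vhost applies (the `deny all` rule and the hidden `x-amz-*` headers visible in the later hunks) only holds for requests that arrive through files.<domain>. If that hostname is reachable from the internet, the same objects can be fetched directly without those rules. Either restrict the endpoint to the proxy host, or, if direct access is intended, say so next to the binding, e.g. `# Garage web endpoint of the mastodon bucket; publicly reachable, so the nginx rules below are not an access boundary`. The vhost definition continues outside the hunk.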
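Review bot: The `set $s3_backend` line in the `-10,6 +9,12` hunk only works while a resolver is configured elsewhere, because this commit also drops the location-level `resolver 8.8.8.8;` and relies on the global one added in modules/nginx/default.nix. Without any resolver the configuration still passes the syntax check and nginx answers these requests with a 502 at runtime. The comment should record that dependency, for example `# Needs services.nginx.resolver (modules/nginx/default.nix); the name is looked up at runtime.` Its wording about "the object storage provider" could also be updated now that the backend is self-hosted. The virtual host block continues outside the hunk.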
@@ -40,7 +44,7 @@ in
 proxy_hide_header x-amz-bucket-region;
 proxy_hide_header x-amzn-requestid;
 proxy_ignore_headers Set-Cookie;
- proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
+ proxy_pass $s3_backend$uri;
 proxy_intercept_errors off;
 proxy_ssl_protocols TLSv1.2 TLSv1.3;
 proxy_ssl_server_name on;
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index 0122164..46bec0f 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@@ -22,6 +22,13 @@ in
 recommendedOptimisation = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ resolver.addresses = [
+ # quad9.net
+ "9.9.9.9"
+ "149.112.112.112"
+ "[2620:fe::fe]"
+ "[2620:fe::9]"
+ ];
 appendHttpConfig = ''
 # https://my.f5.com/manage/s/article/K51798430
 proxy_headers_hash_bucket_size 128;
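Review bot: `proxy_pass $s3_backend$uri;` forwards nginx's normalized, percent-decoded path, and with a variable in proxy_pass that value is sent upstream as is. Encoded spaces or control characters in a client path therefore reach the upstream request line unescaped (the pattern configuration linters flag as HTTP splitting), and object keys that need encoding stop resolving. The removed line used `$request_uri`; `proxy_pass $s3_backend$request_uri;` keeps the client's original encoding, at the cost of forwarding the query string again. Separately, the visible lines set `proxy_ssl_protocols` and `proxy_ssl_server_name`, but the location continues outside the hunk, so I cannot tell whether `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` is present. nginx leaves upstream certificate verification off by default, which matters more now that the upstream address comes from a runtime DNS lookup.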
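Review bot: The new `resolver.addresses` sends every runtime lookup nginx performs, including the `$s3_backend` upstream in modules/nginx-mastodon-files, as plain DNS to a public third-party resolver. nginx's resolver does no DNSSEC validation, and the nginx documentation recommends DNS servers on a trusted local network to limit spoofing. Since the storage host is now under pub.solar itself, a local caching resolver on the machine (for example `resolver.addresses = [ "127.0.0.1" ];`, if one is running there, which is not visible here) would remove both the spoofing exposure and the leak of looked-up names to Quad9. If Quad9 stays, extend the `# quad9.net` comment to say why a public resolver is acceptable for upstream resolution. The attribute set continues outside the hunk.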
diff --git a/secrets/mastodon-extra-env-secrets.age b/secrets/mastodon-extra-env-secrets.age index dba14bbec575be03cacae8976c2d0474d403a962..c78b5b57a4084f3047084aa98baa223137fd33a5 100644 GIT binary patch literal 2663 zcmZXW>+9;+kAk@Aiz!a@=ZlHDzu*H8pXd30-7vTi z?7gZln)tB4`A~)976vZ7XH?hGg}_HJ3?@f0D05TIwnTx4l|6>2uqGnI7YRk zCP^0(&by>H#Y}az4}sO*TWcoTOm_M>=4fR>umZ`s?KnExE)=#wqa72_+D3l*|Fom+ zv2r)^a{lCqL7DS`EJo~#%b12eVO=Z<&!!+R#0?h)%!!c~k(wSBv1urw>*&)y&RPo3Im=QLoi5}Y6-H>wpHCX7whjintjqY5`QcBGOM zJvafmJ<>|5xi<5KKv>C+b`QylX}uNK0&zWdyrOiBp;y8ax-J;s999_T$-#UnSoWbY z6L2l`6;zj1TdE=2;k{##VpJ(g!A3x|!YTtBc2>M$X{4J*yU9U!C6)|}VP4^UwBB=a zwb0x-y|OsL3b2d!5;CC=wT$ni~&W!-kIs;3fWD@yUJT-@k28=8{>e7g?o)X17S41I+#^FP&gkyvES2-kzuq(3dQVM#q1AVRn^rKG>LW8#z6;aq8)3R}( z#C$l2E)@)ip-Mf_uC}yj{imNV-B6oTS9Lg=AHi`slml&sWp#+~4Nv%yNsz?qPy~T+ zI?Y3$nDV|B*TBZ3ww%ag>T?pZ010%B46*vhvHfhq$7cRWwrtvjYgTE+to>|uql4nM1Rr87jToh-vC zlpic*Gs8km*}9WrW3~(iy^Ka1b+1t)I-Sh1Sp&-TR`qsy?qvS7cP+0lHAwYE2ga5( zo=fvN-vL6)EQ0_#mSc?38Ds)DI@!^ZHF1h zfPz`9hd$6Lg>6%Mx!s{bj$<|C8B6!TTji+(5)opKOWk8r+}BIPn$NnN)v1|0<(qEd zaO5uIi=Ammle2H+!iABR%DqzXRVPEvuHrCF1$QKQ@b=QAAyK$z1;W(avQHfXc;s_W zUq1JnJ8ovqf9o5+yZpHG{&TlXZhhU&zx?K_Cjb2SVeu90>#u+A?&AwBas~S2;*Hmz zzw6rjEEKsUEhhi`i^tn zJs+Nr9{c%Me|Y!(?|bE?{BM)rKlm5%-W$NTe)j6~x848Ihrx^L#iyPap7{uN{#~D^ zul?SYOSk{&4=w%TQ|GR_5qj>1XP^H5<+oQqy?*tWcJ8LDuA8i0^V*O7`A0#0+k3Bp WZ+P~(E4RMczvZDHJjUE7UH2~|W0Z#g literal 2655 zcmZ9N`RgC92 zMW~RJqIeV{`9nk+rU^c1i9{HvLFx}mClqQFef{AP@-KMt`MfVT@Xz?!w(5&RlxNrE zRRA?GaOR6Abse7ZJp{+$@kzwVaT}a;B!@u+j$pCvh_EwVqQ_Dusfk=9)Z7^CWmH6- z0SQh&2QnAjce>Z>Eodp!L5g!Br!YH|sFVu{Q*=$Qs4B-Pgye&?qrK&n_5_vOVCS|9 zku_MNk;a(Zr(}+^R49xOy~H^S3!xY$X4x9ZWgKVqi7BO9*=$xcH6!g{As5|&MPwB; zOAQNloh+y%eU4Vu?#T|aM%+}>J5O!OZ1OdeqYln8W6%y^WvZt_gNoM9i^Z8tlp`$fpFmHDPck;fBoJpA%h_%)ctxMwl*gS{| zJa`4M6|77yqj_Jq+zMEG&;X)MCg9$%-mvrxVm&1M$KNG!4nZ<6G%wL zi&2xP?LIcbZm3W|Sc%#wDyfF!aC0|WGdn31^>oAP8|={M*}?9kDh$c4p}Jtbj;Lc@ zK*(UTFs^SQRR^lX0~?~$6vOC*c-<>~G3}#lpnH8kSbIX7?S**_sYFB2eumR?IE5Fb 
zJh)&vkd!3?n@P`bbPkfo?y##i6tb4wqie2%V6mio4b5PknmAR_={YTINu^y9+koca zGRrzr50(ILY}5_C=xQ1#Qps1$dL_rZXkv|0QWE18@4FJJOJ$gj7nC|ynQFc*y*->C z9g;RzE+D#Ymd{g^o3u{obg^9G7UU20l9U;BFKJ zUhb&C;FTE^#4~{!71kjM*Xay4XDhSN&0|N$Q>RK6BpYQQ_I_&K^Kl|@>WBuG%+Xug z*h2OaXPVX=F?QFrU`6eWHt{Kp$>fe4uSXcUNysT>@@TP8AU-R2w^thno&s_KCWn1W z>wOf1_;Ks#5F^g>sRl`94@;bX!4f&xwL!7tGi>A-;VvqeXtq$SU2C?kK}@&J$muYuR^0#zS#!^%`Rtaea zRl%Ks!4imQI zJ#-b5$%1IJ!LSFWo#c(UFDsaX^)G!8lbw|k@7Xa#rOY4Mo5#Lw}NZJn7(J$np zBrws%l~(Xw!UU&CY{2YxJTn4ct*V7YEkgnxhhQH9LODkwrjAF~pMW#_gk(PO;r z4t$+pyMwJOr)@P(_ytu})lr$m0Uk`CLec|DNNbA$~W@g~O@v4(KW z7geg6_%vf%5CybV>MZt!8;rSb5sUn(F>QHoDsxa3aZ*emLR_KUoMW~BXANZuMW?Jn znfqx;(vCyHR;?Mc#tzgR#d~XI^>DqSMF}a*$xNDufFaTgW>_EAgj%Of$W#dx6USQ7 zDu$g?2I(oLEmX=7i0|j~+=kkMx~PMb1y~))VFcq|sHc1+cQKKe^q%ogKQ8*-xI3*T zWmOMRzXC7^4sz2;=Nu0A9lzmD2eE?kUIzS^(OX8gwxiLp?OTvh zcx$H6E4QyPiJ2|!DfU4cW7NGypG?ey%i!B;>FulyZQGuRjle|RdGyv&W{t5{ku2dg z-!w*mk?$RO*UckRqt_0|$Wep_Ryg(WQbGB^#N{TB(8U3pyuaAzZUa#RNmnP!nS`$V zxZsdg=`IhYvC;iXEahD9(Ro=UTI{I0k}DgP2HdrEG;Mm)Xqu6$9HF*rHXp~Z?L=MS z1c!#q6=umMrN;wj&YU@!?{=;)gaS8ewS_z+V7ZC?ow}YPO?z|!F!>Ec(YfA_b4|GQ7W{Eh!ybqV*Or`|h2fBD&x0b8NYVh!v(Rq Y^rqFLFTMu+>()2ky72jD?)~=oe|wRVg#Z8m