diff --git a/hosts/hetzner-vm/containers/mail/mail.nix b/hosts/hetzner-vm/containers/mail/mail.nix
index dc953a3..a986f06 100644
--- a/hosts/hetzner-vm/containers/mail/mail.nix
+++ b/hosts/hetzner-vm/containers/mail/mail.nix
@@ -69,6 +69,7 @@ in { profiles.base inputs.home-manager-unstable.nixosModules.home-manager + profiles.nginx modules.nixos.secrets users.root
diff --git a/hosts/hetzner-vm/containers/piped/piped.nix b/hosts/hetzner-vm/containers/piped/piped.nix
index b2692f9..88b4ada 100644
--- a/hosts/hetzner-vm/containers/piped/piped.nix
+++ b/hosts/hetzner-vm/containers/piped/piped.nix
@@ -18,6 +18,11 @@ "piped_restic_env" "piped_restic_password" ]; + + containerName = "piped"; + pipedSocketForComponent = ( + component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock" + ); in { imports = with tree; [ # needed so can get nginx defaults for proxy
@@ -54,6 +59,7 @@ in { inputs.home-manager-unstable.nixosModules.home-manager profiles.sshd + #profiles.nginx modules.nixos.secrets
@@ -88,11 +94,16 @@ in { }; }; - services.nginx.virtualHosts."piped.owo.monster" = { + services.nginx.virtualHosts."piped.owo.monster" = let + backendDomain = "backend.piped.owo.monster"; + frontend-package = pkgs.piped-frontend.override { + inherit backendDomain; + }; + in { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://unix:/var/lib/nixos-containers/piped/var/sockets/piped-proxy.sock"; + proxyPass = "http://unix:${pipedSocketForComponent "frontend"}"; }; };
@@ -100,7 +111,7 @@ in { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://unix:/var/lib/nixos-containers/piped/var/sockets/piped-backend.sock"; + proxyPass = "http://unix:${pipedSocketForComponent "backend"}"; }; };
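Review bot: The new `#profiles.nginx` entry in piped.nix's module list (hunk -54,6) is commented-out code with no explanation, while mail.nix in the same commit imports `profiles.nginx` for real. If the import is deliberately left out for the piped container — presumably because its vhosts are served by the host's nginx, given the host-side socket paths in the later hunks — state that in a comment instead, e.g. `# profiles.nginx intentionally not imported: the piped vhosts are served by the host nginx`; otherwise delete the line. The import list continues outside the hunk.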
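Review bot: `backendDomain` and `frontend-package` are bound in the new `let` of the `piped.owo.monster` vhost (hunk -88,11) but nothing inside the `in { … }` set references them, so `pkgs.piped-frontend.override { inherit backendDomain; }` is dead code that Nix's laziness never even evaluates. Either wire the overridden package into the vhost or drop both bindings; if it is groundwork for a follow-up, a `# TODO: serve frontend-package from this vhost` comment keeps the intent visible. The same hunk also moves the `/` location from `piped-proxy.sock` to `piped-frontend.sock`; that reads like a fix for a mis-wired frontend, but nothing in this diff shows a `piped-frontend` socket being created, so confirm the container actually exposes it before merging.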
@@ -108,7 +119,7 @@ in { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://unix:/var/lib/nixos-containers/piped/var/sockets/piped-proxy.sock"; + proxyPass = "http://unix:${pipedSocketForComponent "proxy"}"; extraConfig = config.services.piped.proxyNginxExtraConfig; }; };
diff --git a/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix b/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix
index de90473..f8ede7b 100644
--- a/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix
+++ b/hosts/hetzner-vm/containers/social/profiles/gotosocial.nix
@@ -1,4 +1,8 @@ -{...}: { +{...}: let + container-addresses = import ../../../data/container-addresses.nix {}; + hostIP = container-addresses.host; + containerIP = container-addresses.containers.social; +in { services.gotosocial = { enable = true; setupPostgresqlDB = true;
@@ -7,9 +11,16 @@ host = "gts-01.owo.monster"; bind-address = "0.0.0.0"; - log-level = "info"; + log-level = "verbose"; log-client-ip = false; + trusted-proxies = [ + "127.0.0.1/32" + "::1" + hostIP + containerIP + ]; + port = 8080; letsencrypt-enabled = false;
diff --git a/hosts/hetzner-vm/containers/social/social.nix b/hosts/hetzner-vm/containers/social/social.nix
index 8ccb544..c3c4e7e 100644
--- a/hosts/hetzner-vm/containers/social/social.nix
+++ b/hosts/hetzner-vm/containers/social/social.nix
@@ -87,11 +87,10 @@ in { proxyPass = "http://${containerIP}:8080"; proxyWebsockets = true; extraConfig = '' - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; + # uncomment if running nginx without recommendedProxySettings + # proxy_set_header Host $host; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header X-Forwarded-Proto $scheme; ''; }; extraConfig = ''
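Review bot: The `trusted-proxies` list in gotosocial.nix (hunk -7,9) mixes CIDR and bare-address forms (`"127.0.0.1/32"` beside `"::1"`) and gives no reason for trusting `containerIP` as well as `hostIP`; since the host nginx proxies to `${containerIP}:8080`, the peer address gotosocial sees is presumably the host's, so a short comment such as `# hostIP: the host nginx reaches us from here; containerIP: <reason>` would save the next reader a guess, and `"::1/128"` would keep the notation uniform. This list is security-relevant — it decides whose `X-Forwarded-For` is believed when deriving the client IP — so every entry should be justified. Separately, the same hunk flips `log-level` from `"info"` to `"verbose"`; if that is a debugging leftover it should not ship, and it is worth checking that `verbose` is an accepted level for the gotosocial version in use, since the documented set I know of is trace/debug/info/warn/error/fatal.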
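Review bot: The gotosocial location in social.nix (hunk -87,11) now relies on `services.nginx.recommendedProxySettings` to send `Host`, `X-Forwarded-For` and `X-Forwarded-Proto`, but nothing in this diff enables it (the profiles/nginx.nix hunk only adds `mapHashMaxSize`), and what remains of `extraConfig` is a block of commented-out directives. If the option is set in the nginx profile, an assertion is safer than a comment, e.g. `assertions = [ { assertion = config.services.nginx.recommendedProxySettings; message = "gts vhost needs recommendedProxySettings for X-Forwarded-* headers"; } ];` (assuming `config` is an argument of this module), after which the empty `extraConfig` can go. Two consequences deserve a why-comment: dropping the explicit `Upgrade`/`Connection` lines is only safe because `proxyWebsockets = true` already emits the upgrade headers, and `X-Forwarded-For` moves from `$remote_addr` to `$proxy_add_x_forwarded_for`, which appends any client-supplied value instead of replacing it, so gotosocial's client-IP handling now rests entirely on its `trusted-proxies` list being correct. The enclosing vhost definition continues outside the hunk.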
diff --git a/profiles/nginx.nix b/profiles/nginx.nix
index b482e65..4c554cc 100644
--- a/profiles/nginx.nix
+++ b/profiles/nginx.nix
@@ -33,6 +33,7 @@ in { commonHttpConfig = ""; clientMaxBodySize = lib.mkDefault "512m"; serverNamesHashBucketSize = 1024; + mapHashMaxSize = 512; }; services.logrotate.settings.nginx = {