fixed piped frontend, nginx module for all and gotosocial trusted-proxies

hosts/hetzner-vm/containers/mail/mail.nix

@@ -69,6 +69,7 @@ in {
           profiles.base
           inputs.home-manager-unstable.nixosModules.home-manager
 
+          profiles.nginx
           modules.nixos.secrets
 
           users.root

hosts/hetzner-vm/containers/piped/piped.nix

@@ -18,6 +18,11 @@
     "piped_restic_env"
     "piped_restic_password"
   ];
+
+  containerName = "piped";
+  pipedSocketForComponent = (
+    component: "/var/lib/nixos-containers/${containerName}/var/sockets/piped-${component}.sock"
+  );
 in {
   imports = with tree; [
     # needed so can get nginx defaults for proxy
@@ -54,6 +59,7 @@ in {
           inputs.home-manager-unstable.nixosModules.home-manager
 
           profiles.sshd
+          #profiles.nginx
 
           modules.nixos.secrets
 
@@ -88,11 +94,16 @@ in {
     };
   };
 
-  services.nginx.virtualHosts."piped.owo.monster" = {
+  services.nginx.virtualHosts."piped.owo.monster" = let
+    backendDomain = "backend.piped.owo.monster";
+    frontend-package = pkgs.piped-frontend.override {
+      inherit backendDomain;
+    };
+  in {
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://unix:/var/lib/nixos-containers/piped/var/sockets/piped-proxy.sock";
+      proxyPass = "http://unix:${pipedSocketForComponent "frontend"}";
     };
   };
 
@@ -100,7 +111,7 @@ in {
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://unix:/var/lib/nixos-containers/piped/var/sockets/piped-backend.sock";
+      proxyPass = "http://unix:${pipedSocketForComponent "backend"}";
     };
   };
 
@@ -108,7 +119,7 @@ in {
     forceSSL = true;
     enableACME = true;
     locations."/" = {
-      proxyPass = "http://unix:/var/lib/nixos-containers/piped/var/sockets/piped-proxy.sock";
+      proxyPass = "http://unix:${pipedSocketForComponent "proxy"}";
       extraConfig = config.services.piped.proxyNginxExtraConfig;
     };
   };

hosts/hetzner-vm/containers/social/profiles/gotosocial.nix

@@ -1,4 +1,8 @@
-{...}: {
+{...}: let
+  container-addresses = import ../../../data/container-addresses.nix {};
+  hostIP = container-addresses.host;
+  containerIP = container-addresses.containers.social;
+in {
   services.gotosocial = {
     enable = true;
     setupPostgresqlDB = true;
@@ -7,9 +11,16 @@
       host = "gts-01.owo.monster";
       bind-address = "0.0.0.0";
 
-      log-level = "info";
+      log-level = "verbose";
       log-client-ip = false;
 
+      trusted-proxies = [
+        "127.0.0.1/32"
+        "::1"
+        hostIP
+        containerIP
+      ];
+
       port = 8080;
       letsencrypt-enabled = false;
 

hosts/hetzner-vm/containers/social/social.nix

@@ -87,11 +87,10 @@ in {
       proxyPass = "http://${containerIP}:8080";
       proxyWebsockets = true;
       extraConfig = ''
-        proxy_set_header Host $host;
+        # uncomment if running nginx without recommendedProxySettings
-        proxy_set_header Upgrade $http_upgrade;
+        # proxy_set_header Host $host;
-        proxy_set_header Connection "upgrade";
+        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-For $remote_addr;
+        # proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Proto $scheme;
       '';
     };
     extraConfig = ''

profiles/nginx.nix

@@ -33,6 +33,7 @@ in {
       commonHttpConfig = "";
       clientMaxBodySize = lib.mkDefault "512m";
       serverNamesHashBucketSize = 1024;
+      mapHashMaxSize = 512;
     };
 
     services.logrotate.settings.nginx = {