Merge pull request #605 from genebean/plausible-via-opencode

Enable HTTPS for genebean.me with Let's Encrypt HTTP-01 challenge

modules/hosts/nixos/hetznix02/post-install/nginx.nix

@@ -1,8 +1,6 @@
 
-{ config, pkgs, ... }: let
+{ pkgs, ... }: let
   domain = "genebean.me";
-  http_port = 80;
-  https_port = 443;
 in {
   environment.etc.nginx-littlelinks = {
     # Info generated via
@@ -10,16 +8,14 @@ in {
     source = pkgs.fetchFromGitHub {
       owner = "genebean";
       repo = "littlelink";
-      rev = "genebean-1.0.1";
+      rev = "genebean-1.0.2";
-      hash = "sha256-r7cvcKdlivQ2MA1UhypwdJrg7CREzTZE5fiNA9AWY/0=";
+      hash = "sha256-Fr1Qt/YaXNoDI4WHUuI2s852ENte8GjOmJrtEpq/SfY=";
     };
   };
 
   security.acme.certs."${domain}" = {
     email = "lets-encrypt@technicalissues.us";
     inheritDefaults = false;
-    listenHTTP = ":80";
-    # uncomment below for testing
     # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
   };
 
@@ -28,7 +24,7 @@ in {
     recommendedBrotliSettings = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
-    recommendedProxySettings = true;
+    #recommendedProxySettings = true;
     recommendedTlsSettings = true;
     appendHttpConfig = ''
       # Add HSTS header with preloading to HTTPS requests.
@@ -45,12 +41,9 @@ in {
         ];
         default = true;
         enableACME = true;
-        acmeRoot = null;
         forceSSL = true;
-        locations = {
-          "/" = {
         root = "/etc/nginx-littlelinks";
-          };
+        locations = {
           "/.well-known/lnurlp/genebean" = {
             return = ''
               200 '{"status":"OK","tag":"payRequest","commentAllowed":255,"callback":"https://getalby.com/lnurlp/genebean/callback","metadata":"[[\\"text/identifier\\",\\"genebean@getalby.com\\"],[\\"text/plain\\",\\"Sats for GeneBean\\"]]","minSendable":1000,"maxSendable":10000000000,"payerData":{"name":{"mandatory":false},"email":{"mandatory":false},"pubkey":{"mandatory":false}},"nostrPubkey":"79f00d3f5a19ec806189fcab03c1be4ff81d18ee4f653c88fac41fe03570f432","allowsNostr":true}'
@@ -73,14 +66,28 @@ in {
           };
           "/api/event" = {
             proxyPass = "https://stats.technicalissues.us/api/event";
-            proxyWebsockets = true;
+            extraConfig = ''
+              proxy_http_version 1.1;
+              proxy_set_header Host stats.technicalissues.us;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_buffering off;
+            '';
           };
           "/github" = {
             return = "301 https://github.com/genebean";
           };
-          "/js/script.outbound-links.js" = {
+          "/js/script.hash.outbound-links.js" = {
-            proxyPass = "https://stats.technicalissues.us/js/script.outbound-links.js";
+            proxyPass = "https://stats.technicalissues.us/js/script.hash.outbound-links.js";
-            proxyWebsockets = true;
+            extraConfig = ''
+              proxy_http_version 1.1;
+              proxy_set_header Host stats.technicalissues.us;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_buffering off;
+            '';
           };
           "/mastodon" = {
             return = "302 https://fosstodon.org/@genebean";
@@ -88,6 +95,13 @@ in {
           "/nostr" = {
             return = "302 https://primal.net/p/npub1mwsk3ly4lk7efdqqjm62dkc699kqapwyyvdley3xljjm0lxruh9qzvu46p";
           };
+          "/server_status" = {
+            extraConfig = ''
+              stub_status;
+              allow 127.0.0.1;
+              deny all;
+            '';
+          };
         };
       }; # end bare domain
     }; # end virtualHosts