From 5c819eca1e1bfa6bc0aac5abbd87e28e636998bb Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Fri, 7 Nov 2025 07:56:21 -0500
Subject: [PATCH] Enable HTTPS for genebean.me with Let's Encrypt HTTP-01 challenge

- Configure ACME with HTTP-01 challenge for Let's Encrypt cert
- Add manual proxy config for Plausible analytics (stats.technicalissues.us)
- Fix issue where recommendedProxySettings caused upstream redirect by explicitly setting Host header to stats.technicalissues.us instead of passing the genebean.me host
---
 .../nixos/hetznix02/post-install/nginx.nix | 46 ++++++++++++-------
 1 file changed, 30 insertions(+), 16 deletions(-)

diff --git a/modules/hosts/nixos/hetznix02/post-install/nginx.nix b/modules/hosts/nixos/hetznix02/post-install/nginx.nix
index 6f2ad9f..bd91204 100644
--- a/modules/hosts/nixos/hetznix02/post-install/nginx.nix
+++ b/modules/hosts/nixos/hetznix02/post-install/nginx.nix
@@ -1,8 +1,6 @@
-{ config, pkgs, ... }: let
+{ pkgs, ... }: let
   domain = "genebean.me";
 
-  http_port = 80;
-  https_port = 443;
 in {
   environment.etc.nginx-littlelinks = {
     # Info generated via
@@ -10,16 +8,14 @@ in {
     source = pkgs.fetchFromGitHub {
       owner = "genebean";
       repo = "littlelink";
-      rev = "genebean-1.0.1";
-      hash = "sha256-r7cvcKdlivQ2MA1UhypwdJrg7CREzTZE5fiNA9AWY/0=";
+      rev = "genebean-1.0.2";
+      hash = "sha256-Fr1Qt/YaXNoDI4WHUuI2s852ENte8GjOmJrtEpq/SfY=";
     };
   };
 
   security.acme.certs."${domain}" = {
     email = "lets-encrypt@technicalissues.us";
     inheritDefaults = false;
-    listenHTTP = ":80";
-
     # uncomment below for testing
     # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
   };
@@ -28,7 +24,7 @@ in {
     recommendedBrotliSettings = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
-    recommendedProxySettings = true;
+    #recommendedProxySettings = true;
     recommendedTlsSettings = true;
     appendHttpConfig = ''
       # Add HSTS header with preloading to HTTPS requests.
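Review bot: Dropping `listenHTTP = ":80";` here, together with `acmeRoot = null;` in the hunk at old line 45, moves the HTTP-01 challenge from lego's own port-80 listener to nginx's acme webroot (the nginx module's behaviour once `enableACME` is set and `acmeRoot` is left at its default), which is what lets the cert and the `forceSSL` vhost share port 80; the commit message only says "configure ACME with HTTP-01", and both modes are HTTP-01. A one-line comment in the cert block would keep the next reader from re-adding the listener, e.g. `# HTTP-01 is answered by nginx from its acme webroot (virtualHosts."${domain}".enableACME); do not set listenHTTP here, it would contend with nginx for port 80.` With `inheritDefaults = false` nothing from security.acme.defaults applies to this cert, so the webroot really does have to come from the nginx module — worth confirming on the first rebuild.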
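Review bot: `#recommendedProxySettings = true;` leaves a commented-out option in the file with its reason only in the commit message; either delete the line or replace it with a comment that carries the rationale, e.g. `# Off on purpose: the recommended block forwards the client's Host, which makes the Plausible upstream redirect; proxy headers are set per location instead.` Note the option is global to this nginx instance, so any other proxied location on this host (none is visible in the diff) also loses what the recommended block provides — among them, as far as I recall the nixpkgs module, the proxy timeouts and the `X-Forwarded-Host`/`X-Forwarded-Server` headers, which the per-location blocks in the later hunk do not set.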
@@ -45,12 +41,9 @@ in {
         ];
         default = true;
         enableACME = true;
-        acmeRoot = null;
         forceSSL = true;
+        root = "/etc/nginx-littlelinks";
         locations = {
-          "/" = {
-            root = "/etc/nginx-littlelinks";
-          };
           "/.well-known/lnurlp/genebean" = {
             return = ''
               200 '{"status":"OK","tag":"payRequest","commentAllowed":255,"callback":"https://getalby.com/lnurlp/genebean/callback","metadata":"[[\\"text/identifier\\",\\"genebean@getalby.com\\"],[\\"text/plain\\",\\"Sats for GeneBean\\"]]","minSendable":1000,"maxSendable":10000000000,"payerData":{"name":{"mandatory":false},"email":{"mandatory":false},"pubkey":{"mandatory":false}},"nostrPubkey":"79f00d3f5a19ec806189fcab03c1be4ff81d18ee4f653c88fac41fe03570f432","allowsNostr":true}'
@@ -73,14 +66,28 @@ in {
           };
           "/api/event" = {
             proxyPass = "https://stats.technicalissues.us/api/event";
-            proxyWebsockets = true;
+            extraConfig = ''
+              proxy_http_version 1.1;
+              proxy_set_header Host stats.technicalissues.us;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_buffering off;
+            '';
           };
           "/github" = {
             return = "301 https://github.com/genebean";
           };
-          "/js/script.outbound-links.js" = {
-            proxyPass = "https://stats.technicalissues.us/js/script.outbound-links.js";
-            proxyWebsockets = true;
+          "/js/script.hash.outbound-links.js" = {
+            proxyPass = "https://stats.technicalissues.us/js/script.hash.outbound-links.js";
+            extraConfig = ''
+              proxy_http_version 1.1;
+              proxy_set_header Host stats.technicalissues.us;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_buffering off;
+            '';
           };
           "/mastodon" = {
             return = "302 https://fosstodon.org/@genebean";
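Review bot: Both new `extraConfig` blocks proxy to an `https://` upstream but leave nginx's upstream-TLS defaults in place, so no SNI is sent (`proxy_ssl_server_name` is off by default) and the upstream certificate is never checked (`proxy_ssl_verify` is off by default) — the `Host` override fixes the application-level redirect, but the connection to stats.technicalissues.us is still unauthenticated on the transport. Add `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` to both blocks, assuming the upstream serves a publicly trusted chain (verify that before enabling, or events will start failing closed). The six directives are also copy-pasted between `/api/event` and `/js/script.hash.outbound-links.js`; hoisting them into a `let` binding at the top of the file (outside this hunk) keeps the two in sync and gives the Host override, whose rationale today lives only in the commit message, a comment beside it.
```nix
{ pkgs, ... }: let
  domain = "genebean.me";
  # Shared proxy settings for the Plausible upstream (used by both proxied locations below).
  plausibleProxyConfig = ''
    proxy_http_version 1.1;
    # Plausible redirects when it sees this site's own Host, so name the upstream explicitly.
    proxy_set_header Host stats.technicalissues.us;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_buffering off;
    # Send SNI and verify the upstream certificate; both are off by default in nginx.
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
  '';
in {
  # … unchanged: environment.etc, security.acme, services.nginx settings, other locations …
          "/api/event" = {
            proxyPass = "https://stats.technicalissues.us/api/event";
            extraConfig = plausibleProxyConfig;
          };
  # … unchanged: "/github" …
          "/js/script.hash.outbound-links.js" = {
            proxyPass = "https://stats.technicalissues.us/js/script.hash.outbound-links.js";
            extraConfig = plausibleProxyConfig;
          };
```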
@@ -88,6 +95,13 @@ in {
           "/nostr" = {
             return = "302 https://primal.net/p/npub1mwsk3ly4lk7efdqqjm62dkc699kqapwyyvdley3xljjm0lxruh9qzvu46p";
           };
+          "/server_status" = {
+            extraConfig = ''
+              stub_status;
+              allow 127.0.0.1;
+              deny all;
+            '';
+          };
         };
       }; # end bare domain
     }; # end virtualHosts
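Review bot: `allow 127.0.0.1;` admits only the IPv4 loopback, so a local scraper that reaches nginx via `::1` (if the server listens on IPv6, which this hunk does not show) is rejected by `deny all;`; add `allow ::1;` before the deny. This location also lives inside the `forceSSL = true` vhost, so a plain `http://127.0.0.1/server_status` request gets the HTTPS redirect rather than the counters — the scraper has to speak TLS with the `genebean.me` name, or the location belongs on a separate localhost-only HTTP vhost. A comment such as `# stub_status for local monitoring only; keep the allow list loopback-only` would record the intent. The allow list trusts `$remote_addr` as-is, which is fine as long as no `real_ip` configuration is ever placed in front of it.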