diff --git a/hosts/best/forgejo.nix b/hosts/best/forgejo.nix
index 523d541..10398ad 100644
--- a/hosts/best/forgejo.nix
+++ b/hosts/best/forgejo.nix
@@ -111,6 +111,10 @@ in { }; services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate { + extraConfig = '' + ${config.services.plausible.extraNginxConfigFor fqdn} + ''; + locations."/".proxyPass = "http://[::1]:${toString port}"; }; }
diff --git a/hosts/best/grafana/default.nix b/hosts/best/grafana/default.nix
index eded4c8..a1d2d61 100644
--- a/hosts/best/grafana/default.nix
+++ b/hosts/best/grafana/default.nix
@@ -77,6 +77,8 @@ in { # Grafana sets `nosniff` while not setting the content type properly, # so everything breaks with it. Unset the header. proxy_hide_header X-Content-Type-Options; + + ${config.services.plausible.extraNginxConfigFor fqdn} ''; proxyPass = "http://[::1]:${toString port}";
diff --git a/hosts/best/nextcloud/default.nix b/hosts/best/nextcloud/default.nix
index aa22546..f33f17c 100644
--- a/hosts/best/nextcloud/default.nix
+++ b/hosts/best/nextcloud/default.nix
@@ -111,6 +111,8 @@ in { }; services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate { - extraConfig = config.services.nginx.headers; + extraConfig = '' + ${config.services.nginx.headers} + ''; }; }
diff --git a/hosts/best/plausible/default.nix b/hosts/best/plausible/default.nix
index 8e8674f..2ff64bc 100644
--- a/hosts/best/plausible/default.nix
+++ b/hosts/best/plausible/default.nix
@@ -1,6 +1,6 @@ { config, self, lib, ... }: let inherit (config.networking) domain; - inherit (lib) enabled merge; + inherit (lib) enabled merge mkConst; fqdn = "shekels.${domain}"; port = 8007; 
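Review bot: In hosts/best/forgejo.nix the new vhost-level `extraConfig` rewrites Forgejo's HTML at the proxy, so whatever `extraNginxConfigFor` injects runs inside the Forgejo origin next to its session cookies and tokens; the Grafana hunk that follows does the same for Grafana. The injected markup is not readable in this diff (the `sub_filter` arguments in hosts/best/plausible/default.nix render empty), so I am assuming it is a script tag pointing at the Plausible host. If that is right, a compromise of that host becomes script execution in both authenticated apps, and nothing in the visible lines restricts it with a Content-Security-Policy. I would add a comment at each call site, for example `# Injects the Plausible snippet into every HTML response; it runs with this origin's privileges.`, and reconsider whether the authenticated apps need analytics at all.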
@@ -10,14 +10,14 @@ in { (self + /modules/postgresql.nix) ]; - secrets.plausibleKey = { + config.secrets.plausibleKey = { file = ./key.age; owner = "plausible"; }; - services.postgresql.ensure = [ "plausible" ]; + config.services.postgresql.ensure = [ "plausible" ]; - services.plausible = enabled { + config.services.plausible = enabled { server = { disableRegistration = true; # Setting it explicitly just in case.
@@ -30,7 +30,16 @@ in { }; }; - services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate { + options.services.plausible.extraNginxConfigFor = mkConst /* nginx */ (domain: '' + proxy_set_header Accept-Encoding ""; # Substitution won't work if it is compressed. + sub_filter "" ''; + sub_filter_last_modified on; + sub_filter_once on; + ''); + + config.services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate { + extraConfig = config.services.plausible.extraNginxConfigFor fqdn; + locations."/" = { proxyPass = "http://[::1]:${toString port}"; proxyWebsockets = true;
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 27fc846..0bf98ca 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -52,6 +52,7 @@ in { https "max-age=31536000; includeSubdomains; preload"; } + # FIXME: These two aren't working. map $http_origin $allow_origin { ~^https://.+\.${domain}$ $http_origin; }
diff --git a/modules/site.nix b/modules/site.nix
index 590537c..56d8434 100644
--- a/modules/site.nix
+++ b/modules/site.nix
@@ -2,6 +2,7 @@ inherit (config.networking) domain; inherit (lib) enabled merge; + fqdn = domain; root = "/var/www/site"; in { imports = [(self + /modules/nginx.nix)];
@@ -16,7 +17,7 @@ in { } ''; - virtualHosts.${domain} = merge config.services.nginx.sslTemplate { + virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate { inherit root; locations."/".tryFiles = "$uri $uri.html $uri/index.html =404"; 
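Review bot: In hosts/best/plausible/default.nix (hunk at -30,7) the snippet is attached as vhost-level `extraConfig`, while `locations."/"` sets `proxyWebsockets = true`. nginx inherits `proxy_set_header` from the outer level only when the inner level defines none, and the NixOS nginx module emits `proxy_set_header Upgrade`/`Connection` inside the location for `proxyWebsockets` (worth confirming against the generated config), so the `Accept-Encoding ""` override would likely not reach the upstream and `sub_filter` would silently skip compressed responses. Moving it into the location avoids that: `locations."/".extraConfig = config.services.plausible.extraNginxConfigFor fqdn;`. The same applies to the vhost-level use in hosts/best/forgejo.nix if that location gets its own `proxy_set_header` lines from settings outside this diff. The `locations."/"` block continues past the end of the hunk.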
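Review bot: The new `# FIXME: These two aren't working.` in modules/nginx.nix does not say what fails or which two directives are meant; only the `$allow_origin` map is visible in the hunk. If this map feeds `Access-Control-Allow-Origin` (not shown here), the direction of the failure matters: a map that never matches fails closed, one that matches too much fails open. The visible pattern also interpolates `${domain}` into the regex with its dots unescaped, so it is slightly wider than a literal suffix match. I would expand the comment to state the symptom, along the lines of `# FIXME: <observed behaviour, e.g. header never emitted>; tracked in <issue placeholder>`.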
@@ -29,6 +30,8 @@ in { extraConfig = /* nginx */ '' error_page 404 /404.html; + + ${config.services.plausible.extraNginxConfigFor fqdn} ''; locations."/404".extraConfig = /* nginx */ ''
@@ -36,12 +39,12 @@ in { ''; }; - virtualHosts."www.${domain}" = merge config.services.nginx.sslTemplate { - locations."/".return = "301 https://${domain}$request_uri"; + virtualHosts."www.${fqdn}" = merge config.services.nginx.sslTemplate { + locations."/".return = "301 https://${fqdn}$request_uri"; }; virtualHosts._ = merge config.services.nginx.sslTemplate { - locations."/".return = "301 https://${domain}/404"; + locations."/".return = "301 https://${fqdn}/404"; }; }; }
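Review bot: modules/site.nix (hunk at -29,6) now reads `config.services.plausible.extraNginxConfigFor`, but that option is declared in hosts/best/plausible/default.nix, and the only import visible in this file's hunks is modules/nginx.nix. Any host that imports the shared site module without the `best` Plausible module would fail evaluation on the missing attribute. Declaring the option in a module under modules/ that site.nix imports would keep the shared module self-contained and make the injection an explicit, reviewable dependency. The vhost block that holds this `extraConfig` starts outside the hunk.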