feat: add blog and fix double redirect real ip

2024-09-22 01:57:37 +02:00 · 2024-09-22 01:57:37 +02:00 · 4cbbd2f871
commit 4cbbd2f871
parent c30ec709a7
2 changed files with 30 additions and 21 deletions
--- a/hosts/sentinel/blog.nix
+++ b/hosts/sentinel/blog.nix
@ -1,33 +1,38 @@
-{
-  globals,
-  pkgs,
-  ...
-}: {
+{globals, ...}: {
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/blog";
+      mode = "0750";
+      user = "nginx";
+      group = "nginx";
+    }
+  ];
+
  services.nginx.virtualHosts.${globals.domains.me} = {
    forceSSL = true;
    useACMEWildcardHost = true;
-    locations."/".root = pkgs.runCommand "index.html" {} ''
-      mkdir -p $out
-      cat > $out/index.html <<EOF
-      <html>
-        <head>
-        	<script defer data-api="/api/event" data-domain="oddlama.org" src="/js/script.js"></script>
-        </head>
-        <body>Not empty soon TM. Until then please go here: <a href="https://github.com/oddlama">oddlama</a></body>
-      </html>
-      EOF
-    '';
+    locations."/".root = "/var/lib/blog";
    # Don't use the proxyPass option because we don't want the recommended proxy headers
    locations."= /js/script.js".extraConfig = ''
      proxy_pass https://${globals.services.plausible.domain}/js/script.js;
-      proxy_set_header Host ${globals.services.plausible.domain};
      proxy_ssl_server_name on;
+      proxy_set_header Host ${globals.services.plausible.domain};
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Server $host;
    '';
    locations."= /api/event".extraConfig = ''
      proxy_pass https://${globals.services.plausible.domain}/api/event;
      proxy_http_version 1.1;
-      proxy_set_header Host ${globals.services.plausible.domain};
      proxy_ssl_server_name on;
+      proxy_set_header Host ${globals.services.plausible.domain};
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Server $host;
    '';
  };
 }
--- a/nix/rage-decrypt-and-cache.sh
+++ b/nix/rage-decrypt-and-cache.sh
@ -31,10 +31,14 @@ mkdir -p "$(dirname "$out")"
 if [[ ! -e "$out" ]]; then
 	args=()
 	for i in "${identities[@]}"; do
-		args+=("-i" "$i")
+		args+=("--identity" "$i")
 	done
-	rage -d "${args[@]}" -o "$out" "$file"
+	rage --decrypt "${args[@]}" --output "$out" "$file"
 fi

 # Print out path or decrypted content
-[[ "$print_out_path" == true ]] && echo "$out" || cat "$out"
+if [[ "$print_out_path" == true ]]; then
+	echo "$out"
+else
+	cat "$out"
+fi