From 4cbbd2f87164254c0ec26a1fa678d392a69325d8 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 22 Sep 2024 01:57:37 +0200
Subject: [PATCH] feat: add blog and fix double redirect real ip
---
hosts/sentinel/blog.nix | 41 ++++++++++++++++++++---------------
nix/rage-decrypt-and-cache.sh | 10 ++++++---
2 files changed, 30 insertions(+), 21 deletions(-)
diff --git a/hosts/sentinel/blog.nix b/hosts/sentinel/blog.nix
index be0badf..935199f 100644
--- a/hosts/sentinel/blog.nix
+++ b/hosts/sentinel/blog.nix
@@ -1,33 +1,38 @@ -{ - globals, - pkgs, - ... -}: { +{globals, ...}: { + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/blog"; + mode = "0750"; + user = "nginx"; + group = "nginx"; + } + ]; + services.nginx.virtualHosts.${globals.domains.me} = { forceSSL = true; useACMEWildcardHost = true; - locations."/".root = pkgs.runCommand "index.html" {} '' - mkdir -p $out - cat > $out/index.html < - - - - Not empty soon TM. Until then please go here: oddlama - - EOF - ''; + locations."/".root = "/var/lib/blog"; # Don't use the proxyPass option because we don't want the recommended proxy headers locations."= /js/script.js".extraConfig = '' proxy_pass https://${globals.services.plausible.domain}/js/script.js; - proxy_set_header Host ${globals.services.plausible.domain}; proxy_ssl_server_name on; + proxy_set_header Host ${globals.services.plausible.domain}; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; ''; locations."= /api/event".extraConfig = '' proxy_pass https://${globals.services.plausible.domain}/api/event; proxy_http_version 1.1; - proxy_set_header Host ${globals.services.plausible.domain}; proxy_ssl_server_name on; + proxy_set_header Host ${globals.services.plausible.domain}; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; ''; }; } diff --git a/nix/rage-decrypt-and-cache.sh b/nix/rage-decrypt-and-cache.sh index b812ab7..0634093 100755 --- a/nix/rage-decrypt-and-cache.sh +++ b/nix/rage-decrypt-and-cache.sh 
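Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in both `= /js/script.js` and `= /api/event` appends to whatever X-Forwarded-For value the client sent, so an upstream that reads the first entry would attribute the request to a client-chosen address. If this vhost is the first hop that sees the client (not shown in the hunk), overwrite instead with `proxy_set_header X-Forwarded-For $remote_addr;`, and confirm that the proxy in front of Plausible honours these headers only when they come from this host. Separately, `/var/lib/blog` is now a mutable docroot owned by `nginx` itself; the worker only needs read access, so a separate deploy user as owner with `nginx` as group would stop a compromised worker from rewriting served content. The comment above the first location still says the recommended proxy headers are not wanted, although every one except `Host` is now set by hand; something like `# Not using proxyPass: Host must be the plausible domain, the remaining headers are set manually` would match the code.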
@@ -31,10 +31,14 @@ mkdir -p "$(dirname "$out")" if [[ ! -e "$out" ]]; then args=() for i in "${identities[@]}"; do - args+=("-i" "$i") + args+=("--identity" "$i") done - rage -d "${args[@]}" -o "$out" "$file" + rage --decrypt "${args[@]}" --output "$out" "$file" fi # Print out path or decrypted content -[[ "$print_out_path" == true ]] && echo "$out" || cat "$out" +if [[ "$print_out_path" == true ]]; then + echo "$out" +else + cat "$out" +fi
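Review bot: The decrypted plaintext is cached at `$out` with whatever permissions the caller's umask yields; nothing in this hunk restricts the file or the directory created by `mkdir -p "$(dirname "$out")"`. The script begins above line 31, outside the hunk, so this may already be handled there; if not, a `umask 077` before the `mkdir -p` keeps cached secrets readable only by the invoking user. The `[[ ! -e "$out" ]]` guard also treats any existing file as a complete cache entry, so if a decryption is interrupted after `$out` has been created (not verified for rage here), later runs would print the truncated file. Writing to a temporary name and renaming on success avoids that, e.g. `rage --decrypt "${args[@]}" --output "$out.tmp" "$file" && mv "$out.tmp" "$out"`.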