feat: add blog and fix double redirect real ip

hosts/sentinel/blog.nix

@@ -1,33 +1,38 @@
-{
+{globals, ...}: {
-  globals,
+  environment.persistence."/persist".directories = [
-  pkgs,
+    {
-  ...
+      directory = "/var/lib/blog";
-}: {
+      mode = "0750";
+      user = "nginx";
+      group = "nginx";
+    }
+  ];
+
   services.nginx.virtualHosts.${globals.domains.me} = {
     forceSSL = true;
     useACMEWildcardHost = true;
-    locations."/".root = pkgs.runCommand "index.html" {} ''
+    locations."/".root = "/var/lib/blog";
-      mkdir -p $out
-      cat > $out/index.html <<EOF
-      <html>
-        <head>
-        	<script defer data-api="/api/event" data-domain="oddlama.org" src="/js/script.js"></script>
-        </head>
-        <body>Not empty soon TM. Until then please go here: <a href="https://github.com/oddlama">oddlama</a></body>
-      </html>
-      EOF
-    '';
     # Don't use the proxyPass option because we don't want the recommended proxy headers
     locations."= /js/script.js".extraConfig = ''
       proxy_pass https://${globals.services.plausible.domain}/js/script.js;
-      proxy_set_header Host ${globals.services.plausible.domain};
       proxy_ssl_server_name on;
+      proxy_set_header Host ${globals.services.plausible.domain};
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Server $host;
     '';
     locations."= /api/event".extraConfig = ''
       proxy_pass https://${globals.services.plausible.domain}/api/event;
       proxy_http_version 1.1;
-      proxy_set_header Host ${globals.services.plausible.domain};
       proxy_ssl_server_name on;
+      proxy_set_header Host ${globals.services.plausible.domain};
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Server $host;
     '';
   };
 }

nix/rage-decrypt-and-cache.sh

@@ -31,10 +31,14 @@ mkdir -p "$(dirname "$out")"
 if [[ ! -e "$out" ]]; then
 	args=()
 	for i in "${identities[@]}"; do
-		args+=("-i" "$i")
+		args+=("--identity" "$i")
 	done
-	rage -d "${args[@]}" -o "$out" "$file"
+	rage --decrypt "${args[@]}" --output "$out" "$file"
 fi
 
 # Print out path or decrypted content
-[[ "$print_out_path" == true ]] && echo "$out" || cat "$out"
+if [[ "$print_out_path" == true ]]; then
+	echo "$out"
+else
+	cat "$out"
+fi