commit 759678c023354b10b13a6be7a4dabcfeacc52c21
parent 8e53ed852ac74dff290593d07bfe84e82fbaf0f7
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 15 May 2023 18:03:48 +0200
machines/briefkasten/gotosocial: add caching for webfinger and main-key endpoints, serve media files directly with nginx
1 file changed, 57 insertions(+), 9 deletions(-)
M
|
66
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++---------
diff --git a/machines/briefkasten/gotosocial.nix b/machines/briefkasten/gotosocial.nix 
@@ -61,14 +61,70 @@ in { }; }; + services.nginx.appendHttpConfig = '' + proxy_cache_path /var/cache/nginx keys_zone=gotosocial_ap_public_responses:10m inactive=1w; + ''; + services.nginx.virtualHosts."fedi.home.ctu.cx" = { enableACME = lib.mkIf config.networking.usePBBUplink true; forceSSL = lib.mkIf config.networking.usePBBUplink true; kTLS = lib.mkIf config.networking.usePBBUplink true; locations = { - "/.well-known/host-meta".extraConfig = ''return 200 '<?xml version="1.0" encoding="UTF-8"?><XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="lrdd" template="https://fedi.home.ctu.cx/.well-known/webfinger?resource={uri}" type="application/xrd+xml" /></XRD>';''; "= /".return = "307 /@leah"; + "@backend".extraConfig = '' + proxy_pass http://127.0.0.1:8085; + + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + + "~ /.well-known/(webfinger|host-meta)$".extraConfig = '' + proxy_pass http://127.0.0.1:8085; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_cache gotosocial_ap_public_responses; + proxy_cache_background_update on; + proxy_cache_key $scheme://$host$uri$is_args$query_string; + proxy_cache_valid 200 10m; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_429; + proxy_cache_lock on; + + add_header X-Cache-Status $upstream_cache_status; + ''; + + "~ ^\/users\/(?:[a-z0-9_\.]+)\/main-key$".extraConfig = '' + proxy_pass http://127.0.0.1:8085; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_cache gotosocial_ap_public_responses; + proxy_cache_background_update on; + proxy_cache_key $scheme://$host$uri; + proxy_cache_valid 200 604800s; + proxy_cache_use_stale error timeout 
updating http_500 http_502 http_503 http_504 http_429; + proxy_cache_lock on; + + add_header X-Cache-Status $upstream_cache_status; + ''; + + "/fileserver/".extraConfig = '' + alias ${config.services.gotosocial.settings.storage-local-base-path}/; + add_header Cache-Control "public, immutable"; + expires max; + + autoindex off; + try_files $uri @fileserver; + ''; + "/assets/".extraConfig = '' alias ${config.services.gotosocial.package}/share/web/assets/; autoindex off; @@ -76,20 +132,12 @@ in { add_header Cache-Control "public, immutable"; ''; - # "/fileserver/".extraConfig = '' - # alias ${config.services.gotosocial.settings.storage-local-base-path}/; - # autoindex off; - # expires max; - # add_header Cache-Control "public, immutable"; - # ''; - "/".extraConfig = '' proxy_pass http://127.0.0.1:8085/; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - '' + lib.optionalString config.networking.usePBBUplink '' proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; '';
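Review bot: `try_files $uri @fileserver;` in the new `"/fileserver/"` location falls back to a named location that this hunk never defines; the only named location it adds is `"@backend"`. Unless `@fileserver` is declared elsewhere in the file, a media request for a file missing under the storage path would presumably end in an nginx internal error rather than reach GoToSocial on 127.0.0.1:8085. Point the fallback at the location that exists: `try_files $uri @backend;`. Separately, the `main-key` location caches 200 responses for `604800s` and permits stale serving, so a rotated or revoked actor key could still be served to remote instances for up to a week. A comment recording that trade-off, or a shorter `proxy_cache_valid`, would help.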