From c01d25d3feecef9d2730a3baa75eed3f54e5900e Mon Sep 17 00:00:00 2001
From: Daniel Kempkens <daniel+git@kempkens.io>
Date: Sun, 5 Mar 2023 23:51:30 +0100
Subject: [PATCH] sail: Update libreddit nginx config

---
 secret/hosts/sail.nix      | Bin 1479 -> 1558 bytes
 system/hosts/sail.nix      |   3 ++-
 system/nixos/libreddit.nix |  15 ++++-----------
 system/nixos/nginx.nix     |   9 +++++++++
 4 files changed, 15 insertions(+), 12 deletions(-)
 create mode 100644 system/nixos/nginx.nix

diff --git a/secret/hosts/sail.nix b/secret/hosts/sail.nix
index 6992031aa1fb4d7c749d1b21eb91645e070ab120..37dda04a01d9d37d610f23390fd45c1b6071a81e 100644
GIT binary patch
literal 1558
zcmV+x2I=_#M@dveQdv+`0AKlWDA+CaSA+>lS@$Jbz`W)HlxhneHaYZ(>`1+ZkCl)j
z=WoHyKaWk1nC1?rxMyM?M$cL*l$4m#@O?fuSwf-Eq<-c(rvblQm9TO)hv;g3e-Tn<
z2ZJYgOyZeuis~+zGO{g%i8OH+Cg&>FZmf}NKK#UcAaPD?4}Kzn-Q=>vKESxJETlYU
zDkM94l&7v1T=;F@OG$5wfG&`nmkIY3R%x&(-}=GdW$9dfARZ1in8dipfF3U7d<^vI
za?B!{pG}W+vYSiOX7v6bAcG3T*&+rilBVh>^IvdZp=Q0&Rz+EYeh(UaqJo+h!W5t0
zUTm^<_ZJ^QpQCbl1jLf-)JiqTdw$|&iAg{2MU&|oB2%s|=+G2JoXW`Jwl0x36klS!
zS|X(A9r}zNWS$+4N}R*8&WqvgPYoN*Iv8Z$3Cx^O7h>aY8$L!QMjCw5CNFm=w<x$6
z?0OF^`zjN<A=lwCLS30mOi_e4^m80g=GzyA@N5BnMa=e90jJfFj}*(2eQqP-QL0_c
zJ)zCHNF6Q>C{y}&xou)qu;34l5qiH=)=n}aO?P#?j}itnb2dB!UDM2LvYxn_lN@K?
zQuOfkO-RnFlwkm(e0k4{eWw%1BH-$2qE9$y>F$VyIKVTst?^mg`o`F2)%1Qy-h{2F
zAj1SFWu+~$f>Lfpazdh;iG>#uYh{Dn-kl>ruP|~l%IQLR7+Dzx7PL0~Gbv}de|nwn
zl$h5m1R^jXfFA6}?tQ0S<bY?7$~N2hmkq@KsY~e)9bi}-xu|E_7TxsobZ7k-{bRla
za6p(Bj06qs9rOJSyo0iOJ~HwXair8)V>1NOb4y!^-DB(0ERg@38n-TpdVZV<vloMR
z@FJpEe_ivP>Hh{xx~oXIZ-FDUPH9KY)a4<6#;3HHqs_c^WEbuD+Qn>u0+oXE+>+|J
zAtL)VlgGHnps?K6FdcvV6deSv{~HDrRu%4psiXW_2bxMbQZmKrBPz<eMeWG&cTN30
zyG7i(5~ttjv>G_OwA~M)!0l1qTLrjCB=`1I@rMJ;^p3DJ{jz<V+RGNX@>il8Ow(6m
zREXyP5Bm+TTTSL)hGALjfLD9|K!bx~NKioOe@zPuyKvsHCX9_#)66S3_T~}Hyj3CT
ziaNbwnwi=(aBP>6|En#(2Ik*zH;EeRhYE?(bqfcYzj$cL4lJKCS)2xyxI4tL3;D9;
z=&2|RMz05J6yFNFtzJxH;%`qHv2A-O+03PB-xpvNbUm+h%9cl+MQ2d3Zx<IZCmPy0
zLR(F6f#mo)>fWROnN5RX{k=8;s1PM9wT++WxH6T&rJpdt>Pre9qLF$D9qK$umQ9A;
zL~l+ceFV_i-9$|g9)1l1V#D(zTb2}b?e-d<2?D4DtZ&81>^rgPPAGwJl1Fm+VO}Fj
zRM@nHU|;+h)joFc1zbOEM=U`;5!M~3BIo*ronDak(z+7(l79~)khDn(qSjz4sW)mI
zvi~5zqLZqfB&`&o>}+IREmueOIZ#2_kwpwd{di(sY`dGl4AbFc8p1u}^KqEWGMv-@
zB$ftsJw~V<CmlUDkwCLD`n(|n12iamN@2QT47Zo8W)pN-;GeD>^$?X&;h(0TV;U{B
zsC1u6n5x!>e+<t?%LrzQzu5KvKP{Cq%8eQZmvYFPG;Tx&;k?g<O!wroH+pv`i=Xo8
zc+!+mF~X%g`<yg<=yztH$o734E`_~voEys15rp_seN;C}kG3TOXf!Tnb6HkUoWDan
z`Hjl1S0(FfrDdp?66geQ^!~5aoowvLPtOJ8_UEi!9=Sj{*j6^JRbDSv<oDx(tq~q1
zXHsJ4&^u5ai_vOx4Uc&`wr_9TjFWcrh44jm9K)+=NL3CQ7!#mEkIS@oI0Yu^h2=co
zGZj0UKcQY$h8Z#wH%9-&8)o-5ktwtFekTka0y{1X$C+>aLRa2KGWO~4yM|xaf+RNx
z*u5<IA8}`-aOpFuI4-Jf+RMYS04!DZeK~VwLQvF1&9U?BOb86|u7+ID6HSX5_3|a=
I3~&$EZ5t}~MF0Q*

literal 1479
zcmV;&1vvTuM@dveQdv+`0J321*{)zA!MwUR!M<k=`fh%)fX{BdEk(fc3YWe>L(mL_
z8gA{gLVEV_d;e?S%-NSj{S|s_rtE^W@F{X{#2d>F8ljLV3{&uKsviviXCd!%qI(8=
zAtgiDD(Gj>9PV}QSR!&cT2jqkDP*C3QWW)N7AI1$<&@4N!$C@jKm2ppmP`o`4EtF+
z4<g*Te<U9`37_Ukfs<H(HJe|Fzszp`0a5y5o>_+AB3|-*PJ$?2A)y;R8z)|FMv=##
z8s@OD_OH<t_JR`$D<5@XB!K)Om1?4=r9q(U;ZRZ3BP82t|E>i8;$1Nna@MIltmDAV
zYRpg?EowsnQ&F?r7&xwuuyvn?ZmZFk>}{Bv&RRcgNal7&S`3N2R?+&t^Y*;L1i|&F
zYGnn-0UnSYr{jwE9@MldTCO%N<NSSWm9IVa2{uSsWjDyG#D=ChhQA^j!r^_nIX4=Y
zq0H4!Ey|IH(Mz;F_p-+{HoCIFy7#sGk|QY?Evj)D30VRsBGMI$9LjgIbw<3Tuy1E=
zHx;#;;bb3kEQTC|lQ&A?`(OWVx#l-|d!TRStR>D@%ht9p-s(b^$9<cNQX(8qPfeYg
z6N)WYFV_JIOhv3q+vEY)*WyFNT}0kbr)A%bZq1Y%#b$(Rel+{<3wmm%ppGtH?#QBx
zKV!2&00Ky5`;q)$qFQrxhNt&UCC|OTOha_gNNX}IDJrN!^%Pa9Lr576-VnT0@%Cjc
zE^rxbs;I%ijw^zL^9h?(5OIW*esSkvaf^5Z)TFd{iwK#XWTq8#Y%>PF0VD+|WwetW
z`Goj|(FR)ah5y1|o6E_SD9XbqIS^AhRZMV9C`6VDXoONj<>(LVg+*SclC1sQwh*&C
z-o&R7Ma=`f;(*_JQaj*)z-tsC5X#BFO<3E^KBwaI=K@Pq`HfUHt=4f!*!?lX#m#YS
zz4zyYq_LzM*KrB&rJATZL%Ig@1aToYP0jlhok!wr!yARF>gzmc@s6D$5jS-3P5=je
zc1(`FPR-trmbW3i0pe+oM(&(KF!eTvHn{jiS7^Sm1V)F&?n<fecuJYM1ba<x`SMLW
zfKdT68uaECFYT`RV+ckjb=t0LAt4FY>VT=Aj+-p7uBZZB@H`tA=}S)7!c1`;W^V0|
z>_6h;(`>~I-x4_^1Zah8kjw20lXe06nTB%i2HeSwD;f2%8lM7I(;@9;nVX0iQ`06T
zE8>zs&M;FmzAPrL)>uHjPKmilpw_uxb}=J6I2X4g?!YVvGwL34u3Q<$d(Ea&E`km_
z?=XY<$)_g2xX{aAqS%;9Dfb$6-8Q}m(b9Ab4Nef{y4;P-H?(^4xKyAb?*ubuJ#~+a
zCmy~_*vW&pRWmm~DD_*PT{|8ym_ky5?6P1jF@v1+0{WPC<61aikkl4@!H$+RqQYI`
z$4;?YibEiN4lT-y#lfC+Ri2E&yv;-(&Gqg+=r^(^NObwcFnn%=w*yq`I4|XAhh|Ws
zy;KSE#hj*%`^B6>zVbUrrdbcT-g`MNB;(1lO@~4PFdR2TqekL1#jv2huZr}>l4jg_
z9Lw;3rN_4gXp40)YBKW9^WeoFCVJ-HV65|W3R+>z!_TDIMtOv$8w^rI)&jCpLPwqN
z{(DRB`j!Hvh>6}o5+C*F7T(J;^Xi`St*S1H%c>i}v8)vbySz{lD@RpCV&!HCH$)_C
zsn3|iYHl`Ko%`{wAOZ*g<}1XUiBxL`N><?%IHfm>tl&duUv~cu8rhw{QVhlTLWs*B
z-N-K3#*Y^}7{O;_;ahA^EpDxKZ>?vxDRU)cL4PB_!}`^YlILF|ng#(HqfngF;rj6D
zj-Bh8eFEewx1L$K57rE?&5D`cR&@h?ERPtfOZ(aXwebHsw=1s)kjtMCttuL{8xD49
hXl~&*DE8W_w%s-w-2g%M^QMwr_3gS>ldOMotExbj+l>GK

diff --git a/system/hosts/sail.nix b/system/hosts/sail.nix
index f6417e9..b3e228a 100644
--- a/system/hosts/sail.nix
+++ b/system/hosts/sail.nix
@@ -17,6 +17,7 @@ in
     ../nixos/cloudflared.nix
 
     ../nixos/acme-sail.nix
+    ../nixos/nginx.nix
 
     ../nixos/atuin-sync.nix
 
@@ -24,7 +25,7 @@ in
 
     (import ../nixos/freshrss.nix (args // { inherit secret; }))
 
-    ../nixos/libreddit.nix
+    (import ../nixos/libreddit.nix (args // { inherit secret; }))
 
     (import ../nixos/mastodon.nix (args // { inherit secret; }))
 
diff --git a/system/nixos/libreddit.nix b/system/nixos/libreddit.nix
index ef511a5..7fd0347 100644
--- a/system/nixos/libreddit.nix
+++ b/system/nixos/libreddit.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, secret, ... }:
 
 {
   services.libreddit = {
@@ -9,16 +9,9 @@
   };
 
   services.nginx = {
-    virtualHosts."libreddit.only.internal" = {
-      listen = [
-        {
-          addr = "127.0.0.1";
-          port = 80;
-        }
-      ];
-
-      forceSSL = false;
-      enableACME = false;
+    virtualHosts."${secret.nginx.hostnames.libreddit}" = {
+      forceSSL = true;
+      useACMEHost = "daniel.sx";
       basicAuthFile = config.age.secrets.libreddit-auth.path;
 
       locations."/" = {
diff --git a/system/nixos/nginx.nix b/system/nixos/nginx.nix
new file mode 100644
index 0000000..60dee73
--- /dev/null
+++ b/system/nixos/nginx.nix
@@ -0,0 +1,9 @@
+{
+  services.nginx = {
+    enable = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
+    recommendedTlsSettings = true;
+  };
+}