nix-infra/config/hosts/mastodon/nginx.nix

{ config, ... }:
{
  services.nginx = {
    enable = true;
    group = "mastodon";
    virtualHosts."social.nekover.se" = {
      forceSSL = true;
      enableACME = true;
      listen = [
        {
          addr = "0.0.0.0";
          port = 80;
        }
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          extraParameters = [ "proxy_protocol" ];
        }
      ];

      root = "${config.services.mastodon.package}/public/";

      locations = {
        "/" = {
          tryFiles = "$uri @proxy";
        };

        "/system/".alias = "/var/lib/mastodon/public-system/";

        "^~ /api/v1/streaming" = {
          proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
          proxyWebsockets = true;
        };

        "@proxy" = {
          proxyPass = "http://unix:/run/mastodon-web/web.socket";
          proxyWebsockets = true;
        };
      };

      extraConfig = ''
        set_real_ip_from 10.202.41.100;
        real_ip_header proxy_protocol;
      '';
    };
  };
}