From 8afa5ef106fa9dc4d764fff7d527160f44e9a236 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Mon, 31 Jul 2017 13:55:27 +0200
Subject: [PATCH] Add vapid keys to template; don't cache SW
---
 .../templates/default/env.production.erb | 4 ++
 .../templates/default/nginx_conf_mastodon.erb | 41 +++++++++++++------
 2 files changed, 32 insertions(+), 13 deletions(-)
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb
index a034ab8..f72cfb3 100644
--- a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb
@@ -44,3 +44,7 @@ S3_REGION=<%= @s3_region %>
 # Streaming API integration
 # STREAMING_API_BASE_URL=
+
+# Web Push API
+VAPID_PRIVATE_KEY=<%= @vapid_private_key %>
+VAPID_PUBLIC_KEY=<%= @vapid_public_key %>
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
index 7c9da59..f6b3fb6 100644
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@@ -4,24 +4,20 @@ map $http_upgrade $connection_upgrade {
 }
 server {
- listen 80; # IPv4
- listen [::]:80; #IPv6
+ listen 80;
+ listen [::]:80;
 server_name <%= @server_name %>;
 access_log "/var/log/nginx/mastodon.access.log";
 error_log "/var/log/nginx/mastodon.error.log";
- location /.well-known {
- root "/var/www/mastodon";
- }
- location / {
- return 301 https://$host$request_uri;
- }
+ location /.well-known/acme-challenge/ { allow all; }
+ location / { return 301 https://$host$request_uri; }
 }
 server {
- listen 443 ssl http2; #IPv4
- listen [::]:443 ssl http2; #IPv6
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
 server_name <%= @server_name %>;
 access_log "/var/log/nginx/mastodon.access.log";
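Review bot: In env.production.erb, `VAPID_PRIVATE_KEY=<%= @vapid_private_key %>` writes a signing secret into the rendered file, yet the diffstat lists only the two templates, so nothing in this commit passes `@vapid_private_key` or `@vapid_public_key` to the template. Unless the recipe already supplies both variables, ERB renders them as empty strings and the file ships with blank keys. The `template` resource for this file (outside this diff) should also set `sensitive true` and a restrictive `mode`, so the private key is not echoed in Chef's diff output or logs. The value is best sourced from an encrypted data bag or vault item rather than a plain node attribute.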
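Review bot: In nginx_conf_mastodon.erb, the new `location /.well-known/acme-challenge/ { allow all; }` in the port-80 server block has no `root`, whereas the removed block set `root "/var/www/mastodon";`, and no other `root` is visible in that server block. Unless a root is inherited from the `http` level outside this file, nginx resolves challenge files against its compiled-in default directory and HTTP-01 validation fails, which would break certificate renewal for the HTTPS listener. Keeping the root on the narrowed location avoids that: `location /.well-known/acme-challenge/ { root "/var/www/mastodon"; allow all; }`.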
@@ -36,22 +32,40 @@ server {
 keepalive_timeout 70;
 sendfile on;
 client_max_body_size 0;
- gzip off;
 root <%= @mastodon_path %>/public;
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ add_header Strict-Transport-Security "max-age=31536000";
 location / {
 try_files $uri @proxy;
 }
+ location /sw.js {
+ add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
+ add_header Pragma "no-cache";
+ }
+
+ location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ try_files $uri @proxy;
+ }
+
 location @proxy {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
-
+ proxy_set_header Proxy "";
 proxy_pass_header Server;
 proxy_pass http://localhost:<%= @puma_port %>;
@@ -69,6 +83,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
 proxy_pass http://localhost:<%= @streaming_port %>;
 proxy_buffering off;
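Review bot: The two new locations in the `-36,22 +32,40` hunk, `/sw.js` and the `~ ^/(emoji|packs|…)` regex block, each declare their own `add_header`. nginx inherits `add_header` from the enclosing level only when the current level defines none, so files served directly from these locations no longer carry the server-level `Strict-Transport-Security` header. Repeating `add_header Strict-Transport-Security "max-age=31536000";` inside both blocks restores it. The new header also drops `includeSubDomains` compared with the removed one; if every subdomain is still HTTPS-only, keeping it is the stronger policy. `location /sw.js` has no `try_files $uri @proxy;`, so it answers only when the file exists under `root`; the server block itself opens before this hunk.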
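Review bot: `proxy_set_header Proxy "";` is added in the `-69,6 +83,7` hunk and in the `@proxy` location of the previous hunk without a comment, and its purpose is not obvious from the directive alone. It clears the client-supplied `Proxy` request header so the backend never receives it as `HTTP_PROXY` (the "httpoxy" class of issue). A one-line comment above each occurrence, such as `# Clear client-supplied Proxy header (httpoxy) before passing upstream`, would keep it from being removed later as dead configuration. The enclosing location block starts and ends outside this hunk.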