surtr: ...

2 files changed, 39 insertions, 9 deletions

diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index 6b516b00..c70eb8f8 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -24,16 +24,20 @@
         access_log syslog:server=unix:/dev/log main;
         error_log syslog:server=unix:/dev/log info;
 
-        client_body_temp_path /run/nginx-client-bodies;
+        client_body_temp_path /run/nginx-client-bodies 2 2;
+        proxy_temp_path /run/nginx-proxy-bodies 2 2;
       '';
       additionalModules = with pkgs.nginxModules; [ pam ];
+      eventsConfig = ''
+        worker_connections 2048;
+      '';
     };
     systemd.services.nginx = {
       preStart = lib.mkForce config.services.nginx.preStart;
       serviceConfig = {
         SupplementaryGroups = [ "shadow" ];
         ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
+        RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" "nginx-proxy-bodies" ];
         RuntimeDirectoryMode = "0750";
       };
     };
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index fcebf9c1..7a1b968e 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -141,6 +141,9 @@ with lib;
       recommendedProxySettings = true;
 
       upstreams."matrix-synapse" = {
+        extraConfig = ''
+          keepalive 64;
+        '';
         servers = {
           "127.0.0.1:8008" = {};
         };
@@ -175,7 +178,11 @@ with lib;
           proxyPass = "http://matrix-synapse";
           extraConfig = ''
             client_max_body_size 500M;
+
             proxy_pass_header Server;
+
+            proxy_http_version 1.1;
+            proxy_set_header "Connection" "";
           '';
         }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // {
           "= /.well-known/matrix/server" = {
@@ -201,7 +208,16 @@ with lib;
         };
       };
 
-      virtualHosts."element.synapse.li" = {
+      virtualHosts."element.synapse.li" = let
+        headerDirectives = ''
+          add_header Strict-Transport-Security "max-age=63072000" always;
+
+          add_header X-Frame-Options SAMEORIGIN always;
+          add_header X-Content-Type-Options nosniff always;
+          add_header X-XSS-Protection "1; mode=block" always;
+          add_header Content-Security-Policy "frame-ancestors 'self'" always;
+        '';
+      in {
         forceSSL = true;
         kTLS = true;
         http3 = true;
@@ -209,12 +225,7 @@ with lib;
         sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem";
         sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
         extraConfig = ''
-          add_header Strict-Transport-Security "max-age=63072000" always;
-
-          add_header X-Frame-Options SAMEORIGIN;
-          add_header X-Content-Type-Options nosniff;
-          add_header X-XSS-Protection "1; mode=block";
-          add_header Content-Security-Policy "frame-ancestors 'self'";
+          error_page  500 502 503 504  /50x.html;
         '';
 
         root = pkgs.element-web.override {
@@ -225,6 +236,21 @@ with lib;
             };
           };
         };
+
+        locations = {
+          "= /index.html".extraConfig = ''
+            ${headerDirectives}
+            add_header Cache-Control "no-cache" always;
+          '';
+          "= /version".extraConfig = ''
+            ${headerDirectives}
+            add_header Cache-Control "no-cache" always;
+          '';
+          "/config".extraConfig = ''
+            ${headerDirectives}
+            add_header Cache-Control "no-cache" always;
+          '';
+        };
       };
     };