From c5bf309d5bca3d8b5827e576ca46e5d7b0b9a5f2 Mon Sep 17 00:00:00 2001
From: Christine Elisabeth Koppel <kuutruu@posteo.net>
Date: Sat, 14 Feb 2026 12:17:49 +0100
Subject: [PATCH] Nope, nope wrong config.

---
 nix-system-configs/modules/system/traefik.nix | 29 ++++++++++---------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index 3b020d8..a05369d 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -64,22 +64,22 @@ in {
             PUBLIC_URL = "https://anubis.prg-radio.org";
 
             # Cookie domain for proper scoping
-            COOKIE_DOMAIN = ".prg-radio.org,prg-radio.org";
+            COOKIE_DOMAIN = ".prg-radio.org";
 
             # Difficulty level
             DIFFICULTY = 7;
             #ALGOTIHM = "slow";
 
-            # This prevents Anubis from looping
-            # See: https://github.com/TecharoHQ/anubis/issues/970
-            JWT_RESTRICTION_HEADER = "CF-Connecting-IP";
-
             # Optional: serve robots.txt
             SERVE_ROBOTS_TXT = true;
 
             # Optional: webmaster email for error pages
             WEBMASTER_EMAIL = "dtu.prg@gmail.com";
 
+            # Prevents infinite loop of doom:
+            #
+            JWT_RESTRICTION_HEADER="CF-Connecting-IP,X-Real-IP";
+
             # Metrics on separate port
             METRICS_BIND_NETWORK = "tcp";
             METRICS_BIND = "127.0.0.1:8091";
@@ -90,6 +90,7 @@ in {
             COOKIE_SAME_SITE = "None"; # Only if Secure=true and you need cross-site
           };
         };
+
       };
     };
 
@@ -173,9 +174,9 @@ in {
           anubis = {
             rule = "Host(`anubis.prg-radio.org`)";
             service = "anubis";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
             tls = {
-              certresolver = "acme";
+                certresolver = "acme";
             };
           };
 
@@ -183,16 +184,16 @@ in {
           forgejo = {
             rule = "Host(`git.prg-radio.org`)";
             service = "forgejo";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
             tls = {};
-            middlewares = ["anubisForwardAuth"];
+            middlewares = [ "anubisForwardAuth" ];
           };
 
           # Matrix HTTP router for client requests (Element etc.)
           matrix = {
             rule = "Host(`lgbtq.prg-radio.org`)";
             service = "matrix";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
             tls = {};
           };
 
@@ -200,7 +201,7 @@ in {
           wavelog = {
             rule = "Host(`wavelog.prg-radio.org`)";
             service = "wavelog";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
             tls = {};
           };
 
@@ -208,9 +209,9 @@ in {
           partdb = {
             rule = "Host(`partdb.prg-radio.org`)";
             service = "partdb";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
             tls = {};
-            middlewares = ["anubisForwardAuth"];
+            middlewares = [ "anubisForwardAuth" ];
           };
         };
 
@@ -343,4 +344,4 @@ in {
 
     system.stateVersion = "25.11";
   };
-}
+}
\ No newline at end of file