Nope, nope wrong config.

2026-02-14 12:17:49 +01:00 · 2026-02-14 12:17:49 +01:00 · c5bf309d5b
commit c5bf309d5b
parent 9b7d1ca52d
1 changed files with 15 additions and 14 deletions
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@ -64,22 +64,22 @@ in {
            PUBLIC_URL = "https://anubis.prg-radio.org";

            # Cookie domain for proper scoping
-            COOKIE_DOMAIN = ".prg-radio.org,prg-radio.org";
+            COOKIE_DOMAIN = ".prg-radio.org";

            # Difficulty level
            DIFFICULTY = 7;
            #ALGOTIHM = "slow";

-            # This prevents Anubis from looping
-            # See: https://github.com/TecharoHQ/anubis/issues/970
-            JWT_RESTRICTION_HEADER = "CF-Connecting-IP";
-
            # Optional: serve robots.txt
            SERVE_ROBOTS_TXT = true;

            # Optional: webmaster email for error pages
            WEBMASTER_EMAIL = "dtu.prg@gmail.com";

+            # Prevents infinite loop of doom:
+            #
+            JWT_RESTRICTION_HEADER="CF-Connecting-IP,X-Real-IP";
+
            # Metrics on separate port
            METRICS_BIND_NETWORK = "tcp";
            METRICS_BIND = "127.0.0.1:8091";
@ -90,6 +90,7 @@ in {
            COOKIE_SAME_SITE = "None"; # Only if Secure=true and you need cross-site
          };
        };
+
      };
    };

@ -173,9 +174,9 @@ in {
          anubis = {
            rule = "Host(`anubis.prg-radio.org`)";
            service = "anubis";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
            tls = {
-              certresolver = "acme";
+                certresolver = "acme";
            };
          };

@ -183,16 +184,16 @@ in {
          forgejo = {
            rule = "Host(`git.prg-radio.org`)";
            service = "forgejo";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
            tls = {};
-            middlewares = ["anubisForwardAuth"];
+            middlewares = [ "anubisForwardAuth" ];
          };

          # Matrix HTTP router for client requests (Element etc.)
          matrix = {
            rule = "Host(`lgbtq.prg-radio.org`)";
            service = "matrix";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
            tls = {};
          };

@ -200,7 +201,7 @@ in {
          wavelog = {
            rule = "Host(`wavelog.prg-radio.org`)";
            service = "wavelog";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
            tls = {};
          };

@ -208,9 +209,9 @@ in {
          partdb = {
            rule = "Host(`partdb.prg-radio.org`)";
            service = "partdb";
-            entryPoints = ["websecure"];
+            entryPoints = [ "websecure" ];
            tls = {};
-            middlewares = ["anubisForwardAuth"];
+            middlewares = [ "anubisForwardAuth" ];
          };
        };