From 08e220cb55f4e27bf865d02bebd452b707c3b5ea Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sat, 8 Jul 2023 19:25:29 +0200
Subject: [PATCH] Upgrade to version 2023.07.07 (#133)

* Upgrade to v2023.07.07

* Auto-update README

* Update nginx.conf

---------

Co-authored-by: yunohost-bot <yunohost-bot@users.noreply.github.com>
Co-authored-by: yunohost-bot <yunohost@yunohost.org>
Co-authored-by: Tagada <36127788+Tagadda@users.noreply.github.com>
---
 README.md       |   2 +-
 README_fr.md    |   2 +-
 conf/app.src    |   6 +--
 conf/nginx.conf | 105 ++++++++++++++++++++++++++++++++++--------------
 manifest.json   |   2 +-
 5 files changed, 80 insertions(+), 37 deletions(-)

diff --git a/README.md b/README.md
index a8f9580..7d974c8 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 See more [on the documentation](https://glitch-soc.github.io/docs/).
 
 
-**Shipped version:** 2023.07.06~ynh1
+**Shipped version:** 2023.07.07~ynh1
 ## Disclaimers / important information
 
 ⚠️ Glitch-Soc is beta software, and under active development. Use at your own risk!
diff --git a/README_fr.md b/README_fr.md
index fde4986..bff94c9 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -43,7 +43,7 @@ Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) po
 Voir plus [sur la documentation](https://glitch-soc.github.io/docs/) (en anglais).
 
 
-**Version incluse :** 2023.07.06~ynh1
+**Version incluse :** 2023.07.07~ynh1
 ## Avertissements / informations importantes
 
 Glitch-Soc est en constant développement, fournis avec les dernières fonctionnalités (incluant les derniers bugs).
diff --git a/conf/app.src b/conf/app.src
index 2181499..affde1e 100644
--- a/conf/app.src
+++ b/conf/app.src
@@ -1,7 +1,7 @@
-SOURCE_URL=https://github.com/glitch-soc/mastodon/archive/c25ba31e95148fb1d1809720b9060a0c1891a23b.tar.gz
-SOURCE_SUM=a8c86ee7850cc52fb3a1ba02e8334c4d2946442c9c179805d1544a0ac7317fe9
+SOURCE_URL=https://github.com/glitch-soc/mastodon/archive/a40529fa79c6882eb1929014e5f9324d8e81ae49.tar.gz
+SOURCE_SUM=342e828972f015557322465a3f103f32b3e61e885049f3c18612cdaef2525903
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=c25ba31e95148fb1d1809720b9060a0c1891a23b.tar.gz
+SOURCE_FILENAME=a40529fa79c6882eb1929014e5f9324d8e81ae49.tar.gz
 SOURCE_EXTRACT=true
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 19c2c01..4b1f76b 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,7 +1,5 @@
-# upload max size
-client_max_body_size 100M;
+client_max_body_size 99m;
 
-# add to v1.4 assets
 root __FINALPATH__/live/public;
 
 location / {
@@ -13,23 +11,86 @@ location / {
   include conf.d/yunohost_panel.conf.inc;
 }
 
-location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
-  more_set_headers "Cache-Control: public, max-age=31536000, immutable";
-  more_set_headers "Strict-Transport-Security: max-age=31536000";
-  try_files $uri @proxy;
+location ~ /sw.js {
+  more_set_headers "Cache-Control: public, max-age=604800, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
 }
 
-location /sw.js {
-  more_set_headers "Cache-Control: public, max-age=0";
-  more_set_headers "Strict-Transport-Security: max-age=31536000";
-  try_files $uri @proxy;
+location ~ ^/assets/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/avatars/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/emoji/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/headers/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/packs/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/shortcuts/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/sounds/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/system/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, immutable";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  more_set_headers "X-Content-Type-Option: nosniff";
+  more_set_headers "Content-Security-Policy: default-src 'none'; form-action 'none'";
+  try_files $uri =404;
+}
+
+location ^~ /api/v1/streaming {
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header Proxy "";
+
+  proxy_pass http://127.0.0.1:__PORT_STREAM__;
+  proxy_buffering off;
+  proxy_redirect off;
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+
+  tcp_nodelay on;
 }
 
 location @proxy {
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto https;
+  proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header Proxy "";
   proxy_pass_header Server;
 
@@ -38,31 +99,13 @@ location @proxy {
   proxy_redirect off;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "upgrade";
+  proxy_set_header Connection $connection_upgrade;
 
   #proxy_cache CACHE;
   proxy_cache_valid 200 7d;
   proxy_cache_valid 410 24h;
   proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
   more_set_headers "X-Cached: $upstream_cache_status";
-  more_set_headers "Strict-Transport-Security: max-age=31536000";
-
-  tcp_nodelay on;
-}
-
-location /api/v1/streaming {
-  proxy_set_header Host $host;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto https;
-  proxy_set_header Proxy "";
-
-  proxy_pass http://127.0.0.1:__PORT_STREAM__;
-  proxy_buffering off;
-  proxy_redirect off;
-  proxy_http_version 1.1;
-  proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "upgrade";
 
   tcp_nodelay on;
 }
diff --git a/manifest.json b/manifest.json
index 953e470..e733810 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
         "en": "Libre and federated social network, fork of Mastodon",
         "fr": "Réseau social libre et fédéré, scission de Mastodon"
     },
-    "version": "2023.07.06~ynh1",
+    "version": "2023.07.07~ynh1",
     "url": "https://github.com/glitch-soc/mastodon",
     "upstream": {
         "license": "AGPL-3.0-or-later",