Mastodon nginx: make it mostly work

installation/mastodon.conf

@@ -1,14 +1,19 @@
+# Nginx configuration for Soapbox on Mastodon.
+# Adapted from: https://github.com/mastodon/mastodon/blob/b4d373a3df2752d9f8bdc0d7f02350528f3789b2/dist/nginx.conf
+#
+# Edit this file to change occurences of "example.com" to your own domain.
+
 map $http_upgrade $connection_upgrade {
   default upgrade;
   ''      close;
 }
 
 upstream backend {
-    server 127.0.0.1:3000 fail_timeout=0;
+  server 127.0.0.1:3000 fail_timeout=0;
 }
 
 upstream streaming {
-    server 127.0.0.1:4000 fail_timeout=0;
+  server 127.0.0.1:4000 fail_timeout=0;
 }
 
 proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
@@ -17,7 +22,7 @@ server {
   listen 80;
   listen [::]:80;
   server_name example.com;
-  root /home/mastodon/live/public;
+  root /opt/soapbox/static;
   location /.well-known/acme-challenge/ { allow all; }
   location / { return 301 https://$host$request_uri; }
 }
@@ -41,7 +46,7 @@ server {
   sendfile             on;
   client_max_body_size 80m;
 
-  root /home/mastodon/live/public;
+  root /opt/soapbox/static;
 
   gzip on;
   gzip_disable "msie6";
@@ -54,22 +59,55 @@ server {
 
   add_header Strict-Transport-Security "max-age=31536000" always;
 
+  # Fallback route.
+  # Everything not routed should fall back to the SPA.
   location / {
-    try_files $uri @proxy;
+    try_files /index.html /dev/null;
   }
 
-  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+  # Mastodon backend routes.
+  # These are routes to Mastodon's API and important rendered pages.
+  location ~ ^/(api|oauth|auth|admin|.well-known/webfinger) {
+    try_files /dev/null @proxy;
+  }
+
+  # # Mastodon ActivityPub routes.
+  # # Conditionally send to Mastodon by Accept header.
+  # if ($http_accept = "application/activity+json" || $http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+  #   location ~ ^/(inbox|outbox|users|@) {
+  #     try_files /dev/null @proxy;
+  #   }
+  # }
+
+  # Mastodon public files.
+  # https://github.com/mastodon/mastodon/tree/main/public
+  # Take only what we need for Soapbox.
+  location ~ ^/(favicon.ico|browserconfig.xml|embed.js|android-chrome-192x192.png|apple-touch-icon.png|avatars/original/missing.png|headers/original/missing.png) {
+    root /home/mastodon/live/public;
     add_header Cache-Control "public, max-age=31536000, immutable";
     add_header Strict-Transport-Security "max-age=31536000" always;
-    try_files $uri @proxy;
   }
 
-  location /sw.js {
+  # Soapbox build files.
+  # New builds produce hashed filenames, so these should be cached heavily.
+  location ~ ^/(packs|emoji) {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    add_header Strict-Transport-Security "max-age=31536000" always;
+  }
+
+  # Soapbox configuration files.
+  # Enable CORS so we can fetch them.
+  location /instance {
+    add_header Access-Control-Allow-Origin "*";
+  }
+
+  # Soapbox ServiceWorker.
+  location = /sw.js {
     add_header Cache-Control "public, max-age=0";
     add_header Strict-Transport-Security "max-age=31536000" always;
-    try_files $uri @proxy;
   }
 
+  # Proxy to Mastodon's Ruby on Rails backend.
   location @proxy {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
@@ -95,6 +133,7 @@ server {
     tcp_nodelay on;
   }
 
+  # Mastodon's Node.js streaming server.
   location /api/v1/streaming {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;