#
# Default relayd.conf file for Pleroma on OpenBSD
# Simple installation instructions:
# 1. Place in /etc
# 2. Replace <ipaddr> with your public IPv4 address
# 3. If using IPv6, uncomment IPv6 lines and replace <ip6addr> with your public IPv6 address
# 4. Replace all occurrences of example.tld with your instance's domain
# 5. Check file using 'doas relayd -n'
# 6. Reload/start relayd
#      # doas rcctl enable relayd
#      # doas rcctl start relayd
#

ext_inet="<ipaddr>"
#ext_inet6="<ip6addr>"

table <pleroma_server> { 127.0.0.1 }

# Uncomment when you want to serve other services than Pleroma.
# In this example tables are used only as way to differentiate between Pleroma and other services.
# Feel free to rename "httpd_server" everywhere to fit your setup.
#table <httpd_server> { 127.0.0.1 }

http protocol pleroma { # Protocol for upstream Pleroma server
    #tcp { nodelay, sack, socket buffer 65536, backlog 128 } # Uncomment and adjust as you see fit
    tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
    tls ecdhe "X25519,P-256,P-384,secp521r1" # relayd default+secp521r1

    return error

    # When serving multiple services with different certificates, specify multiple "tls keypair" keywords
    # and add forwards to those services before the block keyword near the bottom of the protocol and relay configurations.
    # The string in quotes must match the fullchain certificate file created by acme-client without the extension.
    # For example:
    # tls keypair "pleroma.example.tld"
    # tls keypair "example.tld"
    tls keypair "example.tld"

    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "Connection" value "upgrade"

    # When hosting Pleroma on a subdomain, replace example.tld accordingly (not the base domain).
    # From the above example, "example.tld" should be replaced with "pleroma.example.tld" instead.
    pass request quick header "Host" value "example.tld" forward to <pleroma_server>

    # Uncomment when serving media uploads on a different (sub)domain.
    # Keep media proxy disabled, as it will NOT work under relayd/httpd. If you want to also setup media proxy, use nginx instead.
    #pass request quick header "Host" value "media.example.tld" forward to <pleroma_server>

    # When serving multiple services, add the forwards here.
    # Example:
    #pass request quick header "Host" value "example.tld" forward to <httpd_server>

    block
}

relay wwwtls {
    listen on $ext_inet port https tls # Comment to disable listening on IPv4
    #listen on $ext_inet6 port https tls # Comment to disable listening on IPv6

    protocol pleroma

    forward to <pleroma_server> port 4000 check tcp timeout 500 # Adjust timeout accordingly when relayd returns 502 while Pleroma is running without problems.

    # When serving multiple services, add the forwards here.
    # Example:
    #forward to <httpd_server> port 8080
}