diff --git a/common.opts b/common.opts
line changes: +2/-2
index 6875b78..85418ff
--- a/common.opts
+++ b/common.opts

@@ -1,4 +1,4 @@
-FREEBSD_RELEASE=14.0-RELEASE
+FREEBSD_RELEASE=14.3-RELEASE
 RUBY_SOURCE=ruby-3.2.3.tar.gz # currently unused
 
 # mainline

@@ -15,4 +15,4 @@ RUBY_SOURCE=ruby-3.2.3.tar.gz # currently unused
 
 # Awesome Garden Hometown
 MASTODON_REPO="chip@yomiko:git/hometown.git"
-MASTODON_VERSION="awesome-garden-main-9"
+MASTODON_VERSION="awesome-garden-main-10"

diff --git a/mastodon/nginx.conf.tmpl b/mastodon/nginx.conf.tmpl
line changes: +27/-25
index 243e87a..a2e61ac
--- a/mastodon/nginx.conf.tmpl
+++ b/mastodon/nginx.conf.tmpl

@@ -27,13 +27,8 @@ http {
     #                  '"$http_user_agent" "$http_x_forwarded_for"';
 
     #access_log  logs/access.log  main;
-
     sendfile        on;
-    #tcp_nopush     on;
-
-    #keepalive_timeout  0;
     keepalive_timeout  65;
-
     #gzip  on;
 
     map $http_upgrade $connection_upgrade {

@@ -70,63 +65,70 @@ http {
       gzip_http_version 1.1;
       gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
 
-      add_header Strict-Transport-Security "max-age=31536000" always;
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
       location / {
         try_files $uri @proxy;
       }
 
-      location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
-        add_header Cache-Control "public, max-age=31536000, immutable";
-        add_header Strict-Transport-Security "max-age=31536000" always;
+      location /sw.js {
+        add_header Cache-Control "public, max-age=604800, must-revalidate";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
         try_files $uri @proxy;
       }
 
-      location /sw.js {
-        add_header Cache-Control "public, max-age=0";
-        add_header Strict-Transport-Security "max-age=31536000" always;
+      location ~ ^/(assets|avatars|emoji|headers|packs|shortcuts|sounds)/ {
+        add_header Cache-Control "public, max-age=2419200, must-revalidate";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
         try_files $uri @proxy;
       }
 
-      location @proxy {
+      location ~ ^/system/ {
+        add_header Cache-Control "public, max-age=2419200, immutable";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+        try_files $uri @proxy;
+      }
+
+      location ^~ /api/v1/streaming {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $http_x_real_ip;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
         proxy_set_header Proxy "";
-        proxy_pass_header Server;
 
-        proxy_pass http://backend;
-        proxy_buffering on;
+        proxy_pass http://streaming;
+        proxy_buffering off;
         proxy_redirect off;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
 
-        proxy_cache CACHE;
-        proxy_cache_valid 200 7d;
-        proxy_cache_valid 410 24h;
-        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
-        add_header X-Cached $upstream_cache_status;
-        add_header Strict-Transport-Security "max-age=31536000" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
         tcp_nodelay on;
       }
 
-      location /api/v1/streaming {
+      location @proxy {
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $http_x_real_ip;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
         proxy_set_header Proxy "";
+        proxy_pass_header Server;
 
-        proxy_pass http://streaming;
-        proxy_buffering off;
+        proxy_pass http://backend;
+        proxy_buffering on;
         proxy_redirect off;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
 
+        proxy_cache CACHE;
+        proxy_cache_valid 200 7d;
+        proxy_cache_valid 410 24h;
+        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+        add_header X-Cached $upstream_cache_status;
+
         tcp_nodelay on;
       }
 

diff --git a/pkglist-mastodon.txt b/pkglist-mastodon.txt
line changes: +1/-1
index e81565d..8b1a9cc
--- a/pkglist-mastodon.txt
+++ b/pkglist-mastodon.txt

@@ -18,7 +18,7 @@ npm-node18
 postgresql15-client
 protobuf
 readline
-ruby
+ruby32
 ruby32-gems
 rubygem-bundler
 yarn-node18

diff --git a/postgres/Bastillefile b/postgres/Bastillefile
line changes: +11/-5
index 667b933..33570cc
--- a/postgres/Bastillefile
+++ b/postgres/Bastillefile

@@ -1,13 +1,19 @@
 PKG postgresql15-server postgresql15-contrib
 SYSRC postgresql_enable=YES
 SYSRC postgres_exporter_enable=YES
-SERVICE postgresql initdb
-CP postgresql.conf var/db/postgres/data15/
-CP pg_hba.conf var/db/postgres/data15/
+MOUNT /mastodon/postgres var/db/postgres nullfs rw 0 0
+
+# If creating a fresh DB
+#SERVICE postgresql initdb
+#CP postgresql.conf var/db/postgres/data15/
+#CP pg_hba.conf var/db/postgres/data15/
+
 CMD chown postgres:postgres /var/db/postgres/data15/*.conf
 SERVICE postgresql start
-CMD su postgres -c 'createuser -l -g pg_monitor postgres_exporter'
-CMD su postgres -c "psql -c \"CREATE USER mastodon CREATEDB PASSWORD 'mastodon';\""
+
+# If creating a fresh DB
+#CMD su postgres -c 'createuser -l -g pg_monitor postgres_exporter'
+#CMD su postgres -c "psql -c \"CREATE USER mastodon CREATEDB PASSWORD 'mastodon';\""
 
 CP postgres_exporter/cmd/postgres_exporter/postgres_exporter usr/local/bin/
 CP rc.d/postgres_exporter usr/local/etc/rc.d/