diff --git a/flake.lock b/flake.lock index ac9a2f2..dd59ff3 100644 --- a/flake.lock +++ b/flake.lock @@ -40,6 +40,24 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flakey-profile": { "locked": { "lastModified": 1712898590, @@ -92,9 +110,7 @@ }, "lix-module": { "inputs": { - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils", "flakey-profile": "flakey-profile", "lix": "lix", "nixpkgs": [ @@ -209,11 +225,24 @@ "type": "github" } }, + "nix-filter_2": { + "locked": { + "lastModified": 1731533336, + "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, "nix-vscode-extensions": { "inputs": { - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ] @@ -266,12 +295,10 @@ }, "root": { "inputs": { - "flake-utils": "flake-utils", "home-manager": "home-manager", "lix-module": "lix-module", "naersk": "naersk", "niri": "niri", - "nix-filter": "nix-filter", "nix-vscode-extensions": "nix-vscode-extensions", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", @@ -302,9 +329,7 @@ "naersk": [ "naersk" ], - "nix-filter": [ - "nix-filter" - ], + "nix-filter": "nix-filter", "nixpkgs": [ "nixpkgs" ] @@ -328,9 +353,7 @@ "naersk": [ "naersk" ], - "nix-filter": [ - "nix-filter" - ], + "nix-filter": "nix-filter_2", "nixpkgs": [ "nixpkgs" ] 
@@ -364,6 +387,21 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "xwayland-satellite-stable": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index 1791bbb..e719f8d 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,6 @@ url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; inputs = { nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; }; }; @@ -38,7 +37,6 @@ inputs = { nixpkgs.follows = "nixpkgs"; naersk.follows = "naersk"; - nix-filter.follows = "nix-filter"; }; }; @@ -47,7 +45,6 @@ inputs = { nixpkgs.follows = "nixpkgs"; naersk.follows = "naersk"; - nix-filter.follows = "nix-filter"; }; }; @@ -55,13 +52,8 @@ url = "github:nix-community/nix-vscode-extensions"; inputs = { nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; }; }; - - # this is used to pin transitive dependencies to the same version - flake-utils.url = "github:numtide/flake-utils"; - nix-filter.url = "github:numtide/nix-filter"; }; outputs = 
@@ -104,42 +96,41 @@ in nixpkgs.lib.nixosSystem { inherit system specialArgs; - modules = - [ - lix-module.nixosModules.default + modules = [ + lix-module.nixosModules.default - { networking.hostName = device; } + { networking.hostName = device; } - ./modules/globalinstalls.nix - ./modules/networking.nix - ./modules/nixpkgs.nix + ./modules/globalinstalls.nix + ./modules/networking.nix + ./modules/nixpkgs.nix - ./hosts/${device}/hardware.nix - ./hosts/${device}/imports.nix - ./hosts/${device}/configuration.nix + ./hosts/${device}/hardware.nix + ./hosts/${device}/imports.nix + ./hosts/${device}/configuration.nix - { - nixpkgs.overlays = [ - overlays.unstable-packages - ]; - } - ] - ++ (nixpkgs.lib.optionals (builtins.elem device homeDevices) [ - home-manager.nixosModules.home-manager - { home-manager.extraSpecialArgs = specialArgs; } - ./modules/home-manager.nix + { + nixpkgs.overlays = [ + overlays.unstable-packages + ]; + } + ] + ++ (nixpkgs.lib.optionals (builtins.elem device homeDevices) [ + home-manager.nixosModules.home-manager + { home-manager.extraSpecialArgs = specialArgs; } + ./modules/home-manager.nix - ./modules/i18n.nix + ./modules/i18n.nix - niri.nixosModules.niri - { - nixpkgs.overlays = [ - niri.overlays.niri - overlays.servicepoint-packages - nix-vscode-extensions.overlays.default - ]; - } - ]); + niri.nixosModules.niri + { + nixpkgs.overlays = [ + niri.overlays.niri + overlays.servicepoint-packages + nix-vscode-extensions.overlays.default + ]; + } + ]); } ); diff --git a/home/vinzenz/default.nix b/home/vinzenz/default.nix index db55596..6e0ff64 100644 --- a/home/vinzenz/default.nix +++ b/home/vinzenz/default.nix @@ -30,7 +30,7 @@ ./fuzzel.nix ./git.nix ./gnome.nix - ./niri.nix + #./niri.nix ./ssh.nix ./swaylock.nix ./vscode.nix diff --git a/home/vinzenz/niri.nix b/home/vinzenz/niri.nix index 7c90a93..3cb557a 100644 --- a/home/vinzenz/niri.nix +++ b/home/vinzenz/niri.nix @@ -1,7 +1,5 @@ { pkgs, - lib, - devices, config, ... }: 
diff --git a/hosts/hetzner-vpn2/nginx.nix b/hosts/hetzner-vpn2/nginx.nix index ff00daa..b29451a 100644 --- a/hosts/hetzner-vpn2/nginx.nix +++ b/hosts/hetzner-vpn2/nginx.nix @@ -1,4 +1,8 @@ -{ pkgs, inputs, ... }: +{ inputs, pkgs, ... }: +let + blog-domain-socket = "/run/nginx/blog.sock"; + anubis-domain-socket = "/run/anubis/anubis-blog.sock"; +in { security.acme = { acceptTerms = true; @@ -6,8 +10,16 @@ }; security.pam.services.nginx.setEnvironment = false; - systemd.services.nginx.serviceConfig = { - SupplementaryGroups = [ "shadow" ]; + systemd.services = { + nginx.serviceConfig = { + SupplementaryGroups = [ + "shadow" + "anubis" + ]; + }; + anubis-main.serviceConfig = { + SupplementaryGroups = [ "nginx" ]; + }; }; services.nginx = { @@ -58,13 +70,34 @@ "zerforschen.plus" = { addSSL = true; enableACME = true; + locations."/" = { + proxyPass = ("http://unix:" + anubis-domain-socket); + }; + }; + + "vinzenz-lpt2-in-anubis" = { root = inputs.zerforschen-plus.packages."${pkgs.system}".zerforschen-plus-content; + listen = [ + { + addr = ("unix:" + blog-domain-socket); + } + ]; }; }; - }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; + anubis = { + instances.main = { + enable = true; + settings = { + BIND = anubis-domain-socket; + TARGET = "unix://" + blog-domain-socket; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + }; } diff --git a/hosts/vinzenz-lpt2/imports.nix b/hosts/vinzenz-lpt2/imports.nix index 7e9f61a..f9a0ae1 100644 --- a/hosts/vinzenz-lpt2/imports.nix +++ b/hosts/vinzenz-lpt2/imports.nix @@ -4,7 +4,7 @@ ../../modules/gaming.nix ../../modules/printing.nix ../../modules/podman.nix - ../../modules/niri.nix + #../../modules/niri.nix ../../modules/desktop-environment.nix ../../modules/desktop-hardware.nix diff --git a/hosts/vinzenz-lpt2/nginx.nix b/hosts/vinzenz-lpt2/nginx.nix index c0715f0..302a271 100644 --- a/hosts/vinzenz-lpt2/nginx.nix +++ b/hosts/vinzenz-lpt2/nginx.nix 
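Review bot: The `SupplementaryGroups` lines in the `@@ -6,8 +10,16 @@` hunk put nginx in the `anubis` group and `anubis-main` in the `nginx` group, which gives each service everything the other's group can read, not just the one socket it needs. On NixOS the ACME key material for `enableACME` hosts is normally group-readable by nginx's group, so the Anubis process could presumably read the TLS private keys; confirm this on the host. A narrower setup is one dedicated group that owns only the two socket directories, with both units added to that group alone. hosts/vinzenz-lpt2/nginx.nix has the same mutual membership as `users.groups.anubis.members` / `users.groups.nginx.members`, which applies to every process of those users rather than to a single unit.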
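Review bot: Judging by the braces visible in the `@@ -58,13 +70,34 @@` hunk, the added `anubis = { … };` block and `networking.firewall.allowedTCPPorts` now sit inside `services.nginx = { … }`. The hunk removes the `};` that closed `services.nginx` after `virtualHosts` and adds it back only after the firewall list, while `services.nginx = {` is unchanged context in the previous hunk. They would then resolve to `services.nginx.anubis` and `services.nginx.networking.firewall`, which are not nginx options, so the Anubis instance and the 80/443 rule are not defined where intended and evaluation should fail. Keep the `};` after `virtualHosts` and declare `services.anubis = { … };` and `networking.firewall.allowedTCPPorts = [ 80 443 ];` at module top level, matching the `services = { nginx = …; anubis = …; }` layout in hosts/vinzenz-lpt2/nginx.nix. The internal vhost is also named `"vinzenz-lpt2-in-anubis"` on this host, which looks copied from the laptop configuration.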
@@ -1,30 +1,66 @@ -_: { - services.nginx = { - enable = true; +{ inputs, pkgs, ... }: +let + blog-domain-socket = "/run/nginx/blog.sock"; + anubis-domain-socket = "/run/anubis/anubis-blog.sock"; +in +{ + users.groups = { + anubis.members = [ "nginx" ]; + nginx.members = [ "anubis" ]; + }; + services = { + nginx = { + enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; - virtualHosts = { - "vinzenz-lpt2" = { - locations."/" = { - proxyPass = "http://127.0.0.1:3000/"; - proxyWebsockets = true; + virtualHosts = { + #"vinzenz-lpt2" = { + # locations."/" = { + # proxyPass = "http://127.0.0.1:3000/"; + # proxyWebsockets = true; + # }; + # + # serverAliases = [ "172.23.42.96" ]; + #}; + + "vinzenz-lpt2" = { + locations."/" = { + proxyPass = ("http://unix:" + anubis-domain-socket); + }; }; - serverAliases = [ "172.23.42.96" ]; + "vinzenz-lpt2-in-anubis" = { + root = inputs.zerforschen-plus.packages."${pkgs.system}".zerforschen-plus-content; + listen = [ + { + addr = ("unix:" + blog-domain-socket); + } + ]; + }; + }; + }; + + #networking.firewall = { + # allowedTCPPorts = [ + # 80 + # 8001 + # 3000 + # ]; + # allowedUDPPorts = [ 2342 ]; + #}; + + anubis = { + instances.main = { + enable = true; + settings = { + BIND = anubis-domain-socket; + TARGET = "unix://" + blog-domain-socket; + }; }; }; }; - - networking.firewall = { - allowedTCPPorts = [ - 80 - 8001 - 3000 - ]; - allowedUDPPorts = [ 2342 ]; - }; }
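Review bot: The previous `"vinzenz-lpt2"` vhost and the whole `networking.firewall` block are left as commented-out code instead of being removed. The firewall comment now sits inside `services = { … }`, so uncommenting it in place would define `services.networking.firewall` rather than the real option. That block decided which ports this machine exposed (TCP 80, 8001, 3000 and UDP 2342), so the file should state the intent instead of leaving it implicit. Delete both commented blocks and rely on git history; if closing the ports is deliberate, add one line at module top level such as `# TCP 80/8001/3000 and UDP 2342 are intentionally no longer opened on this host`.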