anubis for blog

flake.lock

@@ -40,6 +40,24 @@
         "type": "github"
       }
     },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "flakey-profile": {
       "locked": {
         "lastModified": 1712898590,
@@ -92,9 +110,7 @@
     },
     "lix-module": {
       "inputs": {
-        "flake-utils": [
+        "flake-utils": "flake-utils",
-          "flake-utils"
-        ],
         "flakey-profile": "flakey-profile",
         "lix": "lix",
         "nixpkgs": [
@@ -209,11 +225,24 @@
         "type": "github"
       }
     },
+    "nix-filter_2": {
+      "locked": {
+        "lastModified": 1731533336,
+        "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=",
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "rev": "f7653272fd234696ae94229839a99b73c9ab7de0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-filter",
+        "type": "github"
+      }
+    },
     "nix-vscode-extensions": {
       "inputs": {
-        "flake-utils": [
+        "flake-utils": "flake-utils_2",
-          "flake-utils"
-        ],
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -266,12 +295,10 @@
     },
     "root": {
       "inputs": {
-        "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "lix-module": "lix-module",
         "naersk": "naersk",
         "niri": "niri",
-        "nix-filter": "nix-filter",
         "nix-vscode-extensions": "nix-vscode-extensions",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
@@ -302,9 +329,7 @@
         "naersk": [
           "naersk"
         ],
-        "nix-filter": [
+        "nix-filter": "nix-filter",
-          "nix-filter"
-        ],
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -328,9 +353,7 @@
         "naersk": [
           "naersk"
         ],
-        "nix-filter": [
+        "nix-filter": "nix-filter_2",
-          "nix-filter"
-        ],
         "nixpkgs": [
           "nixpkgs"
         ]
@@ -364,6 +387,21 @@
         "type": "github"
       }
     },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "xwayland-satellite-stable": {
       "flake": false,
       "locked": {

flake.nix

@@ -13,7 +13,6 @@
       url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        flake-utils.follows = "flake-utils";
       };
     };
 
@@ -38,7 +37,6 @@
       inputs = {
         nixpkgs.follows = "nixpkgs";
         naersk.follows = "naersk";
-        nix-filter.follows = "nix-filter";
       };
     };
 
@@ -47,7 +45,6 @@
       inputs = {
         nixpkgs.follows = "nixpkgs";
         naersk.follows = "naersk";
-        nix-filter.follows = "nix-filter";
       };
     };
 
@@ -55,13 +52,8 @@
       url = "github:nix-community/nix-vscode-extensions";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        flake-utils.follows = "flake-utils";
       };
     };
-
-    # this is used to pin transitive dependencies to the same version
-    flake-utils.url = "github:numtide/flake-utils";
-    nix-filter.url = "github:numtide/nix-filter";
   };
 
   outputs =
@@ -104,8 +96,7 @@
         in
         nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
-          modules =
+          modules = [
-            [
             lix-module.nixosModules.default
 
             { networking.hostName = device; }

home/vinzenz/default.nix

@@ -30,7 +30,7 @@
       ./fuzzel.nix
       ./git.nix
       ./gnome.nix
-      ./niri.nix
+      #./niri.nix
       ./ssh.nix
       ./swaylock.nix
       ./vscode.nix

home/vinzenz/niri.nix

@@ -1,7 +1,5 @@
 {
   pkgs,
-  lib,
-  devices,
   config,
   ...
 }:

hosts/hetzner-vpn2/nginx.nix

@@ -1,4 +1,8 @@
-{ pkgs, inputs, ... }:
+{ inputs, pkgs, ... }:
+let
+  blog-domain-socket = "/run/nginx/blog.sock";
+  anubis-domain-socket = "/run/anubis/anubis-blog.sock";
+in
 {
   security.acme = {
     acceptTerms = true;
@@ -6,8 +10,16 @@
   };
 
   security.pam.services.nginx.setEnvironment = false;
-  systemd.services.nginx.serviceConfig = {
+  systemd.services = {
-    SupplementaryGroups = [ "shadow" ];
+    nginx.serviceConfig = {
+      SupplementaryGroups = [
+        "shadow"
+        "anubis"
+      ];
+    };
+    anubis-main.serviceConfig = {
+      SupplementaryGroups = [ "nginx" ];
+    };
   };
 
   services.nginx = {
@@ -58,7 +70,27 @@
         "zerforschen.plus" = {
           addSSL = true;
           enableACME = true;
+          locations."/" = {
+            proxyPass = ("http://unix:" + anubis-domain-socket);
+          };
+        };
+
+        "vinzenz-lpt2-in-anubis" = {
           root = inputs.zerforschen-plus.packages."${pkgs.system}".zerforschen-plus-content;
+          listen = [
+            {
+              addr = ("unix:" + blog-domain-socket);
+            }
+          ];
+        };
+      };
+
+    anubis = {
+      instances.main = {
+        enable = true;
+        settings = {
+          BIND = anubis-domain-socket;
+          TARGET = "unix://" + blog-domain-socket;
         };
       };
     };
@@ -67,4 +99,5 @@
       80
       443
     ];
+  };
 }

hosts/vinzenz-lpt2/imports.nix

@@ -4,7 +4,7 @@
     ../../modules/gaming.nix
     ../../modules/printing.nix
     ../../modules/podman.nix
-    ../../modules/niri.nix
+    #../../modules/niri.nix
     ../../modules/desktop-environment.nix
     ../../modules/desktop-hardware.nix
 

hosts/vinzenz-lpt2/nginx.nix

@@ -1,5 +1,15 @@
-_: {
+{ inputs, pkgs, ... }:
-  services.nginx = {
+let
+  blog-domain-socket = "/run/nginx/blog.sock";
+  anubis-domain-socket = "/run/anubis/anubis-blog.sock";
+in
+{
+  users.groups = {
+    anubis.members = [ "nginx" ];
+    nginx.members = [ "anubis" ];
+  };
+  services = {
+    nginx = {
       enable = true;
 
       recommendedProxySettings = true;
@@ -8,23 +18,49 @@ _: {
       recommendedOptimisation = true;
 
       virtualHosts = {
+        #"vinzenz-lpt2" = {
+        #  locations."/" = {
+        #    proxyPass = "http://127.0.0.1:3000/";
+        #    proxyWebsockets = true;
+        #  };
+        #
+        #  serverAliases = [ "172.23.42.96" ];
+        #};
+
         "vinzenz-lpt2" = {
           locations."/" = {
-          proxyPass = "http://127.0.0.1:3000/";
+            proxyPass = ("http://unix:" + anubis-domain-socket);
-          proxyWebsockets = true;
-        };
-
-        serverAliases = [ "172.23.42.96" ];
-      };
           };
         };
 
-  networking.firewall = {
+        "vinzenz-lpt2-in-anubis" = {
-    allowedTCPPorts = [
+          root = inputs.zerforschen-plus.packages."${pkgs.system}".zerforschen-plus-content;
-      80
+          listen = [
-      8001
+            {
-      3000
+              addr = ("unix:" + blog-domain-socket);
+            }
           ];
-    allowedUDPPorts = [ 2342 ];
+        };
+      };
+    };
+
+    #networking.firewall = {
+    #  allowedTCPPorts = [
+    #    80
+    #    8001
+    #    3000
+    #  ];
+    #  allowedUDPPorts = [ 2342 ];
+    #};
+
+    anubis = {
+      instances.main = {
+        enable = true;
+        settings = {
+          BIND = anubis-domain-socket;
+          TARGET = "unix://" + blog-domain-socket;
+        };
+      };
+    };
   };
 }