plumjam/nixos - Change 5CYGZZOMAR6NQP3EA7R3AT6G2GTBH3OLBLORMKVCITJC6EXAYSDQC

dendritic: Remove some old modules.

I'll be bringing them back later once everything is more finished.

Created by PlumJam on January 10, 2026

5CYGZZOMAR6NQP3EA7R3AT6G2GTBH3OLBLORMKVCITJC6EXAYSDQC

Dependencies

In channels

main

Change contents

File deletion: acme
BF:BFD[16.2] → [16.24:39]
BF:BFD[16.39] → [16.23:23]

File deletion: default.nix

BF:BFD[16.23] → [16.679:714]

BF:BFD[16.714] → [16.41:41]

B:BD[16.41] → [16.42:180]

∅:D[17.3580] → [16.240:241]

B:BD[16.240] → [16.240:241]

B:BD[16.241] → [18.1890:1896]

∅:D[18.1896] → [16.241:376]

B:BD[16.241] → [16.241:376]

∅:D[17.3646] → [16.437:678]

B:BD[16.437] → [16.437:678]

B:BD[16.376] → [17.3581:3646]

{ config, lib, ... }: let
  inherit (config.networking) domain;
  inherit (lib) mkValue;
in {
  options.security.acme.users = mkValue [];
  
  
  config.users.groups.acme.members = config.security.acme.users;
  config.security.acme = {
    acceptTerms = true;
    defaults = {
      dnsProvider     = "cloudflare";
      dnsResolver     = "1.1.1.1";
      email           = "security@${domain}";
    };
    certs.${domain} = {
      extraDomainNames = [ "*.${domain}" ];
      group            = "acme";
    };
  };
}
      environmentFile = config.age.secrets.acmeEnvironment.path;

File deletion: uptime-kuma.nix, default.nix

BF:BFD[16.2] → [14.27:66]

BF:BFD[14.66] → [19.114:114]

BFD:BFD[19.89] → [19.942:977]

BF:BFD[19.977] → [19.114:114]

B:BD[19.114] → [19.115:299]

∅:D[14.94] → [19.342:941]

B:BD[19.342] → [19.342:941]

B:BD[19.299] → [14.67:94]

{ self, config, lib, pkgs, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled merge;
  fqdn = "uptime.${domain}";
  port = "3001"; # string for uptime-kuma
in {
  services.uptime-kuma = enabled {
    settings = {
      inherit port;
      HOST = "127.0.0.1";
    };
  };
  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
    serverAliases = [ "status.${domain}" ];
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
      extraConfig = ''
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
  };
}
  imports = [./nginx.nix];

File deletion: matrix
BF:BFD[16.2] → [20.33:50]
BF:BFD[20.50] → [20.32:32]

File deletion: cinny.nix, cinny.nix, cinny.nix

BF:BFD[20.32] → [20.89:122]

BF:BFD[20.122] → [21.316:316]

BFD:BFD[22.917] → [22.1514:1547]

BF:BFD[22.1547] → [21.316:316]

BFD:BFD[16.2] → [21.1525:1558]

BF:BFD[21.1558] → [21.316:316]

B:BD[21.316] → [21.317:757]

∅:D[23.280] → [21.785:1130]

B:BD[21.785] → [21.785:1130]

∅:D[5.709] → [21.1130:1524]

B:BD[21.1130] → [21.1130:1524]

B:BD[21.1130] → [5.60:709]

B:BD[21.757] → [23.217:280]

{ self, config, lib, pkgs, ... }: let
  inherit (config.networking) domain;
  inherit (lib) merge;
  inherit (lib.strings) toJSON;
  fqdn = "chat.${domain}";
  root = pkgs.cinny;
  cinnyConfig = {
    allowCustomHomeservers = false;
    homeserverList         = [ domain ];
    defaultHomeserver      = 0;
    hashRouter = {
      enabled  = false;
      basename = "/";
    };
    featuredCommunities = {
      openAsDefault = false;
      spaces = [ ];
      rooms = [ ];
    };
  };
in {
  imports = [ (self + /modules/nginx.nix) ];
  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
    inherit root;
    locations."= /config.json".extraConfig = /* nginx */ ''
      default_type application/json;
      return 200 '${toJSON cinnyConfig}';
    '';
    extraConfig = /* nginx */ ''
      rewrite ^/config.json$ /config.json break;
      rewrite ^/manifest.json$ /manifest.json break;
      rewrite ^/sw.js$ /sw.js break;
      rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break;
      rewrite ^/public/(.*)$ /public/$1 break;
      rewrite ^/assets/(.*)$ /assets/$1 break;
      rewrite ^(.+)$ /index.html break;
    '';
  };
}
    '';
    locations."/".extraConfig = /* nginx */ ''
      proxy_hide_header Content-Security-Policy;
      add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; img-src 'self' data: https: blob:; base-uri 'self'; frame-ancestors 'self';" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
      add_header Referrer-Policy no-referrer always;
      servers = [
        domain
        "matrix.org"
      ];

File deletion: default.nix, default.nix, matrix.nix

BF:BFD[20.32] → [20.52:87]

BF:BFD[20.87] → [24.560:560]

BFD:BFD[22.917] → [22.1055:1090]

BF:BFD[22.1090] → [24.560:560]

BFD:BFD[16.2] → [24.3913:3947]

BF:BFD[24.3947] → [24.560:560]

B:BD[24.560] → [24.561:631]

∅:D[8.33] → [24.664:714]

B:BD[24.664] → [24.664:714]

∅:D[25.678] → [24.765:766]

∅:D[22.1194] → [24.765:766]

B:BD[24.765] → [24.765:766]

∅:D[18.435] → [24.938:939]

∅:D[22.1512] → [24.938:939]

B:BD[24.938] → [24.938:939]

B:BD[24.1159] → [24.1159:1249]

∅:D[25.858] → [24.1308:1527]

B:BD[24.1308] → [24.1308:1527]

∅:D[25.936] → [24.1611:1697]

B:BD[24.1611] → [24.1611:1697]

∅:D[25.976] → [24.1733:1734]

B:BD[24.1733] → [24.1733:1734]

∅:D[25.1444] → [24.1814:1883]

B:BD[24.1814] → [24.1814:1883]

∅:D[25.1446] → [24.1883:1918]

B:BD[24.1883] → [24.1883:1918]

∅:D[8.51] → [24.1991:2041]

B:BD[24.1991] → [24.1991:2041]

∅:D[25.1478] → [24.2062:2098]

B:BD[24.2062] → [24.2062:2098]

∅:D[3.293] → [24.2262:2313]

∅:D[25.1674] → [24.2262:2313]

B:BD[24.2262] → [24.2262:2313]

∅:D[25.1786] → [24.2482:2483]

B:BD[24.2482] → [24.2482:2483]

∅:D[25.1877] → [24.2538:2539]

B:BD[24.2538] → [24.2538:2539]

∅:D[25.1920] → [24.2600:2643]

B:BD[24.2600] → [24.2600:2643]

∅:D[21.39] → [24.2643:2686]

B:BD[24.2643] → [24.2643:2686]

∅:D[25.1949] → [24.2761:2794]

B:BD[24.2761] → [24.2761:2794]

∅:D[21.105] → [24.2896:2897]

B:BD[24.2896] → [24.2896:2897]

∅:D[25.2027] → [24.2925:3105]

B:BD[24.2925] → [24.2925:3105]

B:BD[24.3143] → [24.3143:3229]

∅:D[25.2106] → [24.3299:3377]

B:BD[24.3299] → [24.3299:3377]

∅:D[25.2185] → [24.3454:3460]

B:BD[24.3454] → [24.3454:3460]

B:BD[24.3520] → [24.3520:3608]

∅:D[25.2319] → [24.3767:3768]

B:BD[24.3767] → [24.3767:3768]

∅:D[25.2431] → [24.3905:3912]

B:BD[24.3905] → [24.3905:3912]

B:BD[24.3768] → [25.2320:2431]

B:BD[24.3608] → [25.2186:2319]

B:BD[24.3377] → [25.2107:2185]

∅:D[26.578] → [25.2028:2106]

∅:D[27.1568] → [25.2028:2106]

B:BD[24.3229] → [25.2028:2106]

B:BD[24.3229] → [26.288:309]

∅:D[28.439] → [26.570:578]

B:BD[26.570] → [26.570:578]

B:BD[26.309] → [28.388:439]

∅:D[21.175] → [25.1950:2027]

B:BD[24.2897] → [25.1950:2027]

B:BD[24.2897] → [21.106:175]

B:BD[24.2794] → [21.40:105]

B:BD[24.2686] → [25.1921:1949]

B:BD[24.2643] → [23.55:154]

∅:D[23.154] → [21.10:39]

B:BD[24.2643] → [21.10:39]

B:BD[24.2539] → [25.1878:1920]

B:BD[24.2483] → [25.1787:1877]

B:BD[24.2313] → [25.1675:1786]

B:BD[24.2098] → [25.1479:1626]

B:BD[25.1626] → [3.237:293]

B:BD[24.2041] → [25.1447:1478]

B:BD[24.1918] → [8.34:51]

B:BD[24.1883] → [25.1445:1446]

B:BD[24.1734] → [25.977:1444]

B:BD[24.1697] → [25.937:976]

B:BD[24.1527] → [25.859:936]

B:BD[24.1249] → [25.789:858]

B:BD[24.766] → [22.1195:1230]

∅:D[29.1768] → [22.1272:1389]

B:BD[22.1272] → [22.1272:1389]

∅:D[29.1838] → [22.1439:1512]

B:BD[22.1439] → [22.1439:1512]

B:BD[22.1389] → [29.1769:1838]

B:BD[22.1230] → [29.1707:1768]

B:BD[24.714] → [22.1091:1194]

B:BD[24.631] → [8.8:33]

{ self, config, lib, ... }: let
  inherit (config.networking) domain;
  fqdn = "matrix.${domain}";
  port = 8008;
in {
  systemd.services.matrix-backup = {
    description = "Backup Matrix data and database";
      mkdir -p /var/backup/matrix
      cp -r /var/lib/matrix-synapse /var/backup/matrix/$(date +%Y%m%d_%H%M%S)
      # keep only last 7 backups
      ls -1t /var/backup/matrix/ | tail -n +8 | xargs -r rm -rf
    '';
  };
  systemd.timers.matrix-backup = {
    description = "Run Matrix backup daily";
  };
  services.matrix-synapse = enabled {
    withJemalloc = true;
    configureRedisLocally = true;
      server_name = domain;
      listeners = [{
        bind_addresses = [ "::1" ];
          compress = false;
        }];
      }];
      registration_requires_token = true;
      delete_stale_devices_after = "30d";
      max_upload_size = "512M";
      registration_shared_secret = config.age.secrets.matrixRegistrationSecret.path;
      trusted_key_servers = [];
      extras = [ "url-preview" "user-search" ];
    };
  };
  services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
    locations."/_synapse/client".proxyPass = "http://[::1]:${toString port}";
  };
  services.nginx.virtualHosts.${domain} = lib.merge config.services.nginx.sslTemplate {
  };
}
    locations."/.well-known/matrix/server".extraConfig = ''
			return 200 '{"m.server": "${fqdn}:443"}';
		'';
    locations."/.well-known/matrix/client".extraConfig = ''
			return 200 '{"m.homeserver": {"base_url": "https://${fqdn}"}}';
		'';
    locations."/_synapse/admin".proxyPass  = "http://[::1]:${toString port}";
    locations."/_matrix".proxyPass         = "http://[::1]:${toString port}";
    extraConfig = ''
    '';
      ${config.services.nginx.goatCounterTemplate}
      signing_key_path           = config.age.secrets.matrixSigningKey.path;
      url_preview_enabled = true;
      dynamic_thumbnails  = true;
      media_store_path = "/var/lib/matrix-synapse/media_store";
      redis.enabled = true;
      allow_public_rooms_without_auth    = true;
      allow_public_rooms_over_federation = true;
      report_stats = false;
      enable_registration         = true;
      log_config     = "/var/lib/matrix-synapse/log.yaml";
			log.root.level = "WARNING";
      database.name          = "sqlite3";
			database.args.database = "/var/lib/matrix-synapse/homeserver.db";
        type           = "http";
        tls            = false;
        x_forwarded    = true; # behind reverse proxy
        resources      = [{
          names    = [ "client" "federation" "media" ];
        port           = port;
    settings = {
    timerConfig.OnCalendar = "daily";
		timerConfig.Persistent = true;
  };
  systemd.services.matrix-synapse.serviceConfig = {
    # sandboxing
    PrivateTmp    = true;
    ProtectSystem = "strict";
    ProtectHome   = true;
    # fs restrictions
    ReadWritePaths = [ "/var/lib/matrix-synapse" ];
    # network restrictions
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
    # misc
    NoNewPrivileges  = true;
    RestrictSUIDSGID = true;
    wantedBy    = [ "timers.target" ];
    serviceConfig.Type = "oneshot";
		serviceConfig.User = "matrix-synapse";
    after       = [ "matrix-synapse.service" ];
    script      = ''
  age.secrets.matrixSigningKey = {
    owner     = "matrix-synapse";
    group     = "matrix-synapse";
  };
  age.secrets.matrixRegistrationSecret = {
    owner     = "matrix-synapse";
    group     = "matrix-synapse";
  };
    rekeyFile = self + /secrets/plum-matrix-registration-secret.age;
    rekeyFile = self + /secrets/plum-matrix-signing-key.age;
  imports = [
    (self + /modules/nginx.nix)
  ] ++ (lib.collectNix ./. |> lib.remove ./default.nix);
  inherit (lib) enabled;

File deletion: goatcounter.nix, default.nix

BF:BFD[16.2] → [13.66:105]

BF:BFD[13.105] → [26.2142:2142]

BFD:BFD[26.2117] → [26.2732:2767]

BF:BFD[26.2767] → [26.2142:2142]

B:BD[26.2142] → [26.2143:2731]

{ self, config, lib, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled;
  fqdn = "analytics.${domain}";
  port = 8007;
in {
  config = {
    services.goatcounter = enabled {
      inherit port;
      proxy = true;
      address = "127.0.0.1";
    };
    services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString port}";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_hide_header X-Content-Type-Options;
        '';
      };
    };
  };
}

File deletion: grafana
BF:BFD[16.2] → [30.67:85]
BF:BFD[30.85] → [30.66:66]

File deletion: default.nix, default.nix

BF:BFD[30.66] → [30.127:162]

BF:BFD[30.162] → [31.2110:2110]

BFD:BFD[31.447] → [31.3442:3477]

BF:BFD[31.3477] → [31.2110:2110]

B:BD[31.2110] → [31.2111:2181]

∅:D[29.1874] → [31.2227:2324]

B:BD[31.2227] → [31.2227:2324]

∅:D[32.207] → [31.2329:2364]

B:BD[31.2329] → [31.2329:2364]

∅:D[29.1934] → [18.11581:11608]

B:BD[18.11581] → [18.11581:11608]

∅:D[18.11608] → [31.2414:2991]

B:BD[31.2414] → [31.2414:2991]

∅:D[4.167] → [31.2991:3146]

B:BD[31.2991] → [31.2991:3146]

∅:D[27.5310] → [31.3146:3441]

∅:D[18.11610] → [31.3146:3441]

B:BD[31.3146] → [31.3146:3441]

B:BD[31.3146] → [26.1825:1846]

∅:D[28.1270] → [26.2107:2115]

B:BD[26.2107] → [26.2107:2115]

B:BD[26.2115] → [18.11609:11610]

B:BD[26.1846] → [28.1219:1270]

B:BD[31.2991] → [4.96:167]

B:BD[31.2364] → [29.1875:1934]

B:BD[31.2324] → [32.150:207]

B:BD[31.2181] → [29.1843:1874]

{ self, config, lib, ... }: let
  inherit (config.networking) domain;
  fqdn = "metrics.${domain}";
  port = 8000;
in {
  imports = [
    (self + /modules/nginx.nix)
  age.secrets.grafanaPassword = {
    owner     = "grafana";
  };
  systemd.services.grafana = {
    after = [ "network.target" ];
    requires = [ "network.target" ];
  };
  services.grafana = enabled {
    provision = enabled;
    settings = {
      analytics.reporting_enabled = false;
      database.type = "sqlite3";
      server.domain = fqdn;
      server.http_addr = "::1";
      server.http_port = port;
      users.default_theme = "system";
    };
    settings.security = {
      admin_email = "metrics@${domain}";
      admin_password = "$__file{${config.age.secrets.grafanaPassword.path}}";
      admin_user = "admin";
      cookie_secure = true;
      disable_gravatar = true;
    };
  };
  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
    locations."/" = {
      extraConfig = /* nginx */ ''
        # grafana sets `nosniff` without correct content type so unset the header
        proxy_hide_header X-Content-Type-Options;
      '';
      proxyPass = "http://[::1]:${toString port}";
      proxyWebsockets = true;
    };
  };
}
    extraConfig = ''
    '';
      ${config.services.nginx.goatCounterTemplate}
      disable_initial_admin_creation = true; # after initial creation
    rekeyFile = self + /secrets/plum-grafana-password.age;
  ] ++ (lib.collectNix ./. |> lib.remove ./default.nix);
  inherit (lib) enabled merge;

File deletion: prometheus.nix, prometheus.nix

BF:BFD[30.66] → [30.87:125]

BF:BFD[30.125] → [31.468:468]

BFD:BFD[31.447] → [31.1687:1725]

BF:BFD[31.1725] → [31.468:468]

B:BD[31.468] → [31.469:1686]

{ self, config, lib, ... }: let
  inherit (lib) enabled filterAttrs flatten mapAttrsToList;
in {
  services.grafana.provision.datasources.settings = {
    datasources = [{
      name = "Prometheus";
      type = "prometheus";
      url = "http://[::1]:${toString config.services.prometheus.port}";
      orgId = 1;
    }];
    deleteDatasources = [{
      name = "Prometheus";
      orgId = 1;
    }];
  };
  services.prometheus = enabled {
    listenAddress = "[::]";
    retentionTime = "1w";
    scrapeConfigs = let
      configToScrapeConfig = hostName: { config, ... }: let
        hostConfig = config;
      in hostConfig.services.prometheus.exporters
        |> filterAttrs (exporterName: exporterConfig:
          exporterName != "minio" &&
          exporterName != "unifi-poller" &&
          exporterName != "tor" &&
          exporterConfig.enable or false)
        |> mapAttrsToList (exporterName: exporterConfig: {
          job_name = "${exporterName}-${hostName}";
          static_configs = [{
            targets = [ "${hostName}:${toString exporterConfig.port}" ];
          }];
        });
    in self.nixosConfigurations
      |> mapAttrsToList configToScrapeConfig
      |> flatten;
  };
}

File deletion: ci-runners.nix, default.nix

BF:BFD[16.2] → [33.128:166]

BF:BFD[33.166] → [34.2000:2000]

BFD:BFD[34.1162] → [34.3556:3591]

BF:BFD[34.3591] → [34.2000:2000]

∅:D[33.258] → [34.2058:2063]

B:BD[34.2058] → [34.2058:2063]

∅:D[35.1344] → [34.3541:3555]

∅:D[33.2596] → [34.3541:3555]

B:BD[34.3541] → [34.3541:3555]

∅:D[33.1588] → [36.2343:2344]

B:BD[37.424] → [36.2343:2344]

∅:D[33.1629] → [36.2423:2424]

B:BD[36.2423] → [36.2423:2424]

B:BD[36.2424] → [33.1630:2596]

B:BD[36.2344] → [33.1589:1629]

∅:D[33.449] → [36.2254:2255]

∅:D[29.2031] → [36.2254:2255]

B:BD[34.2538] → [36.2254:2255]

∅:D[33.1038] → [36.2336:2342]

∅:D[29.2078] → [36.2336:2342]

B:BD[36.2336] → [36.2336:2342]

B:BD[36.2342] → [33.1039:1081]

∅:D[15.264] → [33.1081:1117]

B:BD[33.1081] → [33.1081:1117]

B:BD[33.1081] → [15.188:264]

B:BD[36.2255] → [33.450:1038]

∅:D[38.232] → [39.155:156]

∅:D[33.1117] → [39.155:156]

B:BD[35.1206] → [39.155:156]

∅:D[38.271] → [39.193:194]

∅:D[33.1259] → [39.193:194]

B:BD[39.193] → [39.193:194]

B:BD[39.194] → [33.1260:1444]

∅:D[15.332] → [33.1495:1588]

B:BD[33.1495] → [33.1495:1588]

B:BD[33.1444] → [15.265:332]

B:BD[39.156] → [33.1118:1259]

B:BD[34.2063] → [33.259:449]

B:BD[34.2000] → [33.167:258]

in {
    };
  };
}
        hostPackages = [
          (inputs.fenix.packages.${pkgs.stdenv.hostPlatform.system}.complete.withComponents [
            "cargo"
            "clippy"
            "miri"
            "rustc"
            "rust-analyzer"
            "rustfmt"
            "rust-std"
            "rust-src"
          ])
          inputs.claude-code.packages.${pkgs.stdenv.hostPlatform.system}.default
          pkgs.bash
          pkgs.curl
          pkgs.forgejo-cli
          pkgs.gcc
          pkgs.git
          pkgs.gnutar
          pkgs.gzip
          pkgs.just
          pkgs.jq
          pkgs.nix
          pkgs.nodejs
          pkgs.nushell
          pkgs.opencode
          pkgs.openssl
          pkgs.pkg-config
          pkgs.ripgrep
          pkgs.sqlx-cli
          pkgs.which
          pkgs.xz
        ] ++ lib.optionals config.ci-runner.withDocker [
          pkgs.docker
          pkgs.docker-compose
        ] ++ config.ci-runner.extraHostPackages;
      };
        settings.cache.enabled = false;
  };
  config = mkIf config.ci-runner.enable {
    users.groups.gitea-runner = {};
    age.secrets.forgejoRunnerToken.rekeyFile = config.ci-runner.tokenFile;
    url = mkOption {
      type = types.str;
      default = "https://git.plumj.am/";
      description = "Forgejo instance URL";
    };
    labels = mkOption {
      type = types.listOf types.str;
      default = [ "self-hosted:host" ];
      description = "Runner labels";
    };
    extraHostPackages = mkOption {
      type = types.listOf types.package;
      default = [ ];
      description = "Extra packages to add to the runner";
    };
    withDocker = mkOption {
      type = types.bool;
      default = false;
      description = "Include docker and docker-compose";
    };
    services.gitea-actions-runner = {
      package = pkgs.forgejo-runner;
      instances.${config.networking.hostName} = enabled {
        name         = config.networking.hostName;
        url          = config.ci-runner.url;
        labels       = config.ci-runner.labels;
        tokenFile    = config.age.secrets.forgejoRunnerToken.path;
    users.users.gitea-runner = {
      description  = "gitea-runner";
      isSystemUser = true;
      group        = "gitea-runner";
    };
  options.ci-runner = {
    enable = lib.mkEnableOption "forgejo CI runner";
    tokenFile = mkOption {
      type = types.path;
      description = "Path to the runner token file";
    };
{ self, config, lib, pkgs, inputs, ... }: let
  inherit (lib) enabled mkIf mkOption types;

File deletion: site.nix

BF:BFD[16.2] → [40.871:903]

BF:BFD[40.903] → [40.3:3]

B:BD[40.3] → [40.4:227]

B:BD[40.436] → [40.436:575]

∅:D[41.1307] → [40.575:710]

B:BD[40.575] → [40.575:710]

∅:D[42.1231] → [40.863:870]

B:BD[40.863] → [40.863:870]

B:BD[40.710] → [42.4:254]

∅:D[43.293] → [42.447:1071]

∅:D[7.695] → [42.447:1071]

B:BD[42.447] → [42.447:1071]

∅:D[43.295] → [42.1080:1231]

B:BD[42.1080] → [42.1080:1231]

B:BD[42.1071] → [43.294:295]

B:BD[42.254] → [7.350:695]

B:BD[40.575] → [41.4:88]

∅:D[6.33] → [41.88:249]

B:BD[41.88] → [41.88:249]

∅:D[7.349] → [41.538:1307]

B:BD[41.538] → [41.538:1307]

B:BD[41.249] → [7.4:349]

B:BD[41.88] → [6.4:33]

{ self, config, lib, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled merge;
  fqdn = domain;
  root = "/var/www/site";
in {
  imports = [(self + /modules/nginx.nix)];
  services.nginx = enabled {
    virtualHosts."www.${fqdn}" = merge config.services.nginx.sslTemplate {
      locations."/".return = "301 https://${fqdn}$request_uri";
    };
    virtualHosts._ = merge config.services.nginx.sslTemplate {
      locations."/".return = "301 https://${fqdn}/404";
    };
  };
}
    virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
      inherit root;
      locations."/" = {
        tryFiles = "$uri $uri.html $uri/index.html =404";
        extraConfig = ''
          proxy_hide_header Content-Security-Policy;
          add_header X-Frame-Options DENY always;
          add_header X-Content-Type-Options nosniff always;
          add_header X-XSS-Protection "1; mode=block" always;
          add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
          add_header Referrer-Policy no-referrer always;
        '';
      };
      locations."~ ^/assets/(fonts|icons|images)/".extraConfig = /* nginx */ ''
        expires max;
        ${config.services.nginx.headers}
        add_header Cache-Control $cache_header always;
      '';
      extraConfig = /* nginx */ ''
        error_page 404 /404.html;
        ${config.services.nginx.goatCounterTemplate}
      '';
      locations."/404".extraConfig = /* nginx */ ''
        internal;
      '';
    };
          add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} kit.fontawesome.com https://kit.fontawesome.com; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} kit.fontawesome.com https://kit.fontawesome.com; img-src 'self' data: https: ghchart.rshah.org;" always;
    };
    virtualHosts."nerd.${fqdn}" = merge config.services.nginx.sslTemplate {
      locations."/" = {
        tryFiles = "$uri $uri.html $uri/index.html =404";
        extraConfig = ''
          proxy_hide_header Content-Security-Policy;
          add_header X-Frame-Options DENY always;
          add_header X-Content-Type-Options nosniff always;
          add_header X-XSS-Protection "1; mode=block" always;
          add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
          add_header Referrer-Policy no-referrer always;
        '';
      };
      locations."~ ^/assets/(fonts|icons|images)/".extraConfig = /* nginx */ ''
        expires max;
        ${config.services.nginx.headers}
        add_header Cache-Control $cache_header always;
      '';
      extraConfig = /* nginx */ ''
        error_page 404 /404.html;
        ${config.services.nginx.goatCounterTemplate}
      '';
      locations."/404".extraConfig = /* nginx */ ''
        internal;
      '';
          add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} kit.fontawesome.com https://kit.fontawesome.com; script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} kit.fontawesome.com https://kit.fontawesome.com; img-src 'self' data: https: ghchart.rshah.org;" always;
      root = "${root}/nerd";

File deletion: cache.nix

BF:BFD[16.2] → [44.1355:1388]

BF:BFD[44.1388] → [44.128:128]

B:BD[44.128] → [44.129:908]

∅:D[15.446] → [44.908:978]

B:BD[44.908] → [44.908:978]

∅:D[15.506] → [44.1028:1354]

B:BD[44.1028] → [44.1028:1354]

B:BD[44.978] → [15.447:506]

B:BD[44.908] → [15.334:446]

{ self, config, lib, pkgs, ... }: let
  inherit (lib) enabled merge mkIf mkOption types;
  inherit (config.networking) domain;
in {
  imports = [(self + /modules/nginx.nix)];
  options.cache = {
    enable = lib.mkEnableOption "nix-serve cache server";
    fqdn = lib.mkOption {
      type = types.str;
      example = "cache1.example.com";
      description = "Fully qualified domain name for the cache";
    };
    port = lib.mkOption {
      type = types.port;
      default = 8006;
      description = "Port for nix-serve to listen on";
    };
    secretKeyFile = lib.mkOption {
      type = types.path;
      example = "/run/agenix/nixServeKey";
      description = "Path to the secret key file for signing the cache";
    };
  };
  config = mkIf config.cache.enable {
    services.nix-serve = enabled {
      package = pkgs.nix-serve-ng;
      bindAddress = "127.0.0.1";
      port = config.cache.port;
    };
    services.nginx.virtualHosts.${config.cache.fqdn} = merge config.services.nginx.sslTemplate {
      locations."= /".return = "301 https://${domain}/404";
      locations."/".proxyPass = "http://127.0.0.1:${toString config.cache.port}";
    };
  };
}
      secretKeyFile = config.age.secrets.nixServeKey.path;
    age.secrets.nixServeKey = {
      rekeyFile = config.cache.secretKeyFile;
      owner     = "root";
    };

File deletion: default.nix, forgejo.nix

BFD:BFD[45.156] → [45.230:265]

BF:BFD[45.265] → [47.3:3]

BF:BFD[16.2] → [47.1775:1810]

BF:BFD[47.1810] → [47.3:3]

∅:D[10.192] → [47.36:74]

B:BD[47.36] → [47.36:74]

∅:D[17.90] → [47.99:160]

B:BD[47.99] → [47.99:160]

∅:D[46.118] → [47.192:197]

∅:D[48.2386] → [47.192:197]

B:BD[47.192] → [47.192:197]

∅:D[17.411] → [47.248:249]

B:BD[47.248] → [47.248:249]

∅:D[17.535] → [49.586:587]

B:BD[49.586] → [49.586:587]

∅:D[17.642] → [49.776:777]

B:BD[49.776] → [49.776:777]

∅:D[17.725] → [49.906:907]

B:BD[49.906] → [49.906:907]

∅:D[17.844] → [49.1019:1020]

B:BD[49.1019] → [49.1019:1020]

∅:D[17.918] → [47.290:297]

∅:D[49.1105] → [47.290:297]

B:BD[47.290] → [47.290:297]

B:BD[47.297] → [17.919:924]

∅:D[17.924] → [47.297:298]

B:BD[47.297] → [47.297:298]

∅:D[34.72] → [49.1230:1231]

∅:D[17.975] → [49.1230:1231]

B:BD[49.1230] → [49.1230:1231]

∅:D[17.1017] → [49.1319:1327]

B:BD[49.1319] → [49.1319:1327]

B:BD[49.1327] → [2.4:5]

B:BD[49.1231] → [17.976:1017]

B:BD[47.298] → [17.925:956]

∅:D[10.291] → [17.956:975]

B:BD[17.956] → [17.956:975]

B:BD[17.975] → [34.48:72]

B:BD[17.956] → [10.193:291]

∅:D[2.5] → [47.298:317]

∅:D[49.1327] → [47.298:317]

B:BD[47.298] → [47.298:317]

∅:D[50.118] → [47.358:796]

B:BD[47.358] → [47.358:796]

∅:D[11.195] → [47.828:1457]

B:BD[47.828] → [47.828:1457]

∅:D[34.171] → [47.1480:1768]

B:BD[47.1480] → [47.1480:1768]

B:BD[47.1773] → [49.1328:1330]

B:BD[47.1768] → [17.1018:1024]

B:BD[48.2425] → [48.2425:2511]

∅:D[26.872] → [48.2511:2574]

∅:D[27.1700] → [48.2511:2574]

B:BD[48.2511] → [48.2511:2574]

B:BD[48.2574] → [51.4:9]

B:BD[48.2511] → [26.582:603]

∅:D[28.566] → [26.864:872]

B:BD[26.864] → [26.864:872]

B:BD[26.603] → [28.515:566]

B:BD[47.1457] → [34.73:171]

B:BD[47.796] → [11.164:195]

B:BD[47.317] → [50.75:118]

B:BD[49.1020] → [17.845:918]

B:BD[49.907] → [17.726:844]

B:BD[49.777] → [17.643:725]

B:BD[49.587] → [17.536:642]

B:BD[47.249] → [17.412:535]

∅:D[34.47] → [17.230:411]

∅:D[18.478] → [17.230:411]

B:BD[47.198] → [17.230:411]

∅:D[45.378] → [49.416:417]

B:BD[47.197] → [49.416:417]

B:BD[49.417] → [17.91:147]

∅:D[12.438] → [17.228:229]

B:BD[17.228] → [17.228:229]

B:BD[17.147] → [12.349:438]

B:BD[47.197] → [45.266:306]

∅:D[29.2140] → [45.346:378]

B:BD[45.346] → [45.346:378]

B:BD[45.306] → [29.2081:2140]

B:BD[47.160] → [46.102:118]

B:BD[47.74] → [17.57:90]

B:BD[47.3] → [10.154:192]

  inherit (config.networking) domain;
  fqdn = "git.${domain}";
  port = 8001;
in {
  imports = [
  ];
    };
  };
    };
    database = {
      type = "sqlite3";
  services.forgejo = enabled {
    lfs = enabled;
    user  = "forgejo";
    package = pkgs.forgejo; # The service version is ~11 so better to specify and get the latest.
    settings = let
    in {
      default.APP_NAME = description;
      attachment.ALLOWED_TYPES = "*/*";
      cache.ENABLED = true;
      # archive cleanup cron job
      "cron.archive_cleanup" = let
        interval = "4h";
      in {
        SCHEDULE   = "@every ${interval}";
        OLDER_THAN =           interval;
      };
      other = {
        SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
        SHOW_FOOTER_VERSION            = false;
      };
      repository = {
        DEFAULT_BRANCH      = "master";
        DEFAULT_MERGE_STYLE = "rebase-merge";
        DEFAULT_REPO_UNITS  = "repo.code, repo.issues, repo.pulls";
        DEFAULT_PUSH_CREATE_PRIVATE = false;
        ENABLE_PUSH_CREATE_ORG      = true;
        ENABLE_PUSH_CREATE_USER     = true;
        DISABLE_STARS = true;
      };
      "repository.upload" = {
        FILE_MAX_SIZE = 100;
        MAX_FILES     = 10;
      };
      server = {
        DOMAIN       = domain;
        ROOT_URL     = "https://${fqdn}/";
        LANDING_PAGE = "/explore";
        HTTP_ADDR = "::1";
        HTTP_PORT = port;
        DISABLE_ROUTER_LOG = true;
      };
      service.DISABLE_REGISTRATION = true;
      session = {
        COOKIE_SECURE = true;
        SAME_SITE     = "strict";
      };
      "ui.meta" = {
        AUTHOR      = description;
        DESCRIPTION = description;
      };
    };
}
  };
  services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
    locations."/".proxyPass = "http://[::1]:${toString port}";
  };
    extraConfig = ''
    '';
      ${config.services.nginx.goatCounterTemplate}
        SSH_DOMAIN       = fqdn;
        SSH_PORT         = 22;
        START_SSH_SERVER = false;
      packages.ENABLED = true;
      description = "PlumJam's Git Forge";
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
  systemd.timers.forgejo-backup = {
    description = "Run Forgejo backup daily";
    wantedBy = [ "timers.target" ];
    serviceConfig = {
      Type = "oneshot";
      User = "forgejo";
    };
  };
      # keep only last 7 backups
      ls -1t /var/backup/forgejo/ | tail -n +8 | xargs -r rm -rf
    '';
    script = ''
      mkdir -p /var/backup/forgejo
      cp -r /var/lib/forgejo /var/backup/forgejo/$(date +%Y%m%d_%H%M%S)
  # backup configuration for sqlite database and data
  systemd.services.forgejo-backup = {
    description = "Backup Forgejo data and database";
    after = [ "forgejo.service" ];
  # combine AcceptEnv settings for SSH and Git protocol
  services.openssh.settings.AcceptEnv = mkForce [ "SHELLS" "COLORTERM" "GIT_PROTOCOL" ];
  age.secrets.forgejoAdminPassword = {
    owner     = "forgejo";
  };
    rekeyFile = self + /secrets/plum-forgejo-password.age;
    ./nginx.nix
  inherit (lib) enabled mkForce;
{ pkgs, self, config, lib, ... }: let

File deletion: dr-radka.nix

BF:BFD[16.2] → [52.3262:3298]

BF:BFD[52.3298] → [52.83:83]

B:BD[52.83] → [52.84:378]

∅:D[18.483] → [52.519:1535]

B:BD[52.519] → [52.519:1535]

∅:D[53.44] → [52.1535:1608]

B:BD[52.1535] → [52.1535:1608]

∅:D[9.245] → [52.1608:1679]

B:BD[52.1608] → [52.1608:1679]

B:BD[27.1721] → [27.1721:1744]

∅:D[28.621] → [27.2204:2215]

B:BD[27.2204] → [27.2204:2215]

B:BD[27.1744] → [28.568:621]

∅:D[27.2215] → [52.1679:2216]

B:BD[52.1679] → [52.1679:2216]

∅:D[54.663] → [52.2829:3261]

∅:D[53.679] → [52.2829:3261]

∅:D[55.787] → [52.2829:3261]

B:BD[52.2829] → [52.2829:3261]

∅:D[26.1764] → [55.698:787]

∅:D[27.2961] → [55.698:787]

B:BD[55.698] → [55.698:787]

B:BD[52.2216] → [26.1032:1764]

B:BD[52.1608] → [9.48:245]

B:BD[52.1535] → [53.8:44]

B:BD[52.378] → [18.480:483]

{ self, config, lib, pkgs, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled merge;
  app_port = 3000;
  app_user = "dr-radka";
  app_group = "dr-radka";
  app_dir = "/var/lib/dr-radka";
  build_dir = "${app_dir}/build";
in {
  imports = [(self + /modules/nginx.nix)];
  users.users.${app_user} = {
    isSystemUser = true;
    group = app_group;
    home = app_dir;
    createHome = true;
  };
  users.groups.${app_group} = {};
  systemd.services.dr-radka = {
    description = "Dr. Radka SvelteKit Application";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      User = app_user;
      Group = app_group;
      WorkingDirectory = build_dir;
      ExecStart = "${pkgs.bun}/bin/bun run ./index.js";
      Restart = "always";
      RestartSec = 5;
      EnvironmentFile = config.age.secrets.dr-radka-environment.path;
      # hardening
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ReadWritePaths = [ app_dir ];
      PrivateTmp = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
    };
    environment = {
      NODE_ENV = "production";
      PORT = toString app_port;
      HOST = "127.0.0.1";
    };
    path = with pkgs; [ bun ];
  };
  services.nginx = enabled {
    virtualHosts.${domain} = merge config.services.nginx.sslTemplate {
      extraConfig = ''
      '';
        ${config.services.nginx.goatCounterTemplate}
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString app_port}";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_cache_bypass $http_upgrade;
          # override csp for built app requirements and maintain security headers
          proxy_hide_header Content-Security-Policy;
          add_header X-Frame-Options DENY always;
          add_header X-Content-Type-Options nosniff always;
          add_header X-XSS-Protection "1; mode=block" always;
          add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
          add_header Referrer-Policy no-referrer always;
        '';
      };
    };
  };
  environment.systemPackages = with pkgs; [
    nodejs_22
    bun
  ];
}
          # need to fix because I can't access nested routes in sanity presentation mode
          add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} cdn.jsdelivr.net unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com analytics.plumj.am; object-src 'self' ${domain} *.${domain}; base-uri 'self'; frame-ancestors 'self' dr-radka.sanity.studio *.sanity.io; form-action 'self' ${domain} *.${domain}; font-src 'self' ${domain} *.${domain} cdn.jsdelivr.net; connect-src 'self' ${domain} *.${domain} unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com analytics.plumj.am; img-src 'self' ${domain} *.${domain} unpkg.com *.tile.openstreetmap.org *.sanity.io cdn.sanity.io www.googletagmanager.com data:;" always;
    # Redirect www.dr-radka.pl to dr-radka.pl
    virtualHosts."www.${domain}" = merge config.services.nginx.sslTemplate {
      locations."/".return = "301 https://${domain}$request_uri";
    };
      ORIGIN = "https://${domain}";