plumjam/nixos - Change ONBYJCY7FHCMAC7HNI7USLRJTY4TVKWMLACTEDTINLEVBGSSCECAC

dendritic: Migrate rebuild script and remove old nginx config.

Created by PlumJam on January 10, 2026

ONBYJCY7FHCMAC7HNI7USLRJTY4TVKWMLACTEDTINLEVBGSSCECAC

Dependencies

In channels

main

Change contents

File deletion: nginx.nix

BF:BFD[5.2] → [6.2319:2352]

BF:BFD[6.2352] → [6.3:3]

B:BD[6.3] → [6.4:118]

∅:D[7.44] → [6.156:286]

B:BD[6.156] → [6.156:286]

∅:D[8.386] → [6.286:884]

B:BD[6.286] → [6.286:884]

∅:D[2.235] → [6.1062:1237]

∅:D[7.247] → [6.1062:1237]

B:BD[6.1062] → [6.1062:1237]

∅:D[7.628] → [6.1237:1520]

B:BD[6.1237] → [6.1237:1520]

B:BD[6.1551] → [6.1551:1651]

B:BD[6.1689] → [6.1689:1947]

∅:D[3.169] → [6.1947:2038]

B:BD[6.1947] → [6.1947:2038]

∅:D[9.441] → [6.2038:2189]

B:BD[6.2038] → [6.2038:2189]

∅:D[9.558] → [6.2189:2317]

B:BD[6.2189] → [6.2189:2317]

B:BD[6.2317] → [7.629:631]

B:BD[6.2189] → [10.1342:1438]

∅:D[10.1438] → [9.442:558]

B:BD[6.2189] → [9.442:558]

B:BD[6.2038] → [10.1295:1341]

∅:D[10.1341] → [9.375:441]

B:BD[6.2038] → [9.375:441]

B:BD[6.1947] → [3.6:169]

B:BD[6.1237] → [7.248:249]

B:BD[7.298] → [7.298:628]

B:BD[6.884] → [2.4:235]

B:BD[6.286] → [8.56:386]

B:BD[6.118] → [7.4:44]

{ self, config, lib, pkgs, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled mkConst;
in {
  options.services.nginx.sslTemplate = mkConst {
    forceSSL    = true;
    quic        = true;
    useACMEHost = domain;
  };
  options.services.nginx.headers = mkConst /* nginx */ ''
    proxy_hide_header Access-Control-Allow-Origin;
    add_header Access-Control-Allow-Origin $allow_origin always;
    ${config.services.nginx.headersNoAccessControlOrigin}
  '';
  options.services.nginx.headersNoAccessControlOrigin = mkConst /* nginx */ ''
    proxy_hide_header Access-Control-Allow-Methods;
    add_header Access-Control-Allow-Methods $allow_methods always;
    proxy_hide_header Strict-Transport-Security;
    add_header Strict-Transport-Security $hsts_header always;
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header Referrer-Policy;
    add_header Referrer-Policy no-referrer always;
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options DENY always;
  '';
  config.networking.firewall = {
    allowedTCPPorts = [ 443 80 ];
    allowedUDPPorts = [ 443 ];
  };
  config.services.prometheus.exporters.nginx = enabled {
    listenAddress = "[::]";
  };
  config.security.acme.users = [ "nginx" ];
  config.services.nginx = enabled {
    statusPage = true;
    recommendedBrotliSettings = true;
    recommendedGzipSettings   = true;
    recommendedOptimisation   = true;
    recommendedProxySettings  = true;
    recommendedTlsSettings    = true;
    commonHttpConfig = /* nginx */ ''
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      map $http_origin $allow_origin {
        ~^https://(?:.+\.)?${domain}$ $http_origin;
      }
      map $http_origin $allow_methods {
        ~^https://(?:.+\.)?${domain}$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
      }
      ${config.services.nginx.headers}
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';
  };
}
        ~^https://dr-radka\.pl$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
        ~^https://awesome-technologies\.github\.io$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
        ~^https://dr-radka\.pl$ $http_origin;
        ~^https://awesome-technologies\.github\.io$ $http_origin;
      # cache only successful responses
      map $status $cache_header {
        200     "public";
        302     "public";
        default "no-cache";
      }
    proxy_hide_header X-Content-Type-Options;
    add_header X-Content-Type-Options nosniff always;
    proxy_hide_header X-XSS-Protection;
    add_header X-XSS-Protection "1; mode=block" always;
    proxy_hide_header Permissions-Policy;
    add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; img-src 'self' data: https:; base-uri 'self'; frame-ancestors 'self';" always;
  options.services.nginx.goatCounterTemplate = mkConst /* nginx */ ''
    proxy_set_header Accept-Encoding "";
    sub_filter "</head>" '<script data-goatcounter="https://analytics.${domain}/count" async src="https://analytics.${domain}/count.js"></script></head>';
    sub_filter_last_modified on;
    sub_filter_once on;
  '';
  imports = [ (self + /modules/acme) ];

Replacement in modules/rebuild.nix at line 1 [4.42448]

B:BD[4.42448] → [4.42449:42503]

{ pkgs, config, lib, ... }: let
  inherit (lib) mkIf;

[4.42448]

[4.42503]

{
  config.flake.modules.nixos.rebuild =
    { pkgs, ... }:
    let
      rebuildScript = pkgs.writeScriptBin "rebuild" /* nu */ ''
        #!${pkgs.nushell}/bin/nu

Replacement in modules/rebuild.nix at line 8 [4.42448]

B:BD[4.42504] → [4.42504:42593]

  rebuildScript = pkgs.writeScriptBin "rebuild" /* nu */ ''
    #!${pkgs.nushell}/bin/nu

[4.42504]

[4.42593]

        def print-notify [message: string, progress: int = -1] {
          print $"(ansi purple)[Rebuilder](ansi rst) ($message)"

Replacement in modules/rebuild.nix at line 11 [4.42448]

B:BD[4.42594] → [4.42594:42716]

    def print-notify [message: string, progress: int = -1] {
      print $"(ansi purple)[Rebuilder](ansi rst) ($message)"

[4.42594]

[4.42716]

          let is_error = ($message | str downcase | str contains "error")
          let urgency = if $is_error { "critical" } else { "normal" }

Replacement in modules/rebuild.nix at line 14 [4.42448]

B:BD[4.42717] → [4.42717:42853]

      let is_error = ($message | str downcase | str contains "error")
      let urgency = if $is_error { "critical" } else { "normal" }

[4.42717]

[4.42853]

          let timeout = 5000

Replacement in modules/rebuild.nix at line 16 [4.42448]

B:BD[4.42854] → [4.42854:42879]

      let timeout = 5000

[4.42854]

[4.42879]

          let args = if $progress >= 0 and $progress < 100 {
            ["--hint" $"int:value:($progress)"]
          } else {
            []
          }

Replacement in modules/rebuild.nix at line 22 [4.42448]

B:BD[4.42880] → [4.42880:43861]

      let args = if $progress >= 0 and $progress < 100 {
        ["--hint" $"int:value:($progress)"]
      } else {
        []
      }
      ^${pkgs.libnotify}/bin/notify-send ...$args --urgency=($urgency) --expire-time=($timeout) "Rebuilder" $"($message)"
    }
    def --wrapped main [
      host: string = ""            # The host to build.
      --remote                     # Deploy to remote host using --target-host.
      --rollback                   # Rollback.
      --quiet (-q)                 # Run without output (for theme toggling).
      --try_attempts (-t): int = 0 # How many times to try the same rebuild.
      ...arguments                 # Extra arguments to pass to rebuild commands.
    ]: nothing -> nothing {
      let host = if ($host | is-not-empty) {
        if $host != (hostname) and not $remote {
          if not $quiet { print-notify $"Error: Building local configuration for hostname that does not match the local machine." }
          exit 1

[4.42880]

[4.43861]

          ^${pkgs.libnotify}/bin/notify-send ...$args --urgency=($urgency) --expire-time=($timeout) "Rebuilder" $"($message)"

Deletion in modules/rebuild.nix at line 24 [4.42448]

B:BD[4.43871] → [4.43871:44062]

        $host
      } else if $remote {
        if not $quiet { print-notify "Error: Hostname not specified for remote deployment." }
        exit 1
      } else {
        (hostname)
      }

Replacement in modules/rebuild.nix at line 25 [4.42448]

B:BD[4.44063] → [4.44063:44229]

      # Build locally (always).
      let os = (uname | get kernel-name)
      let config_path = if $os == "Darwin" { "/Users/jam/nixos" } else { "/home/jam/nixos" }

[4.44063]

[4.44229]

        def --wrapped main [
          host: string = ""            # The host to build.
          --remote                     # Deploy to remote host using --target-host.
          --rollback                   # Rollback.
          --quiet (-q)                 # Run without output (for theme toggling).
          --try_attempts (-t): int = 0 # How many times to try the same rebuild.
          ...arguments                 # Extra arguments to pass to rebuild commands.
        ]: nothing -> nothing {
          let host = if ($host | is-not-empty) {
            if $host != (hostname) and not $remote {
              if not $quiet { print-notify $"Error: Building local configuration for hostname that does not match the local machine." }
              exit 1
            }
            $host
          } else if $remote {
            if not $quiet { print-notify "Error: Hostname not specified for remote deployment." }
            exit 1
          } else {
            (hostname)
          }

Replacement in modules/rebuild.nix at line 46 [4.42448]

B:BD[4.44230] → [4.44230:44600]

      # nh os/darwin switch [flake_path] --hostname [host] -- [nix_args]
      let base_args = [
        "switch"
        $config_path
        "--hostname" yuzu-dendritic # TODO: Change back to $host.
        "--accept-flake-config" # Avoid asking for y/n approval for all settings.
        "--fallback" # Build locally if substituters fail.
      ] | append $arguments

[4.44230]

[4.44600]

          # Build locally (always).
          let os = (uname | get kernel-name)
          let config_path = if $os == "Darwin" { "/Users/jam/nixos" } else { "/home/jam/nixos" }

Replacement in modules/rebuild.nix at line 50 [4.42448]

B:BD[4.44601] → [4.44601:44789]

      # Add target-host for remote deployments.
      let final_args = if $remote {
        $base_args | append ["--target-host" $"root@($host)"]
      } else {
        $base_args
      }

[4.44601]

[4.44789]

          # nh os/darwin switch [flake_path] --hostname [host] -- [nix_args]
          let base_args = [
            "switch"
            $config_path
            "--hostname" $host
            "--accept-flake-config" # Avoid asking for y/n approval for all settings.
            "--fallback" # Build locally if substituters fail.
          ] | append $arguments

Replacement in modules/rebuild.nix at line 59 [4.42448]

B:BD[4.44790] → [4.44790:44921]

      let command = if $rollback {
        "rollback"
      } else {
        if $os == "Darwin" { "darwin" } else { "os" }
      }

[4.44790]

[4.44921]

          # Add target-host for remote deployments.
          let final_args = if $remote {
            $base_args | append ["--target-host" $"root@($host)"]
          } else {
            $base_args
          }

Replacement in modules/rebuild.nix at line 66 [4.42448]

B:BD[4.44922] → [4.44922:45039]

      let final_args = if $rollback {
        [$host] | append $arguments
      } else {
        $final_args
      }

[4.44922]

[4.45039]

          let command = if $rollback {
            "rollback"
          } else {
            if $os == "Darwin" { "darwin" } else { "os" }
          }

Replacement in modules/rebuild.nix at line 72 [4.42448]

B:BD[4.45040] → [4.45040:45323]

      # Execute final command.
      let action = if $remote { $"Deploying to: ($host)" } else { "Building locally:" }
      let platform = if $os == "Darwin" { "Darwin" } else { "NixOS" }
      if not $quiet { print-notify $"($action) ($platform). Configuration for: ($host)." 50 }

[4.45040]

[4.45323]

          let final_args = if $rollback {
            [$host] | append $arguments
          } else {
            $final_args
          }
          # Execute final command.
          let action = if $remote { $"Deploying to: ($host)" } else { "Building locally:" }
          let platform = if $os == "Darwin" { "Darwin" } else { "NixOS" }
          if not $quiet { print-notify $"($action) ($platform). Configuration for: ($host)." 50 }

Replacement in modules/rebuild.nix at line 83 [4.42448]

B:BD[4.45324] → [4.45324:45835]

      if $remote {
        for attempts in 1..($try_attempts + 1) {
          try {
            NH_BYPASS_ROOT_CHECK=true NH_NO_CHECKS=true nh $command ...$final_args
            break
          } catch { |e|
            if $attempts < $try_attempts {
              print-notify $"First attempt failed, retrying... (attempt ($attempts) of ($try_attempts))"
            } else {
              print-notify $"Error: Rebuild failed after ($try_attempts) attempts, run manually in a terminal."
              exit 1

[4.45324]

[4.45835]

          if $remote {
            for attempts in 1..($try_attempts + 1) {
              try {
                NH_BYPASS_ROOT_CHECK=true NH_NO_CHECKS=true nh $command ...$final_args
                break
              } catch { |e|
                if $attempts < $try_attempts {
                  print-notify $"First attempt failed, retrying... (attempt ($attempts) of ($try_attempts))"
                } else {
                  print-notify $"Error: Rebuild failed after ($try_attempts) attempts, run manually in a terminal."
                  exit 1
                }
              }
            }
          } else {
            for attempts in 1..($try_attempts + 1) {
              try {
                sudo NH_BYPASS_ROOT_CHECK=true NH_NO_CHECKS=true nh $command ...$final_args
                break
              } catch { |e|
                if $attempts < $try_attempts {
                  print-notify $"First attempt failed, retrying... (attempt ($attempts) of ($try_attempts))"
                } else {
                  print-notify $"Error: Rebuild failed after ($try_attempts) attempts, run manually in a terminal."
                  exit 1
                }
              }

Replacement in modules/rebuild.nix at line 112 [4.42448]

B:BD[4.45861] → [4.45861:46397]

        }
      } else {
        for attempts in 1..($try_attempts + 1) {
          try {
            sudo NH_BYPASS_ROOT_CHECK=true NH_NO_CHECKS=true nh $command ...$final_args
            break
          } catch { |e|
            if $attempts < $try_attempts {
              print-notify $"First attempt failed, retrying... (attempt ($attempts) of ($try_attempts))"
            } else {
              print-notify $"Error: Rebuild failed after ($try_attempts) attempts, run manually in a terminal."
              exit 1
            }

[4.45861]

[4.46397]


          if $rollback {
            if not $quiet { print-notify $"Rollback for ($host) succeeded." 100 }
          } else {
            if not $quiet { print-notify $"Rebuild for ($host) succeeded." 100 }

Replacement in modules/rebuild.nix at line 119 [4.42448]

B:BD[4.46419] → [4.46419:47496]

      }
      if $rollback {
        if not $quiet { print-notify $"Rollback for ($host) succeeded." 100 }
      } else {
        if not $quiet { print-notify $"Rebuild for ($host) succeeded." 100 }
      }
    }
  '';
in {
  # home-manager.sharedModules = mkIf config.isDesktopNotWsl [{
  #   xdg.desktopEntries.rebuild = {
  #     name     = "Rebuild";
  #     icon     = "system-run";
  #     exec     = ''rebuild'';
  #     terminal = false;
  #   };
  #   xdg.desktopEntries.rebuild-plum = {
  #     name     = "Rebuild plum";
  #     icon     = "system-run";
  #     exec     = ''rebuild --remote plum'';
  #     terminal = false;
  #   };
  #   xdg.desktopEntries.rebuild-kiwi = {
  #     name     = "Rebuild kiwi";
  #     icon     = "system-run";
  #     exec     = ''rebuild --remote kiwi'';
  #     terminal = false;
  #   };
  #   xdg.desktopEntries.rollback = {
  #     name     = "Rollback";
  #     icon     = "folder";
  #     exec     = ''rebuild rollback'';
  #     terminal = false;
  #   };
  # }];
  environment.systemPackages = [
    rebuildScript
  ];

[4.46419]

[4.47496]

      '';
    in
    {
      environment.systemPackages = [
        pkgs.nh
        pkgs.nix-output-monitor
        rebuildScript
      ];
    };