plumjam/nixos - Change UZUCVVZYTCBURTGFJZUQJPQCNKB43PP6LVT7ACTSMSB442GRVNYQC

dendritic: Migrate acme and nginx configs.

Created by PlumJam on January 13, 2026

UZUCVVZYTCBURTGFJZUQJPQCNKB43PP6LVT7ACTSMSB442GRVNYQC

Dependencies

In channels

main

Change contents

File move: nginx.nix → nginx.nix
BF:BFD[3.128] → [3.9953:9986]
BF:BF[3.9986] → [3.6103:6103]
[4.2]
[3.6103]
Deletion in modules/nginx.nix at line 3 [3.6103]
B:BD[3.6143] → [3.6143:6144]
Deletion in modules/nginx.nix at line 4 [3.6103]
B:BD[3.6150] → [3.6150:6162]
```
      self,
```
Replacement in modules/nginx.nix at line 10 [3.6103]
B:BD[3.6254] → [3.6254:6291]
```
      inherit (lib) enabled mkConst;
```
[3.6254]
[3.6291]
```
      inherit (lib.modules) mkConst;
```
Replacement in modules/nginx.nix at line 13 [3.6103]
B:BD[3.6304] → [3.6304:6348]
```
      imports = [ (self + /modules/acme) ];
```
[3.6304]
[3.6348]
```
      imports = [ ./acme.nix ];
```

Replacement in modules/nginx.nix at line 21 [3.6103]

B:BD[3.6488] → [3.6488:6841]

      options.services.nginx.goatCounterTemplate = mkConst /* nginx */ ''
        proxy_set_header Accept-Encoding "";
        sub_filter "</head>" '<script data-goatcounter="https://analytics.${domain}/count" async src="https://analytics.${domain}/count.js"></script></head>';
        sub_filter_last_modified on;
        sub_filter_once on;
      '';

[3.6488]

[3.6841]

      options.services.nginx.goatCounterTemplate =
        # nginx
        mkConst ''
          proxy_set_header Accept-Encoding "";
          sub_filter "</head>" '<script data-goatcounter="https://analytics.${domain}/count" async src="https://analytics.${domain}/count.js"></script></head>';
          sub_filter_last_modified on;
          sub_filter_once on;
        '';

Replacement in modules/nginx.nix at line 30 [3.6103]

B:BD[3.6842] → [3.6842:7028]

      options.services.nginx.headers = mkConst /* nginx */ ''
        proxy_hide_header Access-Control-Allow-Origin;
        add_header Access-Control-Allow-Origin $allow_origin always;

[3.6842]

[3.7028]

      options.services.nginx.headers =
        # nginx
        mkConst ''
          proxy_hide_header Access-Control-Allow-Origin;
          add_header Access-Control-Allow-Origin $allow_origin always;

Replacement in modules/nginx.nix at line 36 [3.6103]

B:BD[3.7029] → [3.7029:7101]

        ${config.services.nginx.headersNoAccessControlOrigin}
      '';

[3.7029]

[3.7101]

          ${config.services.nginx.headersNoAccessControlOrigin}
        '';

Replacement in modules/nginx.nix at line 39 [3.6103]

B:BD[3.7102] → [3.7102:7312]

      options.services.nginx.headersNoAccessControlOrigin = mkConst /* nginx */ ''
        proxy_hide_header Access-Control-Allow-Methods;
        add_header Access-Control-Allow-Methods $allow_methods always;

[3.7102]

[3.7312]

      options.services.nginx.headersNoAccessControlOrigin =
        # nginx
        mkConst ''
          proxy_hide_header Access-Control-Allow-Methods;
          add_header Access-Control-Allow-Methods $allow_methods always;

Replacement in modules/nginx.nix at line 45 [3.6103]

B:BD[3.7313] → [3.7313:7432]

        proxy_hide_header Strict-Transport-Security;
        add_header Strict-Transport-Security $hsts_header always;

[3.7313]

[3.7432]

          proxy_hide_header Strict-Transport-Security;
          add_header Strict-Transport-Security $hsts_header always;

Replacement in modules/nginx.nix at line 48 [3.6103]

B:BD[3.7433] → [3.7433:7719]

        proxy_hide_header Content-Security-Policy;
        add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; img-src 'self' data: https:; base-uri 'self'; frame-ancestors 'self';" always;

[3.7433]

[3.7719]

          proxy_hide_header Content-Security-Policy;
          add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; img-src 'self' data: https:; base-uri 'self'; frame-ancestors 'self';" always;

Replacement in modules/nginx.nix at line 51 [3.6103]

B:BD[3.7720] → [3.7720:7818]

        proxy_hide_header Referrer-Policy;
        add_header Referrer-Policy no-referrer always;

[3.7720]

[3.7818]

          proxy_hide_header Referrer-Policy;
          add_header Referrer-Policy no-referrer always;

Replacement in modules/nginx.nix at line 54 [3.6103]

B:BD[3.7819] → [3.7819:7910]

        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options DENY always;

[3.7819]

[3.7910]

          proxy_hide_header X-Frame-Options;
          add_header X-Frame-Options DENY always;

Replacement in modules/nginx.nix at line 57 [3.6103]

B:BD[3.7911] → [3.7911:8019]

        proxy_hide_header X-Content-Type-Options;
        add_header X-Content-Type-Options nosniff always;

[3.7911]

[3.8019]

          proxy_hide_header X-Content-Type-Options;
          add_header X-Content-Type-Options nosniff always;

Replacement in modules/nginx.nix at line 60 [3.6103]

B:BD[3.8020] → [3.8020:8124]

        proxy_hide_header X-XSS-Protection;
        add_header X-XSS-Protection "1; mode=block" always;

[3.8020]

[3.8124]

          proxy_hide_header X-XSS-Protection;
          add_header X-XSS-Protection "1; mode=block" always;

Replacement in modules/nginx.nix at line 63 [3.6103]

B:BD[3.8125] → [3.8125:8275]

        proxy_hide_header Permissions-Policy;
        add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
      '';

[3.8125]

[3.8275]

          proxy_hide_header Permissions-Policy;
          add_header Permissions-Policy "camera=(), geolocation=(), payment=(), usb=()" always;
        '';

Replacement in modules/nginx.nix at line 75 [3.6103]

B:BD[3.8424] → [3.8424:8485]

      config.services.prometheus.exporters.nginx = enabled {

[3.8424]

[3.8485]

      config.services.prometheus.exporters.nginx = {
        enable = true;

Replacement in modules/nginx.nix at line 82 [3.6103]

B:BD[3.8576] → [3.8576:8616]

      config.services.nginx = enabled {

[3.8576]

[3.8616]

      config.services.nginx = {
        enable = true;

Replacement in modules/nginx.nix at line 93 [3.6103]

B:BD[3.8848] → [3.8848:9005]

        commonHttpConfig = /* nginx */ ''
          map $scheme $hsts_header {
            https "max-age=31536000; includeSubdomains; preload";
          }

[3.8848]

[3.9005]

        commonHttpConfig = # nginx
          ''
            map $scheme $hsts_header {
              https "max-age=31536000; includeSubdomains; preload";
            }

Replacement in modules/nginx.nix at line 99 [3.6103]

B:BD[3.9006] → [3.9006:9192]

          # cache only successful responses
          map $status $cache_header {
            200     "public";
            302     "public";
            default "no-cache";
          }

[3.9006]

[3.9192]

            # Cache only successful responses.
            map $status $cache_header {
              200     "public";
              302     "public";
              default "no-cache";
            }

Replacement in modules/nginx.nix at line 106 [3.6103]

B:BD[3.9193] → [3.9193:9424]

          map $http_origin $allow_origin {
            ~^https://(?:.+\.)?${domain}$ $http_origin;
            ~^https://dr-radka\.pl$ $http_origin;
            ~^https://awesome-technologies\.github\.io$ $http_origin;
          }

[3.9193]

[3.9424]

            map $http_origin $allow_origin {
              ~^https://(?:.+\.)?${domain}$ $http_origin;
              ~^https://dr-radka\.pl$ $http_origin;
              ~^https://awesome-technologies\.github\.io$ $http_origin;
            }

Replacement in modules/nginx.nix at line 112 [3.6103]

B:BD[3.9425] → [3.9425:9807]

          map $http_origin $allow_methods {
            ~^https://(?:.+\.)?${domain}$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
            ~^https://dr-radka\.pl$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
            ~^https://awesome-technologies\.github\.io$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
          }

[3.9425]

[3.9807]

            map $http_origin $allow_methods {
              ~^https://(?:.+\.)?${domain}$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
              ~^https://dr-radka\.pl$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
              ~^https://awesome-technologies\.github\.io$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";
            }

Replacement in modules/nginx.nix at line 118 [3.6103]

B:BD[3.9808] → [3.9808:9851]

          ${config.services.nginx.headers}

[3.9808]

[3.9851]

            ${config.services.nginx.headers}

Replacement in modules/nginx.nix at line 120 [3.6103]

B:BD[3.9852] → [3.9852:9934]

          proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        '';

[3.9852]

[3.9934]

            proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
          '';

File move: acme.nix → acme.nix
BF:BFD[3.128] → [3.34754:34786]
BF:BF[3.34786] → [3.34169:34169]
[4.2]
[3.34169]
Deletion in modules/acme.nix at line 1 [3.34169]
B:BD[3.34169] → [2.17345:17371]
∅:D[2.17371] → [3.34196:34259]
B:BD[3.34196] → [3.34196:34259]
B:BD[3.34259] → [2.17372:17375]
```
{ config, lib, ... }:
let
  inherit (config.networking) domain;
  inherit (lib) mkValue;
in
```

Replacement in modules/acme.nix at line 2 [3.34169]

B:BD[2.17377] → [2.17377:17422]

  options.security.acme.users = mkValue [ ];

[2.17377]

[3.34310]

  config.flake.modules.nixos.acme =
    { config, lib, ... }:
    let
      inherit (config.network) domain;
      inherit (lib) mkValue;
    in
    {
      options.security.acme.users = mkValue [ ];

Replacement in modules/acme.nix at line 11 [3.34169]

B:BD[3.34311] → [3.34311:34376]

  config.users.groups.acme.members = config.security.acme.users;

[3.34311]

[3.34376]

      config.users.groups.acme.members = config.security.acme.users;

Replacement in modules/acme.nix at line 13 [3.34169]

B:BD[3.34377] → [3.34377:34428]

  config.security.acme = {
    acceptTerms = true;

[3.34377]

[3.34428]

      config.security.acme = {
        acceptTerms = true;

Replacement in modules/acme.nix at line 16 [3.34169]

B:BD[3.34429] → [3.34429:34511]

B:BD[3.34511] → [2.17423:17524]

∅:D[2.17524] → [3.34630:34637]

B:BD[3.34630] → [3.34630:34637]

    defaults = {
      environmentFile = config.age.secrets.acmeEnvironment.path;
      dnsProvider = "cloudflare";
      dnsResolver = "1.1.1.1";
      email = "security@${domain}";
    };

[3.34429]

[3.34637]

        defaults = {
          environmentFile = config.age.secrets.acmeEnvironment.path;
          dnsProvider = "cloudflare";
          dnsResolver = "1.1.1.1";
          email = "security@${domain}";
        };

Replacement in modules/acme.nix at line 23 [3.34169]

B:BD[3.34638] → [3.34638:34706]

B:BD[3.34706] → [2.17525:17547]

    certs.${domain} = {
      extraDomainNames = [ "*.${domain}" ];
      group = "acme";

[3.34638]

[3.34739]

        certs.${domain} = {
          extraDomainNames = [ "*.${domain}" ];
          group = "acme";
        };
      };

Deletion in modules/acme.nix at line 29 [3.34169]
B:BD[3.34746] → [3.34746:34751]
```
  };
```