pocket accept cors

2026-02-04 05:39:18 +01:00 · 2025-10-04 02:23:05 +02:00 · 2025-10-04 02:23:05 +02:00 · 134fe2e279
commit 134fe2e279
parent e70aee4ab6
10 changed files with 320 additions and 219 deletions
--- a/aliases.nix
+++ b/aliases.nix
@ -1,19 +1,27 @@
-{pkgs, ...} : {
+{ pkgs, ... }: {
  programs.fish = {
    enable = true;
    shellAliases = {
      nrb = "sudo nixos-rebuild switch --flake /etc/nixos --impure";
      ni = "nvim /etc/nixos/configuration.nix";
-      bat="upower -i /org/freedesktop/UPower/devices/battery_BAT0| grep -E 'state|percentage'";
+      bat =
-      gpu="nvidia-smi -q | grep -i 'draw.*W'";
+        "upower -i /org/freedesktop/UPower/devices/battery_BAT0| grep -E 'state|percentage'";
-      wifi="sudo nmtui";
+      gpu = "nvidia-smi -q | grep -i 'draw.*W'";
-      all="sudo chmod -R a+rwx ./*";
+      wifi = "sudo nmtui";
-      ng="cd /etc/nginx/ && sudo nvim .";
+      all = "sudo chmod -R a+rwx ./*";
-      copy="xclip -sel clip";
+      ng = "cd /etc/nginx/ && sudo nvim .";
-      pubkey="cat ~/.ssh/id_ed25519.pub | copy";
+      copy = "xclip -sel clip";
-      up="docker compose up -d";
+      pubkey = "cat ~/.ssh/id_ed25519.pub | copy";
-      down="docker compose down";
+      up = "docker compose up -d";
      down = "docker compose down -t 0";
      inspect = "nix edit nixpkgs#$1";
      fe = "nix develop";
      fed = "nvim flake.nix";
      cdn = "cd /etc/nixos";
      cpu =
        "sudo turbostat --quiet --show PkgWatt --interval 1 --num_iterations 1 | awk 'NR==2{print $1}'";
    };
    interactiveShellInit = ''
@ -26,4 +34,4 @@
            end
    '';
  };
-    }
+}
--- a/configuration.nix
+++ b/configuration.nix
@ -2,13 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{
+{ config, pkgs, lib, inputs, ... }:
  config,
  pkgs,
  lib,
  inputs,
  ...
 }:
 {
  imports = [
@ -26,6 +20,7 @@
    ./users.nix
    ./networking/caddy.nix
    ./modules/buildCache.nix
    # ./modules/de.nix
    ./modules/displayOff.nix
@ -72,17 +67,11 @@
    settings = {
      nix-path = lib.mapAttrsToList (n: _: "${n}=flake:${n}") inputs;
      flake-registry = ""; # optional, ensures flakes are truly self-contained
-      experimental-features = [
+      experimental-features = [ "nix-command" "flakes" "pipe-operators" ];
        "nix-command"
        "flakes"
        "pipe-operators"
      ];
    };
  };
-  services.openssh = {
+  services.openssh = { enable = true; };
    enable = true;
  };
  programs.neovim = {
    enable = true;
@ -92,9 +81,7 @@
  home-manager = {
    extraSpecialArgs = { inherit inputs; };
-    users = {
+    users = { "botserver" = import ./home.nix; };
      "botserver" = import ./home.nix;
    };
  };
  # Root uses the exact same module
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -1,27 +1,13 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules =
-    "nvme"
+    [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
    "xhci_pci"
    "ahci"
    "usbhid"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
@ -34,38 +20,50 @@
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/1DC7-70A2";
    fsType = "vfat";
-    options = [
+    options = [ "fmask=0077" "dmask=0077" ];
      "fmask=0077"
      "dmask=0077"
    ];
  };
  fileSystems."/mnt/stolenFromSister" = {
    device = "/dev/disk/by-uuid/8f2c41c0-84bb-40ee-a3f8-b1bbd378d5d7";
    fsType = "ext4"; # or "btrfs", "xfs", etc.
-      options = [ "nofail" "x-systemd.automount"];         # don't block boot if the disk is missing
+    options = [
      "nofail"
      "x-systemd.automount"
    ]; # don't block boot if the disk is missing
  };
  fileSystems."/mnt/OtherStolenDriveFromSister" = {
    device = "/dev/disk/by-uuid/fc16759c-24fc-46d6-99fe-865068605f46";
    fsType = "ext4"; # or "btrfs", "xfs", etc.
-      options = [ "nofail" "x-systemd.automount"];         # don't block boot if the disk is missing
+    options = [
      "nofail"
      "x-systemd.automount"
    ]; # don't block boot if the disk is missing
  };
  fileSystems."/mnt/disk3" = {
    device = "/dev/disk/by-partuuid/54084a5e-2c7f-4ec9-8ee7-9ede76c79f40";
    fsType = "ext4";
    options = [ "nofail" "x-systemd.automount" ];
  };
  fileSystems."/mnt/disk4" = {
    device = "/dev/disk/by-partuuid/9df16012-ef2f-4091-aa24-632d98e6be51";
    fsType = "ext4";
    options = [ "nofail" "x-systemd.automount" ];
  };
  # fileSystems."/mnt/disk5" = {
  #   device = "/dev/disk/by-partuuid/3610155d-6d3d-4be1-9e50-7a638ccbf98c";
  #   fsType = "ext4";
  #   options = [ "nofail" "x-systemd.automount" ];
  # };
  systemd.tmpfiles.rules = [
    "d /mnt/stolenFromSister/jelly/ 0755 starr starr -"
    "d /mnt/OtherStolenDriveFromSister/downloads/ 0755 starr starr -"
  ];
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -77,5 +75,6 @@
  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/home.nix
+++ b/home.nix
@ -1,9 +1,4 @@
-{
+{ pkgs, lib, ... }: {
  pkgs,
  lib,
  ...
 }:
 {
  imports = [ ./modules/nvim.nix ];
  # packages only for this user
--- a/modules/buildCache.nix
+++ b/modules/buildCache.nix
@ -0,0 +1,38 @@
 { pkgs, ... }: {
  services.harmonia = {
    enable = true;
    signKeyPaths = [ "/var/lib/secrets/harmonia.secret" ];
    settings = {
      bind = "0.0.0.0:5444";
      workers = 4;
    };
  };
  imports = [ ./../networking/networkSetup.nix ];
  services.caddy = {
    enable = true;
    virtualHosts."cache.deprived.dev" = {
      extraConfig = ''
        reverse_proxy localhost:5444
        header {
          # Cache control for nix store paths
          Cache-Control "public, max-age=31536000, immutable"
          # CORS headers if needed
          Access-Control-Allow-Origin "*"
          Access-Control-Allow-Methods "GET, HEAD, OPTIONS"
        }
        # Optional: Enable compression
        encode gzip
        # Optional: Logging
        log {
          output file /var/log/caddy/cache.log
        }
      '';
    };
  };
 }
--- a/modules/customPackages/shreddit/shreddit.nix
+++ b/modules/customPackages/shreddit/shreddit.nix
@ -0,0 +1,25 @@
 { lib, pkgs, rustPlatform }:
 rustPlatform.buildRustPackage rec {
  pname = "shreddit";
  version = "1.1.1"; # pick the crate version you want
  src = pkgs.fetchCrate {
    inherit pname version;
    sha256 =
      "sha256-ERcQZ7LLR9kfI1WMCr70EopmuPmK4Y7eXnhM7djvEI4="; # fill after first build
  };
  cargoHash =
    "sha256-9s6wmB4YqKmyHKDS2b5keEYFDBerpdQxtNY1wVqGDxg="; # fill after first build
  nativeBuildInputs = [ pkgs.pkg-config ];
  buildInputs = [ pkgs.openssl ];
  meta = with lib; {
    description = "Shreddit CLI (Rust crate)";
    license = licenses.mit; # adjust if needed
    mainProgram = "shreddit";
  };
 }
--- a/modules/nvim.nix
+++ b/modules/nvim.nix
@ -1,9 +1,4 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 with lib;
 let
@ -56,8 +51,7 @@ let
    "NIX_LD_LIBRARY_PATH=${config.home.profileDirectory}/lib/nvim-depends/lib"
    "PKG_CONFIG_PATH=${config.home.profileDirectory}/lib/nvim-depends/pkgconfig"
  ];
-in
+in {
 {
  home.packages = with pkgs; [
    patchelf
    nvim-depends-include
@ -65,11 +59,9 @@ in
    nvim-depends-pkgconfig
    ripgrep
  ];
-  home.extraOutputsToInstall = ["nvim-depends"];
+  home.extraOutputsToInstall = [ "nvim-depends" ];
-  home.shellAliases.nvim =
+  home.shellAliases.nvim = (concatStringsSep " " buildEnv)
-    (concatStringsSep " " buildEnv)
+    + " SQLITE_CLIB_PATH=${pkgs.sqlite.out}/lib/libsqlite3.so " + "nvim";
    + " SQLITE_CLIB_PATH=${pkgs.sqlite.out}/lib/libsqlite3.so "
    + "nvim";
  programs.neovim = {
    enable = true;
@ -97,12 +89,12 @@ in
    extraLuaPackages = ls: with ls; [ luarocks ];
  };
-  # Screw declarative here
+  # # Screw declarative here
-  xdg.configFile."nvim".source = builtins.fetchGit {
+  # xdg.configFile."nvim".source = builtins.fetchGit {
-    url = "https://github.com/MagicBOTAlex/NVimConfigs";
+  #   url = "https://github.com/MagicBOTAlex/NVimConfigs";
-    ref = "master";   # change if the default branch is different
+  #   ref = "master";   # change if the default branch is different
-    # submodules = true;  # uncomment if needed
+  #   # submodules = true;  # uncomment if needed
-  };
+  # };
  # xdg.configFile."nvim".source = pkgs.fetchFromGitHub {
  #   owner = "MagicBOTAlex";
--- a/networking/caddy.nix
+++ b/networking/caddy.nix
@ -1,7 +1,5 @@
-{pkgs, ... } : {
+{ pkgs, ... }: {
-  imports = [
+  imports = [ ./networkSetup.nix ];
    ./networkSetup.nix
  ];
  services.caddy.virtualHosts."immich.deprived.dev" = {
    extraConfig = ''
@ -9,7 +7,6 @@
    '';
  };
  services.caddy.virtualHosts."ha.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:8123
@ -22,78 +19,68 @@
    '';
  };
  services.caddy.virtualHosts."pocket.deprived.dev" = {
    extraConfig = ''
        reverse_proxy * 127.0.0.1:5500
    '';
  };
  services.caddy.virtualHosts."seer.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:5055
    '';
  };
-  services.caddy.virtualHosts."development.deprived.dev" = {
+  services.caddy.virtualHosts."penpot.deprived.dev" = {
    extraConfig = ''
-        reverse_proxy * 127.0.0.1:5550
+      reverse_proxy * 127.0.0.1:5544
    '';
  };
-services.caddy.virtualHosts."spotify.api.deprived.dev" = {
+  services.caddy.virtualHosts."api.deprived.dev" = {
    extraConfig = ''
-    encode zstd gzip
+      reverse_proxy * 127.0.0.1:6333
    '';
  };
-    # --- CORS: preflight (OPTIONS) ---
+  services.caddy.virtualHosts."pocket.deprived.dev" = {
-    @preflight {
+    extraConfig = ''
-      method OPTIONS
+      # Match allowed origins
-      header Origin *
+      @allowedOrigin header_regexp Origin ^https?://(localhost(:[0-9]+)?|deprived\.dev|([a-z0-9-]+\.)*deprived\.dev)$
-      header Access-Control-Request-Method *
+      @preflight method OPTIONS
-    }
+
      # Preflight: answer directly
      handle @preflight {
        header {
          -Access-Control-Allow-Origin
          -Access-Control-Allow-Methods
          -Access-Control-Allow-Headers
          -Access-Control-Allow-Credentials
          -Vary
        }
        header @allowedOrigin {
          Access-Control-Allow-Origin "{http.request.header.Origin}"
-        Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+          Access-Control-Allow-Methods "GET,POST,PUT,PATCH,DELETE,OPTIONS"
-        Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
+          Access-Control-Allow-Headers "*"
          Access-Control-Allow-Credentials "true"
        Access-Control-Max-Age "600"
          Vary "Origin"
        }
        respond 204
      }
-    # --- Auth: protect everything except OPTIONS ---
+      # Actual requests: proxy, strip upstream CORS, then set ours
-    @protected {
+      handle {
-      not method OPTIONS
+        reverse_proxy 127.0.0.1:3433 {
    }
    basicauth @protected {
      alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
    }
    # --- Reverse proxy: strip upstream CORS so we don't end up with duplicates ---
    reverse_proxy 127.0.0.1:6666 {
          header_down -Access-Control-Allow-Origin
          header_down -Access-Control-Allow-Methods
          header_down -Access-Control-Allow-Headers
          header_down -Access-Control-Allow-Credentials
          header_down -Vary
        }
-
+        header @allowedOrigin {
    # --- CORS: set headers on actual responses (only when Origin is present) ---
    @cors header Origin *
    header @cors {
          Access-Control-Allow-Origin "{http.request.header.Origin}"
          Access-Control-Allow-Credentials "true"
      # Optionally expose any headers your frontend needs to read:
      # Access-Control-Expose-Headers "Content-Type, Content-Length, Date"
          Vary "Origin"
        }
      }
    '';
-};
+  };
-
+  services.caddy.virtualHosts."spotify.playing.deprived.dev" = {
 services.caddy.virtualHosts."spotify.playing.deprived.dev" = {
    extraConfig = ''
      encode zstd gzip
@ -125,11 +112,65 @@ services.caddy.virtualHosts."spotify.playing.deprived.dev" = {
        Vary "Origin"
      }
    '';
-};
+  };
  services.caddy.virtualHosts."lyrics.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:7444
    '';
  };
  services.caddy.virtualHosts."zhenss.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:8388
    '';
  };
  services.caddy.virtualHosts."direct.stream.deprived.dev" = {
    extraConfig = ''
      @allowKey {
        query key=0c156f3d-dc1d-489f-866e-69e306249e92
      }
      route {
        handle @allowKey {
          reverse_proxy http://127.0.0.1:3344
        }
        respond "Forbidden" 403
      }
    '';
  };
  services.caddy.virtualHosts."development.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:5173
    '';
  };
  services.caddy.virtualHosts."internal.deprived.dev" = {
    extraConfig = ''
      # Only allow GET + POST
      @not_allowed {
        not method GET POST
      }
      respond @not_allowed 405
      # Auth (same as before): require auth for non-POST (i.e., GET)
      @protected {
        not method POST
      }
      basicauth @protected {
        git $2a$14$VlDba5ipUmRYKPYmjPql8.pa8vO7cYsmUf26cXzTk.MbHoRA/ZKJy
      }
      # /backup → 127.0.0.1:3435
      @backup path /backup*
      reverse_proxy @backup 127.0.0.1:3435
      # everything else → 127.0.0.1:3322
      reverse_proxy * 127.0.0.1:3322
    '';
  };
 }
--- a/programs.nix
+++ b/programs.nix
@ -1,4 +1,4 @@
-{pkgs,...} : {
+{ pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    neovim
    wget
@ -13,6 +13,17 @@
    nixfmt-tree
    ffmpeg-full
    borgbackup
    p7zip
    vtk
    immich-cli
    parted
    toybox
    gitoxide
    (pkgs.callPackage ./modules/customPackages/shreddit/shreddit.nix { })
    busybox
    linuxKernel.packages.linux_6_12.turbostat
    linuxKernel.packages.linux_6_12.cpupower
  ];
  programs.starship.enable = true;
--- a/users.nix
+++ b/users.nix
@ -1,14 +1,10 @@
-{pkgs, ...}: {
+{ pkgs, ... }: {
  users.users.botserver = {
    isNormalUser = true;
    description = "botserver";
-    extraGroups = [
+    extraGroups = [ "networkmanager" "wheel" "docker" "starr" ];
-      "networkmanager"
+    packages = with pkgs;
-      "wheel"
+      [
      "docker"
      "starr"
    ];
    packages = with pkgs; [
        #  thunderbird
      ];
@ -19,16 +15,25 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfQLOKUnOARUAs8X1EL1GRHoCQ0oMun0vzL7Z78yOsM nixos@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJw1ckvXz78ITeqANrWSkJl6PJo2AMA4myNrRMBAB7xW zhentao2004@gmail.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0K0fj9fJAgBrajHQJWRe0lKkmyjOUAjVn5S5zsVAQL redux@solituboks"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhcUZbIMX0W27l/FMF5WijpdsJAK329/P008OEAfcyz botmain@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3J4vGo2eWzwXU2K6kaom8pmElX+PaAuasH5BWQ9v7 root@nixos"
    ];
  };
  users.motd = "Server DEPRIVED of good internet";
  users.users.starr = {
    isNormalUser = true;
    description = "For jellyfin";
-      extraGroups = [
+    extraGroups = [ "starr" ];
          "starr"
        ];
  };
-  users.groups."starr" = {};
+  users.users.builder = {
    isNormalUser = true;
    description = "For test case building and such";
    extraGroups = [ "docker" ];
  };
  users.groups."starr" = { };
 }