From 44957eb1a496e4a8683c00109d1839d3db77ccd2 Mon Sep 17 00:00:00 2001 From: BOTAlex Date: Thu, 11 Dec 2025 15:16:47 +0100 Subject: [PATCH] sync --- aliases.nix | 1 + configuration.nix | 1 + hardware-configuration.nix | 2 + modules/pigs.nix | 5 ++ networking/caddy.nix | 175 +++++++++++++++++++++++++++++-------- users.nix | 1 + 6 files changed, 147 insertions(+), 38 deletions(-) create mode 100644 modules/pigs.nix diff --git a/aliases.nix b/aliases.nix index c9f8b3f..ae45876 100644 --- a/aliases.nix +++ b/aliases.nix @@ -21,6 +21,7 @@ cdn = "cd /etc/nixos"; cpu = "sudo turbostat --quiet --show PkgWatt --interval 1 --num_iterations 1 | awk 'NR==2{print $1}'"; + r = "nix run"; }; diff --git a/configuration.nix b/configuration.nix index 8486899..e22e1c8 100755 --- a/configuration.nix +++ b/configuration.nix @@ -17,6 +17,7 @@ ./modules/nodejs.nix ./modules/fishShell.nix + ./modules/pigs.nix ./users.nix ./networking/caddy.nix diff --git a/hardware-configuration.nix b/hardware-configuration.nix index 9a6a4fd..8ef0a82 100755 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -65,6 +65,8 @@ ]; swapDevices = [ ]; + zramSwap.enable = true; + hardware.bluetooth.enable = true; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/modules/pigs.nix b/modules/pigs.nix new file mode 100644 index 0000000..74379d1 --- /dev/null +++ b/modules/pigs.nix @@ -0,0 +1,5 @@ +{ pkgs, ... }: { + environment.variables.GZIP = "pigz"; + environment.systemPackages = with pkgs; [ pigz ]; +} + diff --git a/networking/caddy.nix b/networking/caddy.nix index ee5d362..c552aad 100644 --- a/networking/caddy.nix +++ b/networking/caddy.nix @@ -9,7 +9,7 @@ services.caddy.virtualHosts."ha.deprived.dev" = { extraConfig = '' - reverse_proxy * 127.0.0.1:8123 + reverse_proxy 127.0.0.1:8123 ''; }; 
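Review bot: In the new modules/pigs.nix, `environment.variables.GZIP = "pigz";` does not make gzip-based tooling call pigz: gzip reads the `GZIP` variable as a list of default options, not as a program name, and recent gzip releases treat that variable as deprecated and reject operands placed in it, so the value `pigz` most likely yields a warning or an error rather than a substitution. If the intent is faster tarball compression, the mechanism is `tar -I pigz` (or `--use-compress-program=pigz`) or a shell alias in aliases.nix, while keeping `environment.systemPackages = with pkgs; [ pigz ];`. A one-line comment on the module stating the intended effect, e.g. `# pigz: parallel gzip; invoke explicitly via tar -I pigz`, would make the purpose checkable.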
@@ -33,50 +33,126 @@ services.caddy.virtualHosts."api.deprived.dev" = { extraConfig = '' - reverse_proxy * 127.0.0.1:6333 + @allowedOrigin header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ + @hasOrigin header Origin * + @preflight method OPTIONS + + @badOrigin { + not { + header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ + } + header Origin * + } + + @preflightAllowed { + method OPTIONS + header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ + } + + # Allowed preflight + handle @preflightAllowed { + header { + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE" + Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}" + Access-Control-Max-Age "3600" + Access-Control-Allow-Credentials "true" + Access-Control-Allow-Origin "{http.request.header.Origin}" + Vary "Origin" + } + respond "" 204 + } + + # Preflight but missing/bad origin + handle @preflight { + respond "CORS origin not allowed" 403 + } + + # Block actual requests with bad origin + handle @badOrigin { + respond "CORS origin not allowed" 403 + } + + # Allowed origins → proxy + always add CORS (even if upstream returns 204) + handle @allowedOrigin { + reverse_proxy 127.0.0.1:6333 { + header_down -Access-Control-* + header_down -Vary + } + header { + Access-Control-Allow-Origin "{http.request.header.Origin}" + Access-Control-Allow-Credentials "true" + Access-Control-Expose-Headers "Authorization" + Vary "Origin" + } + } + + # No Origin: just proxy + handle { + reverse_proxy 127.0.0.1:6333 + } ''; }; services.caddy.virtualHosts."pocket.deprived.dev" = { extraConfig = '' - # Match allowed origins - @allowedOrigin header_regexp Origin ^https?://(localhost(:[0-9]+)?|deprived\.dev|([a-z0-9-]+\.)*deprived\.dev)$ - @preflight method OPTIONS + @allowedOrigin header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ + @hasOrigin header Origin * + @preflight method OPTIONS - # 
Preflight: answer directly - handle @preflight { - header { - -Access-Control-Allow-Origin - -Access-Control-Allow-Methods - -Access-Control-Allow-Headers - -Access-Control-Allow-Credentials - -Vary - } - header @allowedOrigin { - Access-Control-Allow-Origin "{http.request.header.Origin}" - Access-Control-Allow-Methods "GET,POST,PUT,PATCH,DELETE,OPTIONS" - Access-Control-Allow-Headers "*" - Access-Control-Allow-Credentials "true" - Vary "Origin" - } - respond 204 - } + @badOrigin { + not { + header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ + } + header Origin * + } + + @preflightAllowed { + method OPTIONS + header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$ + } + + # Allowed preflight + handle @preflightAllowed { + header { + Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE" + Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}" + Access-Control-Max-Age "3600" + Access-Control-Allow-Credentials "true" + Access-Control-Allow-Origin "{http.request.header.Origin}" + Vary "Origin" + } + respond "" 204 + } + + # Preflight but missing/bad origin + handle @preflight { + respond "CORS origin not allowed" 403 + } + + # Block actual requests with bad origin + handle @badOrigin { + respond "CORS origin not allowed" 403 + } + + # Allowed origins → proxy + always add CORS (even if upstream returns 204) + handle @allowedOrigin { + reverse_proxy 127.0.0.1:3433 { + header_down -Access-Control-* + header_down -Vary + } + header { + Access-Control-Allow-Origin "{http.request.header.Origin}" + Access-Control-Allow-Credentials "true" + Access-Control-Expose-Headers "Authorization" + Vary "Origin" + } + } + + # No Origin: just proxy + handle { + reverse_proxy 127.0.0.1:3433 + } - # Actual requests: proxy, strip upstream CORS, then set ours - handle { - reverse_proxy 127.0.0.1:3433 { - header_down -Access-Control-Allow-Origin - header_down -Access-Control-Allow-Methods - header_down 
-Access-Control-Allow-Headers - header_down -Access-Control-Allow-Credentials - header_down -Vary - } - header @allowedOrigin { - Access-Control-Allow-Origin "{http.request.header.Origin}" - Access-Control-Allow-Credentials "true" - Vary "Origin" - } - } ''; }; @@ -126,6 +202,23 @@ ''; }; + services.caddy.virtualHosts."zcol.deprived.dev" = { + extraConfig = '' + reverse_proxy * 127.0.0.1:7577 + ''; + }; + + services.caddy.virtualHosts."zcollection.deprived.dev" = { + extraConfig = '' + reverse_proxy * 127.0.0.1:7577 + ''; + }; + services.caddy.virtualHosts."zcollection.mcd.deprived.dev" = { + extraConfig = '' + reverse_proxy * 127.0.0.1:7578 + ''; + }; + services.caddy.virtualHosts."direct.stream.deprived.dev" = { extraConfig = '' @allowKey { @@ -148,6 +241,12 @@ ''; }; + services.caddy.virtualHosts."dev.hook.deprived.dev" = { + extraConfig = '' + reverse_proxy * 127.0.0.1:3322 + ''; + }; + services.caddy.virtualHosts."internal.deprived.dev" = { extraConfig = '' # Only allow GET + POST diff --git a/users.nix b/users.nix index 4eafb9b..3e447de 100644 --- a/users.nix +++ b/users.nix @@ -18,6 +18,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhcUZbIMX0W27l/FMF5WijpdsJAK329/P008OEAfcyz botmain@nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3J4vGo2eWzwXU2K6kaom8pmElX+PaAuasH5BWQ9v7 root@nixos" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0esg3ABIcYWxvQKlPuwEE6cbhNcWjisfky0wnGirJ root@nixos" ]; };
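Review bot: The origin allow-list in the api.deprived.dev and pocket.deprived.dev blocks (hunk starting on the previous chunk line, `@@ -33,50 +33,126 @@`) accepts plain `http://` origins and every subdomain of deprived.dev at any depth, and the `handle @allowedOrigin` and `handle @preflightAllowed` branches reflect that origin together with `Access-Control-Allow-Credentials "true"`, so any page served from any deprived.dev subdomain, or over unencrypted HTTP for one of them, obtains credentialed cross-origin access to these APIs; if only specific front-ends need it, list them explicitly, and otherwise at least require TLS for the non-local branch, e.g. `@allowedOrigin header_regexp Origin ^(https://([a-z0-9-]+\.)*deprived\.dev|http://localhost(:\d+)?)$`. The `@hasOrigin header Origin *` matcher declared at the top of both vhosts is never referenced by any `handle`, so it can be dropped or used in place of the inline `header Origin *` inside `@badOrigin`. The same regex is written three times per vhost and the whole block is duplicated verbatim between the two vhosts with only the upstream port differing; a Caddy snippet taking the upstream as an argument (`import cors_proxy 127.0.0.1:6333`) would keep the two allow-lists from drifting apart.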
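Review bot: The new zcol, zcollection and zcollection.mcd vhosts in `@@ -126,6 +202,23 @@` (and dev.hook in `@@ -148,6 +241,12 @@`) use `reverse_proxy * 127.0.0.1:7577`, while the first hunk of this same file deliberately drops the redundant `*` matcher from ha.deprived.dev, so the file now mixes both spellings. Since zcol.deprived.dev and zcollection.deprived.dev proxy to the identical upstream, one vhost with `serverAliases = [ "zcollection.deprived.dev" ];` would avoid maintaining two copies. A short comment naming what listens on 7577, 7578 and 3322 would help, as nothing on the page says what these services are.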
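Review bot: The key added in users.nix carries the comment `root@nixos`, which is already the comment on the preceding key, so after this change two authorized keys are indistinguishable by label and neither can be confidently revoked on its own when one of the hosts is rotated or decommissioned. Use a distinct, descriptive comment per key (the earlier entries follow a `botmain@nixos` / `botlap@nixos` pattern) such as `"ssh-ed25519 AAAA… root@<hostname-or-purpose>"`, and consider a line comment above the list recording which machine each key belongs to.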