sync

2026-02-04 05:39:18 +01:00 · 2025-12-11 15:16:47 +01:00 · 2025-12-11 15:16:47 +01:00 · 44957eb1a4
commit 44957eb1a4
parent 134fe2e279
6 changed files with 147 additions and 38 deletions
--- a/aliases.nix
+++ b/aliases.nix
@ -21,6 +21,7 @@
      cdn = "cd /etc/nixos";
      cpu =
        "sudo turbostat --quiet --show PkgWatt --interval 1 --num_iterations 1 | awk 'NR==2{print $1}'";
      r = "nix run";
    };
--- a/configuration.nix
+++ b/configuration.nix
@ -17,6 +17,7 @@
    ./modules/nodejs.nix
    ./modules/fishShell.nix
    ./modules/pigs.nix
    ./users.nix
    ./networking/caddy.nix
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -65,6 +65,8 @@
  ];
  swapDevices = [ ];
  zramSwap.enable = true;
  hardware.bluetooth.enable = true;
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/modules/pigs.nix
+++ b/modules/pigs.nix
@ -0,0 +1,5 @@
 { pkgs, ... }: {
  environment.variables.GZIP = "pigz";
  environment.systemPackages = with pkgs; [ pigz ];
 }
--- a/networking/caddy.nix
+++ b/networking/caddy.nix
@ -9,7 +9,7 @@
  services.caddy.virtualHosts."ha.deprived.dev" = {
    extraConfig = ''
-      reverse_proxy * 127.0.0.1:8123
+      reverse_proxy 127.0.0.1:8123
    '';
  };
@ -33,50 +33,126 @@
  services.caddy.virtualHosts."api.deprived.dev" = {
    extraConfig = ''
-      reverse_proxy * 127.0.0.1:6333
+      @allowedOrigin header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
      	@hasOrigin header Origin *
      	@preflight method OPTIONS
      	@badOrigin {
      		not {
      			header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
      		}
      		header Origin *
      	}
      	@preflightAllowed {
      		method OPTIONS
      		header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
      	}
      	# Allowed preflight
      	handle @preflightAllowed {
      		header {
      			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
      			Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
      			Access-Control-Max-Age "3600"
      			Access-Control-Allow-Credentials "true"
      			Access-Control-Allow-Origin "{http.request.header.Origin}"
      			Vary "Origin"
      		}
      		respond "" 204
      	}
      	# Preflight but missing/bad origin
      	handle @preflight {
      		respond "CORS origin not allowed" 403
      	}
      	# Block actual requests with bad origin
      	handle @badOrigin {
      		respond "CORS origin not allowed" 403
      	}
      	# Allowed origins → proxy + always add CORS (even if upstream returns 204)
      	handle @allowedOrigin {
      		reverse_proxy 127.0.0.1:6333 {
      			header_down -Access-Control-*
      			header_down -Vary
      		}
      		header {
      			Access-Control-Allow-Origin "{http.request.header.Origin}"
      			Access-Control-Allow-Credentials "true"
      			Access-Control-Expose-Headers "Authorization"
      			Vary "Origin"
      		}
      	}
      	# No Origin: just proxy
      	handle {
      		reverse_proxy 127.0.0.1:6333
      	}
    '';
  };
  services.caddy.virtualHosts."pocket.deprived.dev" = {
    extraConfig = ''
-      # Match allowed origins
+        @allowedOrigin header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
-      @allowedOrigin header_regexp Origin ^https?://(localhost(:[0-9]+)?|deprived\.dev|([a-z0-9-]+\.)*deprived\.dev)$
+      	@hasOrigin header Origin *
      	@preflight method OPTIONS
-      # Preflight: answer directly
+      	@badOrigin {
-      handle @preflight {
+      		not {
-        header {
+      			header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
          -Access-Control-Allow-Origin
          -Access-Control-Allow-Methods
          -Access-Control-Allow-Headers
          -Access-Control-Allow-Credentials
          -Vary
      		}
-        header @allowedOrigin {
+      		header Origin *
          Access-Control-Allow-Origin "{http.request.header.Origin}"
          Access-Control-Allow-Methods "GET,POST,PUT,PATCH,DELETE,OPTIONS"
          Access-Control-Allow-Headers "*"
          Access-Control-Allow-Credentials "true"
          Vary "Origin"
        }
        respond 204
      	}
-      # Actual requests: proxy, strip upstream CORS, then set ours
+      	@preflightAllowed {
-      handle {
+      		method OPTIONS
      		header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
      	}
      	# Allowed preflight
      	handle @preflightAllowed {
      		header {
      			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
      			Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
      			Access-Control-Max-Age "3600"
      			Access-Control-Allow-Credentials "true"
      			Access-Control-Allow-Origin "{http.request.header.Origin}"
      			Vary "Origin"
      		}
      		respond "" 204
      	}
      	# Preflight but missing/bad origin
      	handle @preflight {
      		respond "CORS origin not allowed" 403
      	}
      	# Block actual requests with bad origin
      	handle @badOrigin {
      		respond "CORS origin not allowed" 403
      	}
      	# Allowed origins → proxy + always add CORS (even if upstream returns 204)
      	handle @allowedOrigin {
      		reverse_proxy 127.0.0.1:3433 {
-          header_down -Access-Control-Allow-Origin
+      			header_down -Access-Control-*
          header_down -Access-Control-Allow-Methods
          header_down -Access-Control-Allow-Headers
          header_down -Access-Control-Allow-Credentials
      			header_down -Vary
      		}
-        header @allowedOrigin {
+      		header {
      			Access-Control-Allow-Origin "{http.request.header.Origin}"
      			Access-Control-Allow-Credentials "true"
      			Access-Control-Expose-Headers "Authorization"
      			Vary "Origin"
      		}
      	}
      	# No Origin: just proxy
      	handle {
      		reverse_proxy 127.0.0.1:3433
      	}
    '';
  };
@ -126,6 +202,23 @@
    '';
  };
  services.caddy.virtualHosts."zcol.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:7577
    '';
  };
  services.caddy.virtualHosts."zcollection.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:7577
    '';
  };
  services.caddy.virtualHosts."zcollection.mcd.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:7578
    '';
  };
  services.caddy.virtualHosts."direct.stream.deprived.dev" = {
    extraConfig = ''
      @allowKey {
@ -148,6 +241,12 @@
    '';
  };
  services.caddy.virtualHosts."dev.hook.deprived.dev" = {
    extraConfig = ''
      reverse_proxy * 127.0.0.1:3322
    '';
  };
  services.caddy.virtualHosts."internal.deprived.dev" = {
    extraConfig = ''
      # Only allow GET + POST
--- a/users.nix
+++ b/users.nix
@ -18,6 +18,7 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhcUZbIMX0W27l/FMF5WijpdsJAK329/P008OEAfcyz botmain@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3J4vGo2eWzwXU2K6kaom8pmElX+PaAuasH5BWQ9v7 root@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0esg3ABIcYWxvQKlPuwEE6cbhNcWjisfky0wnGirJ root@nixos"
    ];
  };