sync

2026-02-04 05:39:18 +01:00 · 2025-12-11 15:16:47 +01:00 · 2025-12-11 15:16:47 +01:00 · 44957eb1a4
commit 44957eb1a4
parent 134fe2e279
6 changed files with 147 additions and 38 deletions
--- a/aliases.nix
+++ b/aliases.nix
@ -21,6 +21,7 @@
      cdn = "cd /etc/nixos";
      cpu =
        "sudo turbostat --quiet --show PkgWatt --interval 1 --num_iterations 1 | awk 'NR==2{print $1}'";
+      r = "nix run";

    };

--- a/configuration.nix
+++ b/configuration.nix
@ -17,6 +17,7 @@
    ./modules/nodejs.nix

    ./modules/fishShell.nix
+    ./modules/pigs.nix

    ./users.nix
    ./networking/caddy.nix
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -65,6 +65,8 @@
  ];

  swapDevices = [ ];
+  zramSwap.enable = true;
+  hardware.bluetooth.enable = true;

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/modules/pigs.nix
+++ b/modules/pigs.nix
@ -0,0 +1,5 @@
+{ pkgs, ... }: {
+  environment.variables.GZIP = "pigz";
+  environment.systemPackages = with pkgs; [ pigz ];
+}
+
--- a/networking/caddy.nix
+++ b/networking/caddy.nix
@ -9,7 +9,7 @@

  services.caddy.virtualHosts."ha.deprived.dev" = {
    extraConfig = ''
-      reverse_proxy * 127.0.0.1:8123
+      reverse_proxy 127.0.0.1:8123
    '';
  };

@ -33,50 +33,126 @@

  services.caddy.virtualHosts."api.deprived.dev" = {
    extraConfig = ''
-      reverse_proxy * 127.0.0.1:6333
+      @allowedOrigin header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
+      	@hasOrigin header Origin *
+      	@preflight method OPTIONS
+
+      	@badOrigin {
+      		not {
+      			header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
+      		}
+      		header Origin *
+      	}
+
+      	@preflightAllowed {
+      		method OPTIONS
+      		header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
+      	}
+
+      	# Allowed preflight
+      	handle @preflightAllowed {
+      		header {
+      			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
+      			Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
+      			Access-Control-Max-Age "3600"
+      			Access-Control-Allow-Credentials "true"
+      			Access-Control-Allow-Origin "{http.request.header.Origin}"
+      			Vary "Origin"
+      		}
+      		respond "" 204
+      	}
+
+      	# Preflight but missing/bad origin
+      	handle @preflight {
+      		respond "CORS origin not allowed" 403
+      	}
+
+      	# Block actual requests with bad origin
+      	handle @badOrigin {
+      		respond "CORS origin not allowed" 403
+      	}
+
+      	# Allowed origins → proxy + always add CORS (even if upstream returns 204)
+      	handle @allowedOrigin {
+      		reverse_proxy 127.0.0.1:6333 {
+      			header_down -Access-Control-*
+      			header_down -Vary
+      		}
+      		header {
+      			Access-Control-Allow-Origin "{http.request.header.Origin}"
+      			Access-Control-Allow-Credentials "true"
+      			Access-Control-Expose-Headers "Authorization"
+      			Vary "Origin"
+      		}
+      	}
+
+      	# No Origin: just proxy
+      	handle {
+      		reverse_proxy 127.0.0.1:6333
+      	}
    '';
  };

  services.caddy.virtualHosts."pocket.deprived.dev" = {
    extraConfig = ''
-      # Match allowed origins
-      @allowedOrigin header_regexp Origin ^https?://(localhost(:[0-9]+)?|deprived\.dev|([a-z0-9-]+\.)*deprived\.dev)$
+        @allowedOrigin header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
+      	@hasOrigin header Origin *
      	@preflight method OPTIONS

-      # Preflight: answer directly
-      handle @preflight {
-        header {
-          -Access-Control-Allow-Origin
-          -Access-Control-Allow-Methods
-          -Access-Control-Allow-Headers
-          -Access-Control-Allow-Credentials
-          -Vary
+      	@badOrigin {
+      		not {
+      			header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
      		}
-        header @allowedOrigin {
-          Access-Control-Allow-Origin "{http.request.header.Origin}"
-          Access-Control-Allow-Methods "GET,POST,PUT,PATCH,DELETE,OPTIONS"
-          Access-Control-Allow-Headers "*"
-          Access-Control-Allow-Credentials "true"
-          Vary "Origin"
-        }
-        respond 204
+      		header Origin *
      	}

-      # Actual requests: proxy, strip upstream CORS, then set ours
-      handle {
+      	@preflightAllowed {
+      		method OPTIONS
+      		header_regexp Origin ^https?://(localhost(:\d+)?|([a-z0-9-]+\.)*deprived\.dev)$
+      	}
+
+      	# Allowed preflight
+      	handle @preflightAllowed {
+      		header {
+      			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
+      			Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
+      			Access-Control-Max-Age "3600"
+      			Access-Control-Allow-Credentials "true"
+      			Access-Control-Allow-Origin "{http.request.header.Origin}"
+      			Vary "Origin"
+      		}
+      		respond "" 204
+      	}
+
+      	# Preflight but missing/bad origin
+      	handle @preflight {
+      		respond "CORS origin not allowed" 403
+      	}
+
+      	# Block actual requests with bad origin
+      	handle @badOrigin {
+      		respond "CORS origin not allowed" 403
+      	}
+
+      	# Allowed origins → proxy + always add CORS (even if upstream returns 204)
+      	handle @allowedOrigin {
      		reverse_proxy 127.0.0.1:3433 {
-          header_down -Access-Control-Allow-Origin
-          header_down -Access-Control-Allow-Methods
-          header_down -Access-Control-Allow-Headers
-          header_down -Access-Control-Allow-Credentials
+      			header_down -Access-Control-*
      			header_down -Vary
      		}
-        header @allowedOrigin {
+      		header {
      			Access-Control-Allow-Origin "{http.request.header.Origin}"
      			Access-Control-Allow-Credentials "true"
+      			Access-Control-Expose-Headers "Authorization"
      			Vary "Origin"
      		}
      	}
+
+      	# No Origin: just proxy
+      	handle {
+      		reverse_proxy 127.0.0.1:3433
+      	}
+
    '';
  };

@ -126,6 +202,23 @@
    '';
  };

+  services.caddy.virtualHosts."zcol.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:7577
+    '';
+  };
+
+  services.caddy.virtualHosts."zcollection.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:7577
+    '';
+  };
+  services.caddy.virtualHosts."zcollection.mcd.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:7578
+    '';
+  };
+
  services.caddy.virtualHosts."direct.stream.deprived.dev" = {
    extraConfig = ''
      @allowKey {
@ -148,6 +241,12 @@
    '';
  };

+  services.caddy.virtualHosts."dev.hook.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:3322
+    '';
+  };
+
  services.caddy.virtualHosts."internal.deprived.dev" = {
    extraConfig = ''
      # Only allow GET + POST
--- a/users.nix
+++ b/users.nix
@ -18,6 +18,7 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhcUZbIMX0W27l/FMF5WijpdsJAK329/P008OEAfcyz botmain@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3J4vGo2eWzwXU2K6kaom8pmElX+PaAuasH5BWQ9v7 root@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILB0esg3ABIcYWxvQKlPuwEE6cbhNcWjisfky0wnGirJ root@nixos"
    ];
  };