mirror of https://github.com/RGBCube/ncc synced 2025-07-27 18:17:44 +00:00

cinny: init

RGBCube 2025-06-08 18:26:57 +03:00
parent 9e9cb7e522
commit b97f056b00
Signed by: RGBCube
SSH key fingerprint: SHA256:CzqbPcfwt+GxFYNnFVCqoN5Itn4YFrshg1TrnACpA5M
4 changed files with 91 additions and 5 deletions

78
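--- /dev/null
+++ b/hosts/best/cinny.nix
@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }: let
+inherit (lib) flip merge;
+fqdn = "cinny.rgbcu.be";
+root = pkgs.cinny;
+in {
+nixpkgs.overlays = [(self: super: {
+cinny-unwrapped = flip self.callPackage {} ({
+lib,
+buildNpmPackage,
+fetchFromGitHub,
+giflib,
+python3,
+pkg-config,
+pixman,
+cairo,
+pango,
+stdenv,
+}:
+buildNpmPackage {
+pname = "cinny";
+version = "4.8.0";
+src = fetchFromGitHub {
+owner = "RGBCube";
+repo = "cinny";
+rev = "becc5f65820c6bf0d9acf3ddf5519519c3e174ad";
+hash = "sha256-Ym7BzkWjwR+ojP5jGBeHJeH03PZFuiME54RILR7pDqs=";
+};
+npmDepsHash = "sha256-LZLaaFL7vmFos3TCL4brT6gyEpZFjctsag6uH4CQPdI=";
+nativeBuildInputs = [
+python3
+pkg-config
+];
+buildInputs = [
+pixman
+cairo
+pango
+] ++ lib.optionals stdenv.hostPlatform.isDarwin [ giflib ];
+installPhase = ''
+runHook preInstall
+cp -r dist $out
+runHook postInstall
+'';
+meta = {
+description = "Yet another Matrix client for the web";
+homepage = "https://cinny.in/";
+license = lib.licenses.agpl3Only;
+platforms = lib.platforms.all;
+};
+});
+})];
+services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+inherit root;
+extraConfig = /* nginx */ ''
+rewrite ^/config.json$ /config.json break;
+rewrite ^/manifest.json$ /manifest.json break;
+rewrite ^/sw.js$ /sw.js break;
+rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break;
+rewrite ^/public/(.*)$ /public/$1 break;
+rewrite ^/assets/(.*)$ /assets/$1 break;
+rewrite ^(.+)$ /index.html break;
+'';
+};
+}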
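Review bot: `version = "4.8.0"` labels a build whose `src` is a pinned commit of the `RGBCube/cinny` fork, so anything that maps the package version to upstream advisories will treat it as the stock 4.8.0 release. The page does not show how far the fork has diverged from upstream or whether `rev` corresponds to the 4.8.0 tag, so I would record that next to the pin, e.g. `# fork of upstream cinny at <upstream tag or commit>; rebase when upstream ships a security release`, and consider a version suffix that marks it as a fork build. The `rev` plus `hash` and `npmDepsHash` pins themselves are what a reproducible fetch needs.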


@ -111,9 +111,7 @@ in {
}; };
services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate { services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
extraConfig = '' extraConfig = config.services.plausible.extraNginxConfigFor fqdn;
${config.services.plausible.extraNginxConfigFor fqdn}
'';
locations."/".proxyPass = "http://[::1]:${toString port}"; locations."/".proxyPass = "http://[::1]:${toString port}";
}; };


@ -7,7 +7,7 @@
port = 8002; port = 8002;
wellKnownResponse = data: /* nginx */ '' wellKnownResponse = data: /* nginx */ ''
${config.services.nginx.headers} ${config.services.nginx.headersNoAccessControlOrigin}
add_header Access-Control-Allow-Origin * always; add_header Access-Control-Allow-Origin * always;
default_type application/json; default_type application/json;


@ -11,15 +11,26 @@ in {
}; };
options.services.nginx.headers = mkConst /* nginx */ '' options.services.nginx.headers = mkConst /* nginx */ ''
proxy_hide_header Access-Control-Allow-Origin;
add_header Access-Control-Allow-Origin $allow_origin always; add_header Access-Control-Allow-Origin $allow_origin always;
${config.services.nginx.headersNoAccessControlOrigin}
'';
options.services.nginx.headersNoAccessControlOrigin = mkConst /* nginx */ ''
proxy_hide_header Access-Control-Allow-Methods;
add_header Access-Control-Allow-Methods $allow_methods always; add_header Access-Control-Allow-Methods $allow_methods always;
proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security $hsts_header always; add_header Strict-Transport-Security $hsts_header always;
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';" always; add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';" always;
proxy_hide_header Referrer-Policy;
add_header Referrer-Policy no-referrer always; add_header Referrer-Policy no-referrer always;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options DENY always; add_header X-Frame-Options DENY always;
''; '';
@ -52,7 +63,6 @@ in {
https "max-age=31536000; includeSubdomains; preload"; https "max-age=31536000; includeSubdomains; preload";
} }
# FIXME: These two aren't working.
map $http_origin $allow_origin { map $http_origin $allow_origin {
~^https://.+\.${domain}$ $http_origin; ~^https://.+\.${domain}$ $http_origin;
} }
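Review bot: `proxy_hide_header Content-Security-Policy;` in `headersNoAccessControlOrigin` now strips whatever policy a proxied application sends and replaces it with the shared one, which allows `'unsafe-inline'` and `'unsafe-eval'` in `script-src` and sets no `default-src` or `frame-ancestors`. For any upstream that ships a stricter CSP this is a downgrade, and the same shared policy is presumably what the new Cinny vhost, a client that keeps Matrix session data in the browser, is served with. I would either leave the CSP hide out of the shared block or document the override directly above it, e.g. `# replaces the upstream CSP; keep this policy at least as strict as the apps behind it`. Hiding the upstream copies of the HSTS, Referrer-Policy, X-Frame-Options and CORS headers to avoid duplicates looks fine.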