RGBCube/ncc
1
Fork 0
mirror of https://github.com/RGBCube/ncc synced 2025-08-01 20:47:48 +00:00
Code Issues Activity

Compare commits

base: RGBCube:4baa790ca418a081275fc03c298acb232f600a70
Branches Tags
RGBCube:master
...
compare: RGBCube:f8c824dd0a24bf9cc5197d5542b96b750aad9c7d
Branches Tags
RGBCube:master

4 commits
4baa790ca4 ... f8c824dd0a

Author SHA1 Message Date
RGBCube
f8c824dd0a
plausible: add to other services 2025-06-08 06:11:29 +03:00
RGBCube
e7cf9c7239
plausible: init 2025-06-08 05:19:13 +03:00
RGBCube
b9c640dd78
matrix: add comment and explicit setting about registration 2025-06-08 05:01:15 +03:00
RGBCube
cb19202bb7
nix-serve: fix key user 2025-06-08 04:59:16 +03:00
10 changed files with 77 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/best/cache/default.nix vendored
View file

@ -10,7 +10,7 @@ in {
secrets.nixServeKey = { secrets.nixServeKey = {
file = ./key.age; file = ./key.age;
owner = "nix-serve"; owner = "root"; # `nix-serve` runs as root.
}; };
services.nix-serve = enabled { services.nix-serve = enabled {

4
hosts/best/forgejo.nix
View file

@ -111,6 +111,10 @@ in {
}; };
services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate { services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
extraConfig = ''
${config.services.plausible.extraNginxConfigFor fqdn}
'';
locations."/".proxyPass = "http://[::1]:${toString port}"; locations."/".proxyPass = "http://[::1]:${toString port}";
}; };
} }

2
hosts/best/grafana/default.nix
View file

@ -77,6 +77,8 @@ in {
# Grafana sets `nosniff` while not setting the content type properly, # Grafana sets `nosniff` while not setting the content type properly,
# so everything breaks with it. Unset the header. # so everything breaks with it. Unset the header.
proxy_hide_header X-Content-Type-Options; proxy_hide_header X-Content-Type-Options;
${config.services.plausible.extraNginxConfigFor fqdn}
''; '';
proxyPass = "http://[::1]:${toString port}"; proxyPass = "http://[::1]:${toString port}";

1
hosts/best/matrix/default.nix
View file

@ -66,6 +66,7 @@ in {
url_preview_enabled = true; url_preview_enabled = true;
dynamic_thumbnails = true; dynamic_thumbnails = true;
enable_registration = false; # Setting it explicitly just in case.
expire_access_token = true; expire_access_token = true;
# Trusting Matrix.org. # Trusting Matrix.org.

4
hosts/best/nextcloud/default.nix
View file

@ -111,6 +111,8 @@ in {
}; };
services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate { services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
extraConfig = config.services.nginx.headers; extraConfig = ''
${config.services.nginx.headers}
'';
}; };
} }

48
hosts/best/plausible/default.nix Normal file
View file

@ -0,0 +1,48 @@
{ config, self, lib, ... }: let
inherit (config.networking) domain;
inherit (lib) enabled merge mkConst;
fqdn = "shekels.${domain}";
port = 8007;
in {
imports = [
(self + /modules/nginx.nix)
(self + /modules/postgresql.nix)
];
config.secrets.plausibleKey = {
file = ./key.age;
owner = "plausible";
};
config.services.postgresql.ensure = [ "plausible" ];
config.services.plausible = enabled {
server = {
disableRegistration = true; # Setting it explicitly just in case.
secretKeybaseFile = config.secrets.plausibleKey.path;
baseUrl = "https://${fqdn}";
listenAddress = "::1";
inherit port;
};
};
options.services.plausible.extraNginxConfigFor = mkConst /* nginx */ (domain: ''
proxy_set_header Accept-Encoding ""; # Substitution won't work if it is compressed.
sub_filter "</head>" '<script defer data-domain="${domain}" src="https://${fqdn}/js/script.js"></script></head>';
sub_filter_last_modified on;
sub_filter_once on;
'');
config.services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
extraConfig = config.services.plausible.extraNginxConfigFor fqdn;
locations."/" = {
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
};
}

7
hosts/best/plausible/key.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 8y3T6w 6z16kXAqAppYOMXQ7riHs+iP6SFMfJND1KlG0TI+Bgo
Gm99zghsZ69nBzs8I+Hs3fRM7+dGEaNC7mFwVJZbjO4
-> ssh-ed25519 CzqbPQ AYm8rfc18ftg7vvt6MVIYlaMcyL09VDoDBLGa0v6STo
uWmdITsGHXPZfMMBDdaYkbLCHntii4mupaWklLfOYa0
--- LFjB2mFBC6OkRoM7A9RVGjcXGbMQGKutBz44EDK3YJo
ーuL6lクレ6eユ燗z<E78797>月モE<EFBE93>'「Gコ殻逎、^xjノヤj椴!YEsDZモy2紙ヲ<E7B499>rF瀚Oソ<4F>K<EFBFBD><4B>剰%フ<>圦ネ^秉怖ホ<E68096>ミ┐ィ∩ワY麩屍トyI

3
modules/nginx.nix
View file

@ -16,7 +16,7 @@ in {
add_header Strict-Transport-Security $hsts_header always; add_header Strict-Transport-Security $hsts_header always;
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; base-uri 'self';" always; add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';" always;
add_header Referrer-Policy no-referrer always; add_header Referrer-Policy no-referrer always;
@ -52,6 +52,7 @@ in {
https "max-age=31536000; includeSubdomains; preload"; https "max-age=31536000; includeSubdomains; preload";
} }
# FIXME: These two aren't working.
map $http_origin $allow_origin { map $http_origin $allow_origin {
~^https://.+\.${domain}$ $http_origin; ~^https://.+\.${domain}$ $http_origin;
} }

11
modules/site.nix
View file

@ -2,6 +2,7 @@
inherit (config.networking) domain; inherit (config.networking) domain;
inherit (lib) enabled merge; inherit (lib) enabled merge;
fqdn = domain;
root = "/var/www/site"; root = "/var/www/site";
in { in {
imports = [(self + /modules/nginx.nix)]; imports = [(self + /modules/nginx.nix)];
@ -16,7 +17,7 @@ in {
} }
''; '';
virtualHosts.${domain} = merge config.services.nginx.sslTemplate { virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
inherit root; inherit root;
locations."/".tryFiles = "$uri $uri.html $uri/index.html =404"; locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";
@ -29,6 +30,8 @@ in {
extraConfig = /* nginx */ '' extraConfig = /* nginx */ ''
error_page 404 /404.html; error_page 404 /404.html;
${config.services.plausible.extraNginxConfigFor fqdn}
''; '';
locations."/404".extraConfig = /* nginx */ '' locations."/404".extraConfig = /* nginx */ ''
@ -36,12 +39,12 @@ in {
''; '';
}; };
virtualHosts."www.${domain}" = merge config.services.nginx.sslTemplate { virtualHosts."www.${fqdn}" = merge config.services.nginx.sslTemplate {
locations."/".return = "301 https://${domain}$request_uri"; locations."/".return = "301 https://${fqdn}$request_uri";
}; };
virtualHosts._ = merge config.services.nginx.sslTemplate { virtualHosts._ = merge config.services.nginx.sslTemplate {
locations."/".return = "301 https://${domain}/404"; locations."/".return = "301 https://${fqdn}/404";
}; };
}; };
} }

2
secrets.nix
View file

@ -20,6 +20,8 @@ in {
"hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins; "hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins;
"hosts/best/plausible/key.age".publicKeys = [ best ] ++ admins;
# disk # disk
"hosts/disk/id.age".publicKeys = [ disk ] ++ admins; "hosts/disk/id.age".publicKeys = [ disk ] ++ admins;
"hosts/disk/password.age".publicKeys = [ disk ] ++ admins; "hosts/disk/password.age".publicKeys = [ disk ] ++ admins;