From 3eeff16012e9593478442de2aec1a5c33faf4bd8 Mon Sep 17 00:00:00 2001
From: noe
Date: Tue, 13 May 2025 20:40:49 -0700
Subject: [PATCH] minio for static-sites
---
 flake.lock | 77 +++++++++++++--------------
 flake.nix | 2 -
 nixos/hosts/ingress-proxy/default.nix | 22 ++++++--
 nixos/hosts/static-sites/default.nix | 28 +++++++++-
 nixos/hosts/static-sites/minio.nix | 20 +++++++
 pkgs/mspaint/default.nix | 4 ++
 secrets/static-sites/default.yaml | 44 +++++++++++++++
 7 files changed, 150 insertions(+), 47 deletions(-)
 create mode 100644 nixos/hosts/static-sites/minio.nix
 create mode 100644 secrets/static-sites/default.yaml
diff --git a/flake.lock b/flake.lock
index 6280f6b..76f798f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -39,11 +39,11 @@
 },
 "crane_2": {
 "locked": {
- "lastModified": 1737689766,
- "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=",
+ "lastModified": 1746291859,
+ "narHash": "sha256-DdWJLA+D5tcmrRSg5Y7tp/qWaD05ATI4Z7h22gd1h7Q=",
 "owner": "ipetkov",
 "repo": "crane",
- "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527",
+ "rev": "dfd9a8dfd09db9aad544c4d3b6c47b12562544a5",
 "type": "github"
 },
 "original": {
@@ -331,11 +331,11 @@
 ]
 },
 "locked": {
- "lastModified": 1746287478,
- "narHash": "sha256-z3HiHR2CNAdwyZTWPM2kkzhE1gD1G6ExPxkaiQfNh7s=",
+ "lastModified": 1747184352,
+ "narHash": "sha256-GBZulv50wztp5cgc405t1uOkxQYhSkMqeKLI+iSrlpk=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "75268f62525920c4936404a056f37b91e299c97e",
+ "rev": "7c1cefb98369cc85440642fdccc1c1394ca6dd2c",
 "type": "github"
 },
 "original": {
@@ -397,11 +397,11 @@
 "rust-overlay": "rust-overlay_2"
 },
 "locked": {
- "lastModified": 1740256865,
- "narHash": "sha256-KhcnH5vgn9QMXeiYmpk1jtqr3hEAOuLoRuLmhVvr5FA=",
+ "lastModified": 1746820998,
+ "narHash": "sha256-lLccmUibSUDF6omWoOx8eAtRee2WV3jiY75rIPfmqgM=",
 "owner": "4jx",
 "repo": "l5p-keyboard-rgb",
- "rev": "2fd9dba693f9bed89fb07c672dd6c522e6cf4301",
+ "rev": "01e3ac051ee83f41e9b435f29217319cccb30f21",
 "type": "github"
 },
 "original": {
@@ -523,11 +523,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1745955289,
- "narHash": "sha256-mmV2oPhQN+YF2wmnJzXX8tqgYmUYXUj3uUUBSTmYN5o=",
+ "lastModified": 1747129300,
+ "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=",
 "owner": "nixos",
 "repo": "nixos-hardware",
- "rev": "72081c9fbbef63765ae82bff9727ea79cc86bd5b",
+ "rev": "e81fd167b33121269149c57806599045fd33eeed",
 "type": "github"
 },
 "original": {
@@ -642,11 +642,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1746307609,
- "narHash": "sha256-KyXS1SBYHC3rOuU+03n7FsK29dyYutDDhGGm+PclhuU=",
+ "lastModified": 1747187148,
+ "narHash": "sha256-xE8/ML8PrY2qO0NlMmI94BdjIZ4gTgyq6cKmwbLvBnE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "b440606b4212f01eac9d24e5fbb9ab0b281b5548",
+ "rev": "e481f916e39560b6d9327037f8001bf43e3f336f",
 "type": "github"
 },
 "original": {
@@ -658,11 +658,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1746183838,
- "narHash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA=",
+ "lastModified": 1746957726,
+ "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "bf3287dac860542719fe7554e21e686108716879",
+ "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94",
 "type": "github"
 },
 "original": {
@@ -674,11 +674,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1746232882,
- "narHash": "sha256-MHmBH2rS8KkRRdoU/feC/dKbdlMkcNkB5mwkuipVHeQ=",
+ "lastModified": 1746904237,
+ "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "7a2622e2c0dbad5c4493cb268aba12896e28b008",
+ "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
 "type": "github"
 },
 "original": {
@@ -706,18 +706,15 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1737717945,
- "narHash": "sha256-ET91TMkab3PmOZnqiJQYOtSGvSTvGeHoegAv4zcTefM=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "ecd26a469ac56357fd333946a99086e992452b6a",
- "type": "github"
+ "lastModified": 1743583204,
+ "narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=",
+ "path": "/nix/store/fwhfa9pbx8vdi8nd5pcys665baz6xdxf-source",
+ "rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434",
+ "type": "path"
 },
 "original": {
- "owner": "NixOS",
- "ref": "nixpkgs-unstable",
- "repo": "nixpkgs",
- "type": "github"
+ "id": "nixpkgs",
+ "type": "indirect"
 }
 },
 "nixpkgs_4": {
@@ -754,11 +751,11 @@
 },
 "nixpkgs_6": {
 "locked": {
- "lastModified": 1746232882,
- "narHash": "sha256-MHmBH2rS8KkRRdoU/feC/dKbdlMkcNkB5mwkuipVHeQ=",
+ "lastModified": 1746904237,
+ "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "7a2622e2c0dbad5c4493cb268aba12896e28b008",
+ "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
 "type": "github"
 },
 "original": {
@@ -928,11 +925,11 @@
 ]
 },
 "locked": {
- "lastModified": 1737771740,
- "narHash": "sha256-lWIdF4qke63TdCHnJ0QaUHfG8YvsDrBqzL4jiHYQd+Y=",
+ "lastModified": 1746758179,
+ "narHash": "sha256-JECUw1YBEsTsVauvupRzE5ykZaJoyhHCpoY87ZZJGas=",
 "owner": "oxalica",
 "repo": "rust-overlay",
- "rev": "cfaaa1dddd280af09aca84af84612fbccd986ae2",
+ "rev": "4fd00513eac6b6140c5dced3e1b8133e2369a0f8",
 "type": "github"
 },
 "original": {
@@ -967,11 +964,11 @@
 "nixpkgs": "nixpkgs_7"
 },
 "locked": {
- "lastModified": 1745310711,
- "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+ "lastModified": 1746485181,
+ "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+ "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index b888bcf..a3749ae 100644
--- a/flake.nix
+++ b/flake.nix
@@ -89,12 +89,10 @@
 nixConfig = {
 extra-substituters = [
 "https://nix-community.cachix.org"
- "https://0uptime.cachix.org"
 ];
 extra-trusted-public-keys = [
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "0uptime.cachix.org-1:ctw8yknBLg9cZBdqss+5krAem0sHYdISkw/IFdRbYdE="
 ];
 };
diff --git a/nixos/hosts/ingress-proxy/default.nix b/nixos/hosts/ingress-proxy/default.nix
index a08420e..7160d56 100644
--- a/nixos/hosts/ingress-proxy/default.nix
+++ b/nixos/hosts/ingress-proxy/default.nix
@@ -17,8 +17,12 @@ in rec {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 networking.firewall.allowedUDPPorts = [ 80 443 ];
- services.nginx = {
- package = pkgs.tengine;
+ services.nginx = let
+ commonExtra = ''
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ '';
+ in {
+ package = pkgs.nginxQuic.override { withSlice = true; };
 recommendedBrotliSettings = true;
 recommendedGzipSettings = true;
@@ -60,6 +64,10 @@ in rec {
 inactive = "720m";
 };
+ commonHttpConfig = ''
+ ssl_early_data on;
+ '';
+
 virtualHosts = let
 defaultConfig = {
 listen = [
@@ -70,8 +78,10 @@ in rec {
 ];
 http2 = true;
 http3 = true;
+ quic = true;
 forceSSL = lib.mkDefault true;
 enableACME = true;
+ extraConfig = commonExtra;
 };
 internalConfig = {
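Review bot: `ssl_early_data on;` in the new commonHttpConfig (hunk @@ -60) enables TLS 1.3 0-RTT for every virtual host, and requests carried in early data can be replayed by whoever captured them; nginx's documented mitigation is to pass `$ssl_early_data` to the upstream so it can refuse non-idempotent early requests with 425 Too Early. The static hosts are unaffected as far as this hunk shows, but this file also has `proxyPass` locations (the allow-listed internal hosts in later hunks), and for those add `proxy_set_header Early-Data $ssl_early_data;` next to each location's other proxy headers rather than at http level, because nginx replaces an inherited `proxy_set_header` set wholesale once a location defines its own. A one-line comment above `ssl_early_data on;` naming that contract (`# 0-RTT is replayable; proxied locations must forward Early-Data`) would keep it from being silently lost. The enclosing `services.nginx` attrset starts and ends outside the hunk.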
@@ -105,7 +115,7 @@ in rec {
 } // defaultConfig;
 in rec {
 "mekanoe.com" = staticSite;
- "noe.sh" = staticSite // { forceSSL = false; };
+ "noe.sh" = staticSite;
 "foxxolay.com" = staticSite;
 "kitsu.love" = staticSite;
 "doll.repair" = staticSite;
@@ -131,6 +141,7 @@ in rec {
 proxyWebsockets = true;
 };
 extraConfig = ''
+ ${commonExtra}
 allow 127.0.0.1;
 allow 10.0.0.0/8;
 allow 100.64.0.0/10;
@@ -150,6 +161,7 @@ in rec {
 proxyPass = "https://censusdbg";
 };
 extraConfig = ''
+ ${commonExtra}
 allow 127.0.0.1;
 allow 100.64.0.0/10;
 allow 10.0.0.0/8;
@@ -207,7 +219,9 @@ in rec {
 "kat.cafe" = {
 serverAliases = ["dripping.blood.pet"];
 locations."/" = {
- extraConfig = "return 302 https://noe.sh;";
+ extraConfig = ''
+ return 302 https://bad.horse;
+ '';
 };
 locations."/s" = {
 recommendedProxySettings = true;
diff --git a/nixos/hosts/static-sites/default.nix b/nixos/hosts/static-sites/default.nix
index 510ec49..8d0817f 100644
--- a/nixos/hosts/static-sites/default.nix
+++ b/nixos/hosts/static-sites/default.nix
@@ -7,6 +7,7 @@ in rec {
 ../../features/dns-cache.nix
 ../../features/nginx.nix
 ../../features/telemetry/nginx.nix
+ ./minio.nix
 ];
 networking.hostName = "static-sites";
@@ -41,6 +42,31 @@ in rec {
 '';
 };
 } // defaultConfig;
+ minio = bucket: {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9000/${bucket}/";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ proxy_intercept_errors on;
+ proxy_hide_header x-amz-request-id;
+ proxy_hide_header x-amz-bucket-region;
+ proxy_hide_header x-amz-id-2;
+ proxy_hide_header x-amz-meta-s3cmd-attrs;
+ proxy_hide_header x-ratelimit-limit;
+ proxy_hide_header x-ratelimit-remaining;
+ proxy_hide_header x-minio-deployment-id;
+ proxy_hide_header strict-transport-security;
+ proxy_hide_header x-firefox-spdy;
+ proxy_hide_header x-xss-protection;
+ proxy_hide_header x-content-type-options;
+ proxy_hide_header vary;
+
+ rewrite ^/$ /${bucket}/index.html break;
+ rewrite (.*)/$ /$1/index.html;
+ rewrite ^([^.]*[^/])$ /$1/ permanent;
+ '';
+ };
+ } // defaultConfig;
 in rec {
 "noe.sh" = static { src = flakePackage "noe-sh"; aliases = [ "mekanoe.com" ]; } // {
 locations."=/" = {
@@ -53,7 +79,7 @@ in rec {
 };
 # "3d.noe.sh" = static { src = flakePackage "3d-noe-sh"; aliases = [ "art.mekanoe.com" ]; };
- "doll.repair" = static { src = flakePackage "doll-repair"; };
+ "doll.repair" = minio "doll.repair";
 "blood.pet" = static { src = flakePackage "blood-pet"; };
 "foxxolay.com" = static {
diff --git a/nixos/hosts/static-sites/minio.nix b/nixos/hosts/static-sites/minio.nix
new file mode 100644
index 0000000..e294e16
--- /dev/null
+++ b/nixos/hosts/static-sites/minio.nix
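Review bot: The new `minio` helper forwards every request method to the bucket, so whether a `PUT`/`DELETE`/`POST` on a site path is refused depends entirely on MinIO's bucket policy; for a read-only static site add `limit_except GET HEAD { deny all; }` to the location's extraConfig so the proxy itself rejects writes. The helper also presumes the bucket allows anonymous reads, and nothing in this commit sets a bucket policy, so `doll.repair` will presumably answer 403 until that is configured out of band; a comment on `minio = bucket:` stating that the bucket must be anonymously readable, and only readable, would save the next operator a debugging round. Hiding `strict-transport-security` and `x-content-type-options` from the upstream response is only safe if the imported nginx feature module re-adds them at the server level, which is not visible here. The `let` that holds `minio`, `static` and `defaultConfig` starts outside the hunk.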
@@ -0,0 +1,20 @@
+{ config, ... }: {
+
+ sops.secrets.minio_root_user = {
+ sopsFile = ../../../secrets/static-sites/default.yaml;
+ };
+ sops.secrets.minio_root_pass = {
+ sopsFile = ../../../secrets/static-sites/default.yaml;
+ };
+
+ sops.templates."minio-root-credentials" = {
+ content = ''
+MINIO_ROOT_USER=${config.sops.placeholder.minio_root_user}
+MINIO_ROOT_PASSWORD=${config.sops.placeholder.minio_root_pass}'';
+ };
+
+ services.minio = {
+ enable = true;
+ rootCredentialsFile = config.sops.templates."minio-root-credentials".path;
+ };
+}
diff --git a/pkgs/mspaint/default.nix b/pkgs/mspaint/default.nix
index 7627652..320c877 100644
--- a/pkgs/mspaint/default.nix
+++ b/pkgs/mspaint/default.nix
@@ -19,4 +19,8 @@ in pkgs.stdenvNoCC.mkDerivation {
 ];
 desktopItems = [ desktopItem ];
+
+ installPhase = ''
+
+ '';
 }
diff --git a/secrets/static-sites/default.yaml b/secrets/static-sites/default.yaml
new file mode 100644
index 0000000..c5e8f39
--- /dev/null
+++ b/secrets/static-sites/default.yaml
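Review bot: `services.minio` is enabled with its default listen addresses, which bind the S3 API and the web console on all interfaces, while the only consumer this commit introduces is nginx on the same host proxying to `http://127.0.0.1:9000`; set `listenAddress = "127.0.0.1:9000";` and `consoleAddress = "127.0.0.1:9001";` so the root-credentialed API and console are reachable only through the proxy regardless of firewall state. The host's firewall configuration is not in this diff, so this is about the default bind rather than an observed exposure. Style: the two `MINIO_ROOT_*` lines in the `''` template are pushed to column 0, but Nix indented strings strip the common leading indentation, so they can be indented with the surrounding block without changing the rendered file.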
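Review bot: The added `installPhase` is an empty string, which replaces stdenv's default install phase with one that does nothing; unless an earlier phase in this derivation creates `$out` (not visible here), the build will fail for producing no output, and if something does create `$out` the override is dead code. Either fill in the phase or drop it until it is needed; if it is meant as a stub, put a `# TODO: install <what>` comment inside it so the intent is recorded. The `mkDerivation` call starts outside the hunk.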
@@ -0,0 +1,44 @@ +minio_root_user: ENC[AES256_GCM,data:9ift+w==,iv:D25le5OO38mHNwakYl8qMaP/fIEFIeO8m2EFpqiiqAs=,tag:OL8bB5HClPibUtq0XqpMxQ==,type:str] +minio_root_pass: ENC[AES256_GCM,data:Z0n2A7b+4JImsI8EikZR6hOf28Mae39lTRa6S/OiD4Bx/fcg7ecQ5g==,iv:K21e8oZ6ics9YUjSAqgTi0jp+58LVf3evUsLvYyanSk=,tag:NOmfZeThbDqAolLCoBR9mQ==,type:str] +sops: + age: + - recipient: age1lq5q5g5qjsdcc3key0n6qytkc9z3qx3d3e96ap9zre2aqgvc9ujq82l9hd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Z1I0MTRuRTVPaldwYXpE + dS9aTkVJai9iZG8zeFo2cHY1aGt0WkpYUjBvCk9BQzZtWTBSQkxNRTc4U0lUb1dN + ZlNOYnFSc2Mwc0FYRnoyWWhrOFQ5UkEKLS0tIG55dnduN08vSnY1WStrSWprU1lK + bUhnak1RZ2NEYTRlNGJQNU91dlpKUXcKPA1NHA75xRWllcbFLhogJS8V4ddwvGW5 + FGXVBKZMTWFg7scpWOE6OVlMHFK2+5kCoB+kLuAqXS1aVq0okS9EbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p0f62dwatt558sf5s4equdqwtg5m7lsnaytrf3xjnvmx3e0lqu4svtugyp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMG5RZUxySWZSdmZua0Ur + ZnJWSkJsUmdqY1laamdaWm14Q2J5dUxxNWdzCno4NDlEaWxwVE52Y2ptRDJlNTNt + TTdCMWJJL2JkYUFRVWY2OGpDTkdoSk0KLS0tIHcwYitYSThCcjhjaXVNV3Zzak03 + YklSZm5XZ3BCSkNNWnErN0MwZEU1NlkK2jADPIG8/KkvOQ9bwi7EMVN77Wm8K4Lb + 1v2jYHPIsb7Ab0dInJcXfmcEnFo4I/IJ7JFUcsSCNKhB7POt3a0JEw== + -----END AGE ENCRYPTED FILE----- + - recipient: age13c5wv623jxjja5mjz7fajg9qqwvypzgsfqrs4tmk7rpgyzu7aufs4ul9f9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaDFSNWJRc0xzUDFuaEhV + bm1Ncm5GV1l1MmlnOWtxbURMVVRGbCs0Q0NBCkwwVUR6V2pWSFN1dlJtMk1KQVB6 + ejVCVUR6N0hDcTVhaUdXRkRwOVZPR00KLS0tIE1UQ05lRGNCY3MyMXFQck9lSEo0 + azFtdzVwTTlwT3hpcVI0dDUxTjh1OEUKYK5VWYju936Y07dec4HTE/U4RG8pU/PG + +yx+dci5eRayoN0I+JDZg8ifxj4f9SGBEUiB+xfImh67+Gcyhr4YdQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s4hzwj982zk04kr7c5u0vlemkzalv72wtkttkgzt64xv8a4r25zqxra6u0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMR1dRanR6N3dnNTZ1SGpM + 
dlZ4UlIyMjJtVUR1eWZrN2E4Q0RYd09qeVFrCkNwd0Q5dDhEeXlWZnVkSzJlbENy + V0xrTktHOUtMSnZhN1hZN0ROc05aMmcKLS0tIEFsTDE3RzdJV0crUFBPaFNFNjJr + TzBkaEx6Z3VWYlB6aXJ0UEc1NnNTZWsKRE57cTa9yL8cKckISq9RlU0JwvJl0wuo + VKy9TczYN+Sykrq30MxCXQSnpKCUqJ1xuJS7+xJlpLs+jGZIjIg7+A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-05-14T02:13:37Z" + mac: ENC[AES256_GCM,data:E9iQOY3ZGsMAAN+FpIcAJLuylSlISvVBXYCndbqkh2zxQnvxnjO4EUw+0uqtknCiFJYqXl/tGudTZG0Xb091AHVjNzNPfhO8aNbHvugXCBTt2d55Zqjr3otYgE9lXV+aBhCkjo4CgrZPDRGLaG0iM0bLGuxgd9o1I0ILVOw33Bc=,iv:MsbhZSSHfvRt1Z4lg/OqNCCoebOrWC5CcBocXLGyMKc=,tag:Owf6/3IJLvgfvuOppfLzUw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2