minio for static-sites

2025-05-13 20:40:49 -07:00 · 2025-05-13 20:40:49 -07:00 · 3eeff16012
commit 3eeff16012
parent 7bf303b3e1
7 changed files with 150 additions and 47 deletions
--- a/flake.lock
+++ b/flake.lock
@ -39,11 +39,11 @@
    },
    "crane_2": {
      "locked": {
-        "lastModified": 1737689766,
+        "lastModified": 1746291859,
-        "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=",
+        "narHash": "sha256-DdWJLA+D5tcmrRSg5Y7tp/qWaD05ATI4Z7h22gd1h7Q=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527",
+        "rev": "dfd9a8dfd09db9aad544c4d3b6c47b12562544a5",
        "type": "github"
      },
      "original": {
@ -331,11 +331,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1746287478,
+        "lastModified": 1747184352,
-        "narHash": "sha256-z3HiHR2CNAdwyZTWPM2kkzhE1gD1G6ExPxkaiQfNh7s=",
+        "narHash": "sha256-GBZulv50wztp5cgc405t1uOkxQYhSkMqeKLI+iSrlpk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "75268f62525920c4936404a056f37b91e299c97e",
+        "rev": "7c1cefb98369cc85440642fdccc1c1394ca6dd2c",
        "type": "github"
      },
      "original": {
@ -397,11 +397,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1740256865,
+        "lastModified": 1746820998,
-        "narHash": "sha256-KhcnH5vgn9QMXeiYmpk1jtqr3hEAOuLoRuLmhVvr5FA=",
+        "narHash": "sha256-lLccmUibSUDF6omWoOx8eAtRee2WV3jiY75rIPfmqgM=",
        "owner": "4jx",
        "repo": "l5p-keyboard-rgb",
-        "rev": "2fd9dba693f9bed89fb07c672dd6c522e6cf4301",
+        "rev": "01e3ac051ee83f41e9b435f29217319cccb30f21",
        "type": "github"
      },
      "original": {
@ -523,11 +523,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1745955289,
+        "lastModified": 1747129300,
-        "narHash": "sha256-mmV2oPhQN+YF2wmnJzXX8tqgYmUYXUj3uUUBSTmYN5o=",
+        "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "72081c9fbbef63765ae82bff9727ea79cc86bd5b",
+        "rev": "e81fd167b33121269149c57806599045fd33eeed",
        "type": "github"
      },
      "original": {
@ -642,11 +642,11 @@
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1746307609,
+        "lastModified": 1747187148,
-        "narHash": "sha256-KyXS1SBYHC3rOuU+03n7FsK29dyYutDDhGGm+PclhuU=",
+        "narHash": "sha256-xE8/ML8PrY2qO0NlMmI94BdjIZ4gTgyq6cKmwbLvBnE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b440606b4212f01eac9d24e5fbb9ab0b281b5548",
+        "rev": "e481f916e39560b6d9327037f8001bf43e3f336f",
        "type": "github"
      },
      "original": {
@ -658,11 +658,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1746183838,
+        "lastModified": 1746957726,
-        "narHash": "sha256-kwaaguGkAqTZ1oK0yXeQ3ayYjs8u/W7eEfrFpFfIDFA=",
+        "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "bf3287dac860542719fe7554e21e686108716879",
+        "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94",
        "type": "github"
      },
      "original": {
@ -674,11 +674,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1746232882,
+        "lastModified": 1746904237,
-        "narHash": "sha256-MHmBH2rS8KkRRdoU/feC/dKbdlMkcNkB5mwkuipVHeQ=",
+        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "7a2622e2c0dbad5c4493cb268aba12896e28b008",
+        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
        "type": "github"
      },
      "original": {
@ -706,18 +706,15 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1737717945,
+        "lastModified": 1743583204,
-        "narHash": "sha256-ET91TMkab3PmOZnqiJQYOtSGvSTvGeHoegAv4zcTefM=",
+        "narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=",
-        "owner": "NixOS",
+        "path": "/nix/store/fwhfa9pbx8vdi8nd5pcys665baz6xdxf-source",
-        "repo": "nixpkgs",
+        "rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434",
-        "rev": "ecd26a469ac56357fd333946a99086e992452b6a",
+        "type": "path"
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "id": "nixpkgs",
-        "ref": "nixpkgs-unstable",
+        "type": "indirect"
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_4": {
@ -754,11 +751,11 @@
    },
    "nixpkgs_6": {
      "locked": {
-        "lastModified": 1746232882,
+        "lastModified": 1746904237,
-        "narHash": "sha256-MHmBH2rS8KkRRdoU/feC/dKbdlMkcNkB5mwkuipVHeQ=",
+        "narHash": "sha256-3e+AVBczosP5dCLQmMoMEogM57gmZ2qrVSrmq9aResQ=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "7a2622e2c0dbad5c4493cb268aba12896e28b008",
+        "rev": "d89fc19e405cb2d55ce7cc114356846a0ee5e956",
        "type": "github"
      },
      "original": {
@ -928,11 +925,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737771740,
+        "lastModified": 1746758179,
-        "narHash": "sha256-lWIdF4qke63TdCHnJ0QaUHfG8YvsDrBqzL4jiHYQd+Y=",
+        "narHash": "sha256-JECUw1YBEsTsVauvupRzE5ykZaJoyhHCpoY87ZZJGas=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "cfaaa1dddd280af09aca84af84612fbccd986ae2",
+        "rev": "4fd00513eac6b6140c5dced3e1b8133e2369a0f8",
        "type": "github"
      },
      "original": {
@ -967,11 +964,11 @@
        "nixpkgs": "nixpkgs_7"
      },
      "locked": {
-        "lastModified": 1745310711,
+        "lastModified": 1746485181,
-        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -89,12 +89,10 @@
  nixConfig = {
    extra-substituters = [
      "https://nix-community.cachix.org"
      "https://0uptime.cachix.org"
    ];
    extra-trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "0uptime.cachix.org-1:ctw8yknBLg9cZBdqss+5krAem0sHYdISkw/IFdRbYdE="
    ];
  };
--- a/nixos/hosts/ingress-proxy/default.nix
+++ b/nixos/hosts/ingress-proxy/default.nix
@ -17,8 +17,12 @@ in rec {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 80 443 ];
-  services.nginx = {
+  services.nginx = let 
-    package = pkgs.tengine;
+    commonExtra = ''
      add_header Alt-Svc 'h3=":443"; ma=86400' always;
    ''; 
  in {
    package = pkgs.nginxQuic.override { withSlice = true; };
    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
@ -60,6 +64,10 @@ in rec {
      inactive = "720m";
    };
    commonHttpConfig = ''
      ssl_early_data on;
    '';
    virtualHosts = let
      defaultConfig = {
        listen = [
@ -70,8 +78,10 @@ in rec {
        ];    
        http2 = true;
        http3 = true;
        quic = true;
        forceSSL = lib.mkDefault true;
        enableACME = true;
        extraConfig = commonExtra;
      };
      internalConfig = {
@ -105,7 +115,7 @@ in rec {
      } // defaultConfig;
    in rec {
      "mekanoe.com" = staticSite;
-      "noe.sh" = staticSite // { forceSSL = false; };
+      "noe.sh" = staticSite;
      "foxxolay.com" = staticSite;
      "kitsu.love" = staticSite;
      "doll.repair" = staticSite;
@ -131,6 +141,7 @@ in rec {
          proxyWebsockets = true;
        };
        extraConfig = ''
          ${commonExtra}
          allow 127.0.0.1;
          allow 10.0.0.0/8;
          allow 100.64.0.0/10;
@ -150,6 +161,7 @@ in rec {
          proxyPass = "https://censusdbg";
        };
        extraConfig = ''
          ${commonExtra}
          allow 127.0.0.1;
          allow 100.64.0.0/10;
          allow 10.0.0.0/8;
@ -207,7 +219,9 @@ in rec {
      "kat.cafe" = {
        serverAliases = ["dripping.blood.pet"];
        locations."/" = {
-          extraConfig = "return 302 https://noe.sh;";
+          extraConfig = ''
            return 302 https://bad.horse;
          '';
        };
        locations."/s" = {
          recommendedProxySettings = true;
--- a/nixos/hosts/static-sites/default.nix
+++ b/nixos/hosts/static-sites/default.nix
@ -7,6 +7,7 @@ in rec {
    ../../features/dns-cache.nix
    ../../features/nginx.nix
    ../../features/telemetry/nginx.nix
    ./minio.nix
  ];
  networking.hostName = "static-sites";
@ -41,6 +42,31 @@ in rec {
          '';
        };
      } // defaultConfig;
      minio = bucket: {
        locations."/" = {
          proxyPass = "http://127.0.0.1:9000/${bucket}/";
          recommendedProxySettings = true;
          extraConfig = ''
            proxy_intercept_errors on;
            proxy_hide_header x-amz-request-id;
            proxy_hide_header x-amz-bucket-region;
            proxy_hide_header x-amz-id-2;
            proxy_hide_header x-amz-meta-s3cmd-attrs;
            proxy_hide_header x-ratelimit-limit;
            proxy_hide_header x-ratelimit-remaining;
            proxy_hide_header x-minio-deployment-id;
            proxy_hide_header strict-transport-security;
            proxy_hide_header x-firefox-spdy;
            proxy_hide_header x-xss-protection;
            proxy_hide_header x-content-type-options;
            proxy_hide_header vary;
            rewrite ^/$ /${bucket}/index.html break;
            rewrite (.*)/$ /$1/index.html;
            rewrite ^([^.]*[^/])$ /$1/ permanent;
          '';
        };
      } // defaultConfig;
    in rec {
      "noe.sh" = static { src = flakePackage "noe-sh"; aliases = [ "mekanoe.com" ]; } // {
        locations."=/" = {
@ -53,7 +79,7 @@ in rec {
      };
      # "3d.noe.sh" = static { src = flakePackage "3d-noe-sh"; aliases = [ "art.mekanoe.com" ]; };
-      "doll.repair" = static { src = flakePackage "doll-repair"; };
+      "doll.repair" = minio "doll.repair";
      "blood.pet" = static { src = flakePackage "blood-pet"; };
      "foxxolay.com" = static {
--- a/nixos/hosts/static-sites/minio.nix
+++ b/nixos/hosts/static-sites/minio.nix
@ -0,0 +1,20 @@
 { config, ... }: {
  sops.secrets.minio_root_user = {
    sopsFile = ../../../secrets/static-sites/default.yaml;
  };
  sops.secrets.minio_root_pass = {
    sopsFile = ../../../secrets/static-sites/default.yaml;
  };
  sops.templates."minio-root-credentials" = {
    content = ''
 MINIO_ROOT_USER=${config.sops.placeholder.minio_root_user}    
 MINIO_ROOT_PASSWORD=${config.sops.placeholder.minio_root_pass}'';
  };
  services.minio = {
    enable = true;
    rootCredentialsFile = config.sops.templates."minio-root-credentials".path;
  };
 }
--- a/pkgs/mspaint/default.nix
+++ b/pkgs/mspaint/default.nix
@ -19,4 +19,8 @@ in pkgs.stdenvNoCC.mkDerivation {
  ];
  desktopItems = [ desktopItem ];
  installPhase = ''
  '';
 }
--- a/secrets/static-sites/default.yaml
+++ b/secrets/static-sites/default.yaml
@ -0,0 +1,44 @@
 minio_root_user: ENC[AES256_GCM,data:9ift+w==,iv:D25le5OO38mHNwakYl8qMaP/fIEFIeO8m2EFpqiiqAs=,tag:OL8bB5HClPibUtq0XqpMxQ==,type:str]
 minio_root_pass: ENC[AES256_GCM,data:Z0n2A7b+4JImsI8EikZR6hOf28Mae39lTRa6S/OiD4Bx/fcg7ecQ5g==,iv:K21e8oZ6ics9YUjSAqgTi0jp+58LVf3evUsLvYyanSk=,tag:NOmfZeThbDqAolLCoBR9mQ==,type:str]
 sops:
    age:
        - recipient: age1lq5q5g5qjsdcc3key0n6qytkc9z3qx3d3e96ap9zre2aqgvc9ujq82l9hd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Z1I0MTRuRTVPaldwYXpE
            dS9aTkVJai9iZG8zeFo2cHY1aGt0WkpYUjBvCk9BQzZtWTBSQkxNRTc4U0lUb1dN
            ZlNOYnFSc2Mwc0FYRnoyWWhrOFQ5UkEKLS0tIG55dnduN08vSnY1WStrSWprU1lK
            bUhnak1RZ2NEYTRlNGJQNU91dlpKUXcKPA1NHA75xRWllcbFLhogJS8V4ddwvGW5
            FGXVBKZMTWFg7scpWOE6OVlMHFK2+5kCoB+kLuAqXS1aVq0okS9EbQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1p0f62dwatt558sf5s4equdqwtg5m7lsnaytrf3xjnvmx3e0lqu4svtugyp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkMG5RZUxySWZSdmZua0Ur
            ZnJWSkJsUmdqY1laamdaWm14Q2J5dUxxNWdzCno4NDlEaWxwVE52Y2ptRDJlNTNt
            TTdCMWJJL2JkYUFRVWY2OGpDTkdoSk0KLS0tIHcwYitYSThCcjhjaXVNV3Zzak03
            YklSZm5XZ3BCSkNNWnErN0MwZEU1NlkK2jADPIG8/KkvOQ9bwi7EMVN77Wm8K4Lb
            1v2jYHPIsb7Ab0dInJcXfmcEnFo4I/IJ7JFUcsSCNKhB7POt3a0JEw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age13c5wv623jxjja5mjz7fajg9qqwvypzgsfqrs4tmk7rpgyzu7aufs4ul9f9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaDFSNWJRc0xzUDFuaEhV
            bm1Ncm5GV1l1MmlnOWtxbURMVVRGbCs0Q0NBCkwwVUR6V2pWSFN1dlJtMk1KQVB6
            ejVCVUR6N0hDcTVhaUdXRkRwOVZPR00KLS0tIE1UQ05lRGNCY3MyMXFQck9lSEo0
            azFtdzVwTTlwT3hpcVI0dDUxTjh1OEUKYK5VWYju936Y07dec4HTE/U4RG8pU/PG
            +yx+dci5eRayoN0I+JDZg8ifxj4f9SGBEUiB+xfImh67+Gcyhr4YdQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1s4hzwj982zk04kr7c5u0vlemkzalv72wtkttkgzt64xv8a4r25zqxra6u0
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMR1dRanR6N3dnNTZ1SGpM
            dlZ4UlIyMjJtVUR1eWZrN2E4Q0RYd09qeVFrCkNwd0Q5dDhEeXlWZnVkSzJlbENy
            V0xrTktHOUtMSnZhN1hZN0ROc05aMmcKLS0tIEFsTDE3RzdJV0crUFBPaFNFNjJr
            TzBkaEx6Z3VWYlB6aXJ0UEc1NnNTZWsKRE57cTa9yL8cKckISq9RlU0JwvJl0wuo
            VKy9TczYN+Sykrq30MxCXQSnpKCUqJ1xuJS7+xJlpLs+jGZIjIg7+A==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-05-14T02:13:37Z"
    mac: ENC[AES256_GCM,data:E9iQOY3ZGsMAAN+FpIcAJLuylSlISvVBXYCndbqkh2zxQnvxnjO4EUw+0uqtknCiFJYqXl/tGudTZG0Xb091AHVjNzNPfhO8aNbHvugXCBTt2d55Zqjr3otYgE9lXV+aBhCkjo4CgrZPDRGLaG0iM0bLGuxgd9o1I0ILVOw33Bc=,iv:MsbhZSSHfvRt1Z4lg/OqNCCoebOrWC5CcBocXLGyMKc=,tag:Owf6/3IJLvgfvuOppfLzUw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2