nixos/services: add default website on nginx

nixos/services: disable nginx proxy buffering
nixos/impermanence: remove ssh host key persistence
2026-05-04 04:55:58 +02:00 · 2026-05-04 04:55:40 +02:00 · 2026-05-03 22:24:33 -04:00 · 2026-05-03 22:18:49 -04:00 · 2026-05-03 22:18:49 -04:00 · 2026-05-03 22:18:49 -04:00
20 changed files with 95 additions and 448 deletions
@@ -1,20 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Wl2fDA 7PqbYWjorqzuPIDZgOZGIMzZa/P89aGzvORfMAeePRU
-J+gesdnj8VwqJSfD1ohDTSp7nBXdM4nEEB5/7aA1PMc
-> ssh-ed25519 zNC8SA z47u0fUlGVYiQr4/S0lLh6WEj7gyedjWsq4fUk5Z1CY
-6qR4zdA1gQqpAcm5Q5AZJgn3ZnafXL4OeHfU4WJae40
-> ssh-ed25519 EiAAKw 8mPi6HaHW+oFZHZ0Y2fJ2XISgarW3i/yLKD2QJleFGs
-Mch7D28T9eiJm8hmSuI7Wm/rjjT+EzzER9vQ7T6rA3k
-> ssh-rsa eFi+Zw
-d3mwAM+p4yz/UK5g4+0WyeOPyEVHQEyzGSB+pPDf6IIXxGbh613h1WD5j3AQQXdH
-178Es9PhkiZcy0Y0IsQt4dyqDzuqMMwzLLvLKgsfliFsPBcdo93V5r9rWtFi3+9S
-jAfhsFzVUj3KhuBY+xsgBtHpLe5CVV52NnEzXkoJw1wbdunNi62QZvyyC+0NixFV
-HW1lxan6g6XXPrXWWrLbZWvpuqvPV6DoLsofzkMm0nd1DhkeHRU1WU8ucnPaETrJ
-E5G3YrlfhftwRzp/QzeoSFREmdAJca7ycIJaJuG8QIszTZLOOQBUAxg7sonATGUc
-Zutg1lJEfaQSe8oG1iMrJlshGspuSmBc1Ki4iQJjhQnYzvkV+Th9trG3QGq5ur9O
-RYCxqjMMzbp6kR2GdJorSM7P5fpzt0sSv2mxd+nQpMoyvOVfbBjmEbiuWrKSlIl0
-tXYrI6723mRNsbtmodUdDttaDFnr2r0MWbpHPn/K6y422GEoAiKE96Z7Pcxo2+Ml
-
--- ILGiZiEBKY+7nych4vWMVWgiFNhF3eP7mtCvJ/JImxM
-jFÍ%aë;¸8Œõl�Ë�Ô é‚YÊ×ö…›�´töÐ:Â÷ì®û¦#í õÞ(¹ðÂV°;ê[Ç`üØë:tžS#ˆ
-@²ãÒk7²àFž¿ÓEn®†!ÉlÈ¥ÛšŽÃ�7°!•Òï‡êY3:+mzÕÒÈö
@@ -10,7 +10,6 @@ let
 in
 {
  "ntfy.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
-  "authentik.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;

  # tsig-keygen etc.sub.domain.tld.
  "dns/tuxcord.net/tuxcord.net.key.age".publicKeys = [ tuxcord-ca ] ++ adminSSHKeys;
@@ -22,5 +21,5 @@ in
  map (user: {
    name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
    value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
-  }) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
+  }) (builtins.filter (user: user.value.options.ddns or false) (attrsToList users))
 )
@@ -23,67 +23,6 @@
        "type": "github"
      }
    },
-    "authentik-go": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1771856219,
-        "narHash": "sha256-zTEmvxe+BpfWYvAl675PnhXCH4jV4GUTFb1MrQ1Eyno=",
-        "owner": "goauthentik",
-        "repo": "client-go",
-        "rev": "4c1444ee54d945fbcc5ae107b4f191ca0352023d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "goauthentik",
-        "repo": "client-go",
-        "type": "github"
-      }
-    },
-    "authentik-nix": {
-      "inputs": {
-        "authentik-go": "authentik-go",
-        "authentik-src": "authentik-src",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "flake-utils": "flake-utils",
-        "napalm": "napalm",
-        "nixpkgs": "nixpkgs",
-        "pyproject-build-systems": "pyproject-build-systems",
-        "pyproject-nix": "pyproject-nix",
-        "systems": "systems_2",
-        "uv2nix": "uv2nix"
-      },
-      "locked": {
-        "lastModified": 1776085803,
-        "narHash": "sha256-JvvWVbXJYSY8qOReMbAOD4lxcN2cjKV6lg/jLz8CEuY=",
-        "owner": "nix-community",
-        "repo": "authentik-nix",
-        "rev": "4370b561c8bafb59773ce3a518506bcf1161dbdb",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "authentik-nix",
-        "type": "github"
-      }
-    },
-    "authentik-src": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1775573258,
-        "narHash": "sha256-Xq7JGI/8ppIydIuWd9KRJKUrh7UpeniwvZ4NAtXbYJ4=",
-        "owner": "goauthentik",
-        "repo": "authentik",
-        "rev": "5249546862986202b901c2afd860992ec48c6ef6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "goauthentik",
-        "ref": "version/2026.2.2",
-        "repo": "authentik",
-        "type": "github"
-      }
-    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
@@ -107,7 +46,6 @@
      }
    },
    "flake-compat": {
-      "flake": false,
      "locked": {
        "lastModified": 1767039857,
        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
@@ -123,21 +61,6 @@
      }
    },
    "flake-compat_2": {
-      "locked": {
-        "lastModified": 1767039857,
-        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1767039857,
@@ -157,24 +80,6 @@
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
-      "locked": {
-        "lastModified": 1769996383,
-        "narHash": "sha256-AnYjnFWgS49RlqX7LrC4uA+sCCDBj0Ry/WOJ5XWAsa0=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "57928607ea566b5db3ad13af0e57e921e6b12381",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-parts_2": {
-      "inputs": {
-        "nixpkgs-lib": "nixpkgs-lib_2"
-      },
      "locked": {
        "lastModified": 1777678872,
        "narHash": "sha256-EPIFsulyon7Z1vLQq5Fk64GR8L7cQsT+IPhcsukVbgk=",
@@ -189,27 +94,6 @@
        "type": "github"
      }
    },
-    "flake-utils": {
-      "inputs": {
-        "systems": [
-          "authentik-nix",
-          "systems"
-        ]
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
    "git-hooks-nix": {
      "inputs": {
        "flake-compat": [
@@ -304,35 +188,9 @@
        "type": "github"
      }
    },
-    "napalm": {
-      "inputs": {
-        "flake-utils": [
-          "authentik-nix",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1725806412,
-        "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
-        "owner": "willibutz",
-        "repo": "napalm",
-        "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "willibutz",
-        "ref": "avoid-foldl-stack-overflow",
-        "repo": "napalm",
-        "type": "github"
-      }
-    },
    "nix-alien": {
      "inputs": {
-        "flake-compat": "flake-compat_2",
+        "flake-compat": "flake-compat",
        "nix-index-database": [
          "nix-index-database"
        ],
@@ -376,12 +234,12 @@
    },
    "nix-super": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_2",
        "flake-parts": [
          "flake-parts"
        ],
        "git-hooks-nix": "git-hooks-nix",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
        "nixpkgs-23-11": "nixpkgs-23-11",
        "nixpkgs-regression": "nixpkgs-regression"
      },
@@ -401,18 +259,15 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1771848320,
-        "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "2fc6539b481e1d2569f25f8799236694180c0993",
-        "type": "github"
+        "lastModified": 1771903837,
+        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
+        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
      },
      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
      }
    },
    "nixpkgs-23-11": {
@@ -432,21 +287,6 @@
      }
    },
    "nixpkgs-lib": {
-      "locked": {
-        "lastModified": 1769909678,
-        "narHash": "sha256-cBEymOf4/o3FD5AZnzC3J9hLbiZ+QDT/KDuyHXVJOpM=",
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "rev": "72716169fe93074c333e8d0173151350670b824c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "nixpkgs.lib",
-        "type": "github"
-      }
-    },
-    "nixpkgs-lib_2": {
      "locked": {
        "lastModified": 1777168982,
        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
@@ -478,19 +318,6 @@
      }
    },
    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1771903837,
-        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
-        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
-        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
-      }
-    },
-    "nixpkgs_3": {
      "locked": {
        "lastModified": 1777428379,
        "narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
@@ -506,66 +333,15 @@
        "type": "github"
      }
    },
-    "pyproject-build-systems": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ],
-        "pyproject-nix": [
-          "authentik-nix",
-          "pyproject-nix"
-        ],
-        "uv2nix": [
-          "authentik-nix",
-          "uv2nix"
-        ]
-      },
-      "locked": {
-        "lastModified": 1771423342,
-        "narHash": "sha256-7uXPiWB0YQ4HNaAqRvVndYL34FEp1ZTwVQHgZmyMtC8=",
-        "owner": "pyproject-nix",
-        "repo": "build-system-pkgs",
-        "rev": "04e9c186e01f0830dad3739088070e4c551191a4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "build-system-pkgs",
-        "type": "github"
-      }
-    },
-    "pyproject-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1771518446,
-        "narHash": "sha256-nFJSfD89vWTu92KyuJWDoTQJuoDuddkJV3TlOl1cOic=",
-        "owner": "pyproject-nix",
-        "repo": "pyproject.nix",
-        "rev": "eb204c6b3335698dec6c7fc1da0ebc3c6df05937",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "pyproject.nix",
-        "type": "github"
-      }
-    },
    "root": {
      "inputs": {
        "agenix": "agenix",
-        "authentik-nix": "authentik-nix",
-        "flake-parts": "flake-parts_2",
+        "flake-parts": "flake-parts",
        "impermanence": "impermanence",
        "nix-alien": "nix-alien",
        "nix-index-database": "nix-index-database",
        "nix-super": "nix-super",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": "nixpkgs_2"
      }
    },
    "systems": {
@@ -582,46 +358,6 @@
        "repo": "default",
        "type": "github"
      }
-    },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1689347949,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default-linux",
-        "type": "github"
-      }
-    },
-    "uv2nix": {
-      "inputs": {
-        "nixpkgs": [
-          "authentik-nix",
-          "nixpkgs"
-        ],
-        "pyproject-nix": [
-          "authentik-nix",
-          "pyproject-nix"
-        ]
-      },
-      "locked": {
-        "lastModified": 1772187362,
-        "narHash": "sha256-gCojeIlQ/rfWMe3adif3akyHsT95wiMkLURpxTeqmPc=",
-        "owner": "pyproject-nix",
-        "repo": "uv2nix",
-        "rev": "abe65de114300de41614002fe9dce2152ac2ac23",
-        "type": "github"
-      },
-      "original": {
-        "owner": "pyproject-nix",
-        "repo": "uv2nix",
-        "type": "github"
-      }
    }
  },
  "root": "root",
@@ -31,13 +31,6 @@
      url = "github:privatevoid-net/nix-super";
      inputs.flake-parts.follows = "flake-parts";
    };
-
-    authentik-nix = {
-      url = "github:nix-community/authentik-nix";
-
-      # inputs.nixpkgs.follows = "nixpkgs"
-      # inputs.flake-parts.follows = "flake-parts"
-    };
  };

  outputs =
@@ -1,24 +1,21 @@
 rec {
-  toList = x: if builtins.isList x then x else [ x ];
+  users = import ./users.nix;

-  nameValuePair = name: value: { inherit name value; };
-
-  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
+  adminSSHKeys = builtins.concatLists (
+    map (user: getSSHKeys user.name) (
+      builtins.filter (user: user.value.options.admin or false) (attrsToList users)
+    )
+  );

  attrsToList = mapAttrsToList nameValuePair;
+  mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
+  nameValuePair = name: value: { inherit name value; };
+  toList = x: if builtins.isList x then x else [ x ];

  getSSHKeys =
    username:
    if (builtins.hasAttr "ssh" users.${username}) then
      toList users.${username}.ssh
    else
-      builtins.warn "user ${username} declared without ssh keys" [ ];
-
-  users = import ./users.nix;
-
-  adminSSHKeys = builtins.concatLists (
-    map (user: getSSHKeys user.name) (
-      builtins.filter (user: user.value.admin or false) (attrsToList users)
-    )
-  );
+      builtins.warn "user ${username} declared without ssh key" [ ];
 }
@@ -1,19 +1,23 @@
 {
  error = {
    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
+    options = {
      admin = true;
      ddns = true;
    };
+  };

  javalsai = {
    ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+    options = {
      admin = true;
      ddns = true;
    };
+  };

  max = {
    ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
-    admin = true;
+    options.admin = true;
  };

  vectorum = {
@@ -18,7 +18,6 @@ in
    agenix.nixosModules.default
    impermanence.nixosModules.default
    nix-index-database.nixosModules.nix-index
-    authentik-nix.nixosModules.default

    ./hardware.nix
    ./impermanence.nix
@@ -100,15 +99,22 @@ in

    extraHosts =
      let
-        subdomains = [ "git" "auth" ];
-
-        inherit (config.networking) fqdn;
-        hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
+        subdomains = [
+          ""
+          ".git"
+        ];
      in
-      lib.concatMapStrings (host: ''
+      builtins.foldl' (
+        hosts-acc: domain-prefix:
+        let
+          host = "${domain-prefix}${config.networking.fqdn}";
+        in
+        hosts-acc
+        + ''
          127.0.0.1 ${host}
          ::1 ${host}
-      '') hosts;
+        ''
+      ) "" subdomains;
  };

  virtualisation.podman.enable = true;
@@ -15,10 +15,7 @@
      "xhci_pci"
    ];

-    kernelModules = [
-      "kvm-amd"
-      "kvm-intel"
-    ];
+    kernelModules = [ "kvm-intel" ];
  };

  hardware = {
@@ -1,14 +1,11 @@
 {
-  imports = [
-    ./storage.nix
-  ];
+  acme = {
+    enable = true;
+    rfc2136.nameserver = "tuxcord.net";
+  };

-  networking.fqdn = "nix.tuxcord.net";
-
-  acme.rfc2136.nameserver = "tuxcord.net";
  dns.enable = true;
-
-  services.getty.autologinUser = "root";
+  networking.fqdn = "nix.tuxcord.net";

  time.timeZone = "Europe/Madrid";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -32,7 +32,6 @@
        device = "/dev/xvda2";
        fsType = "btrfs";
        options = [ "subvol=@persist" ] ++ defaultOptions;
-        neededForBoot = true;
      };
    };
 }
@@ -1,12 +1,6 @@
 {
-  imports = [
-    ./storage.nix
-  ];
-
-  networking.fqdn = "tuxcord.test";
-
  acme.enable = false;
  dns.enable = true;

-  services.getty.autologinUser = "root";
+  networking.fqdn = "tuxcord.test";
 }
@@ -1,6 +0,0 @@
-{
-  fileSystems."/" = {
-    device = "/dev/vda";
-    fsType = "ext4";
-  };
-}
@@ -55,6 +55,8 @@
    };
  };

+  fileSystems."/persist".neededForBoot = true;
+
  environment.persistence."/persist" = {
    enable = true;
    hideMounts = true;
@@ -1,17 +0,0 @@
-{ config, self, ... }:
-let
-  inherit (config.networking) fqdn;
-in
-{
-  age.secrets.authentik.file = "${self}/agenix/authentik.age";
-
-  services.authentik = {
-    enable = true;
-    environmentFile = config.age.secrets.authentik.path; # just trust, this specifies port 3001
-    # nginx = {
-    #   enable = true;
-    #   enableACME = true;
-    #   host = "auth.${fqdn}";
-    # };
-  };
-}
@@ -1,7 +1,6 @@
 {
  imports = [
    ./acme.nix
-    ./authentik.nix
    ./dns.nix
    ./fail2ban.nix
    ./gitea.nix
@@ -3,20 +3,13 @@ let
  inherit (config.networking) fqdn;

  mkVhost =
-    attrs: locations:
+    attrs:
    let
      acmeEnabled = config.acme.enable;
    in
    {
      forceSSL = acmeEnabled;
      useACMEHost = if acmeEnabled then fqdn else null;
-
-      locations = {
-        "= /robots.txt" = {
-          alias = disallowedRobotsTxt;
-        };
-      }
-      // locations;
    }
    // attrs;

@@ -28,19 +21,6 @@ let
      proxy_request_buffering off;
    '';
  };
-
-  mkSsi = webRoot: {
-    root = webRoot;
-
-    extraConfig = ''
-      ssi on;
-    '';
-  };
-
-  disallowedRobotsTxt = builtins.toFile "robots.txt" ''
-    User-agent: *
-    Disallow: /
-  '';
 in
 {
  services.nginx = {
@@ -52,18 +32,20 @@ in
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

-    virtualHosts = {
-      "${fqdn}" = mkVhost { default = true; } {
-        "/" = mkSsi "${self.pins.website}/web-root";
+    virtualHosts."${fqdn}" = mkVhost {
+      default = true;
+
+      locations."/" = {
+        root = "${self.pins.website}/web-root";
+
+        extraConfig = ''
+          ssi on;
+        '';
+      };
    };

-      "git.${fqdn}" = mkVhost { } {
-        "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
-      };
-
-      "auth.${fqdn}" = mkVhost { } {
-        "/" = mkProxy 3001;
-      };
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
    };
  };

@@ -4,7 +4,6 @@

    settings = {
      ClientAliveInterval = 300;
-      X11Forwarding = true;

      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
@@ -11,7 +11,12 @@ let
    "wheel"
  ];

-  mkUser = name: uid: admin: {
+  mkUser =
+    name: uid: options:
+    let
+      admin = options.admin or false;
+    in
+    {
      users.users.${name} = {
        inherit uid;
        isNormalUser = true;
@@ -34,7 +39,7 @@ lib.recursiveUpdate
  (builtins.foldl'
    (attrs: user: {
      options = lib.recursiveUpdate attrs.options (
-        mkUser user.name attrs.uid (user.value.admin or false)
+        mkUser user.name attrs.uid (user.value.options or { })
      );
      uid = attrs.uid + 1;
    })
@@ -45,21 +50,8 @@ lib.recursiveUpdate
    (lib.attrsToList users)
  ).options
  {
-    users = {
-      motd = ''
-                  __                                          __                      __
-        ---------/\ \__                                      /\ \                    /\ \__
-        ---------\ \ ,_\  __  __  __  _   ___    ___   _ __  \_\ \        ___      __\ \ ,_\
-        ----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \      /'_ `\  /'__`\ \ \/
-        -----------\ \ \_\ \ \_\ \/>  <//\ \__//\ \L\ \ \ \//\ \L\ \  __/\ \/\ \/\  __/\ \ \_
-        ------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-        -------------\/__/ \/___/ \//\/_/\/____/\/___/  \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
-                                                    A friendly Linux community - est. July 2023
-      '';
-
-      users.root = {
+    users.users.root = {
      initialPassword = "tuxcord";
      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
    };
-    };
  }
@@ -8,9 +8,9 @@
      },
      "branch": "main",
      "submodules": false,
-      "revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
+      "revision": "a9f523c268062c0c4a8167b719be15e3e4b3ef88",
      "url": null,
-      "hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
+      "hash": "0ql14xjz0prvy3rdx6zkbpsjxvx40ivdzrwzdgfsk07jg07aki05"
    }
  },
  "version": 5
Author	SHA1	Message	Date
javalsai	a78752607f	nixos/services: add default website on nginx Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 12s Details	2026-05-04 04:55:58 +02:00
javalsai	e0bd689d4f	nixos/services: disable nginx proxy buffering	2026-05-04 04:55:40 +02:00
ErrorNoInternet	a18a871eb3	nixos/impermanence: remove ssh host key persistence Check / Nix flake (push) Failing after 10s Details Lint / Nix expressions (push) Failing after 12s Details The SSH host key files are already defined in the OpenSSH module, so there is no need to persist them with impermanence.nix.	2026-05-03 22:24:33 -04:00
ErrorNoInternet	ac5fe801a9	shells: remove neovim Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 11s Details Some users may be using self-contained Neovim executables.	2026-05-03 22:18:49 -04:00
ErrorNoInternet	d2ad014c23	agenix: import initial user dns keys	2026-05-03 22:18:49 -04:00
ErrorNoInternet	b431300f49	treewide: create global user list	2026-05-03 22:18:49 -04:00
javalsai	7218ed9bce	docs: add sections and fix typos/errors	2026-05-03 22:18:49 -04:00
ErrorNoInternet	fbbb83bf52	treewide: initialize npins	2026-05-03 22:18:48 -04:00
ErrorNoInternet	0479f0d441	treewide: refactor code	2026-05-03 21:12:36 -04:00
javalsai	e939c28c9c	nixos/security: add acme through dns challenge few side refactors of this: - no more `dns.domain`, it all must rely on `fqdn`, prevents inconsistencies. - also added an specific host `tuxcord-acmetest` that uses the key zone for `nix.tuxcord.net` to test certificate pulling.	2026-05-03 21:11:07 -04:00
javalsai	455753a192	docs: document installation, secrets, and setup steps	2026-05-03 21:11:07 -04:00
javalsai	967af49d7d	nixos/services: make dns configuration easier	2026-05-03 21:11:07 -04:00
javalsai	e5a38b15ee	nixos/service: add dns (bind named server)	2026-05-03 20:36:49 -04:00
javalsai	6b2c8d482c	nixos/programs: add bind utils	2026-05-03 20:36:49 -04:00
javalsai	dd7ad60710	nixos/services: add gitea server Check / Nix flake (push) Failing after 9s Details Lint / Nix expressions (push) Failing after 10s Details	2026-05-04 01:56:34 +02:00
javalsai	fd18ae4a78	nixos/services: add nginx base configuration	2026-05-04 01:56:34 +02:00
javalsai	d7deaa187c	nixos/networking: add own fqdn to extraHosts	2026-05-04 01:56:34 +02:00
javalsai	c6d66902bb	nixos/hosts: add tuxcord-vm host configuration	2026-05-04 01:56:34 +02:00
ErrorNoInternet	4704a887fa	nixos: separate openssh firewall port	2026-05-04 01:56:34 +02:00
javalsai	eaaffcc289	lib/ssh: add more ssh keys	2026-05-04 01:56:32 +02:00