Diffstat (limited to '')
-rw-r--r--configurations/eonwe/default.nix2
-rw-r--r--flake.lock42
-rw-r--r--modules/nginx.nix36
3 files changed, 47 insertions, 33 deletions
diff --git a/configurations/eonwe/default.nix b/configurations/eonwe/default.nix
index 74e12af..ca20140 100644
--- a/configurations/eonwe/default.nix
+++ b/configurations/eonwe/default.nix
@@ -23,7 +23,7 @@ with lib;
     incus.enable = true;
     libvirtd.enable = true;
     mpd.enable = true;
-    qutebrowser.enable = false; # FIXME https://github.com/NixOS/nixpkgs/pull/325773
+    qutebrowser.enable = true;
   };
 
   hm = {
diff --git a/flake.lock b/flake.lock
index b9ad685..35e4908 100644
--- a/flake.lock
+++ b/flake.lock
@@ -278,11 +278,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722028105,
-        "narHash": "sha256-0ButnGQ1bCMIDblzC6NBSL71Wi6JmHGweI3scoV8CgM=",
+        "lastModified": 1722217815,
+        "narHash": "sha256-8r5AJ3n8WEDw3rsZLALSuFQ5kJyWOcssNZvPxYLr2yc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5b01cea8b5753de9c2febd27203c530be14745ff",
+        "rev": "1e6f8a7b4634fc051cc9361959bf414fcf17e094",
         "type": "github"
       },
       "original": {
@@ -453,11 +453,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722119539,
-        "narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=",
+        "lastModified": 1722203588,
+        "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d0240a064db3987eb4d5204cf2400bc4452d9922",
+        "rev": "792757f643cedc13f02098d8ed506d82e19ec1da",
         "type": "github"
       },
       "original": {
@@ -535,11 +535,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722130825,
-        "narHash": "sha256-wT3ujK3g3Ybqj2F7fNIBrEHY4SbEtoiI/mrUUPr//Fs=",
+        "lastModified": 1722217035,
+        "narHash": "sha256-VbKRSpzdC9KZ7JW/g2taP88WcBVZZXthbHQ/Ik3jDHE=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "c04c517fc3d5f0d3e577b09b8bc527a18a95b79b",
+        "rev": "c24ecb1841d927bafde547c3d62fcb8c8da29a96",
         "type": "github"
       },
       "original": {
@@ -643,11 +643,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1722177403,
-        "narHash": "sha256-X1wtgrkgLNHLOvOe8deNlQyuFIJKsiBdphTG36DZde4=",
+        "lastModified": 1722273041,
+        "narHash": "sha256-NpKImX5XaOVvedRtn6MHuXtYJhiMS5aOXKl7e0ipOyk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "480aa424113bfef080198fcdbc0ca3cdd38a6168",
+        "rev": "fb89aa5757d11dcbf6a29e3051cc572183469ff4",
         "type": "github"
       },
       "original": {
@@ -659,11 +659,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1722176734,
-        "narHash": "sha256-sB+glJWgjypDGUXWO88FSpd6UEuROlQ5y5I63BH1rfE=",
+        "lastModified": 1722272837,
+        "narHash": "sha256-iHO942tXSkiZ0ZhWkfqCvqo9/67+S6WYfphXSJogEmM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ed739215d981ac5071ba6d7d568865c43aa2c29f",
+        "rev": "89526a7d969e38fe8c30253170d44d0f131882de",
         "type": "github"
       },
       "original": {
@@ -741,11 +741,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1721888498,
-        "narHash": "sha256-O5/s8e6CL99AQoKEn8k6F99UoJdAzQ8z9LZ7SxFJ3c4=",
+        "lastModified": 1722263926,
+        "narHash": "sha256-xhuXR7hKOM4dQwDvHyZYn+aHbUDHnpi4+yPhsyP+mwU=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "27b3a9b23847cb2e716334ee6ad58b82ddc3f7a7",
+        "rev": "1f867a5658bfc4318ea6f83304b2a1bc4a0b28ee",
         "type": "github"
       },
       "original": {
@@ -846,11 +846,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1722130475,
-        "narHash": "sha256-VT2GvIRL8+nNSQ/XS9N6m42VDBiNDy7Luz3wMHoPLBk=",
+        "lastModified": 1722216590,
+        "narHash": "sha256-O55w/XIIwheC9m1xGeQ28fajcJQh7x/EtfvL9p+B/ak=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "25a36236f5051034e2085fb3414493c921bb1994",
+        "rev": "84c2c64bef5f00bfcab73780801f1b270a1c5869",
         "type": "github"
       },
       "original": {
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 2ac6d1b..6cb47b4 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -29,13 +29,16 @@ in
   config = mkIf cfg.enable {
     _module.args.libNginx.config = {
       internalOnly = ''
+        add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
+        access_log off;
         if ($internal != 1) {
           return 403;
         }
-        access_log off;
       '';
-      # FIXME This stopped working.
       appendHead = text: ''
+        brotli off;
+        gzip off;
+        zstd off;
         sub_filter '</head>' '${lib.concatStrings text}</head>';
         sub_filter_once on;
       '';
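Review bot: The `add_header X-Robots-Tag …` line added to `internalOnly` changes header inheritance wherever the snippet is included. nginx inherits `add_header` from the enclosing level only when the current level defines none, so any headers set at http or server level elsewhere in the configuration (HSTS, for instance, if it is configured) stop being sent for these locations. Without the `always` parameter the header is also not attached to the `return 403` response; `add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet" always;` would cover it. In `appendHead`, `brotli off; gzip off; zstd off;` only stops nginx compressing its own output, so if the snippet is used on proxied locations a compressed upstream body would presumably still pass through `sub_filter` unmodified. A short comment saying why compression is disabled there would replace the removed FIXME usefully.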
@@ -48,25 +51,36 @@ in
     services = {
       nginx = {
         enable = true;
+
         enableReload = true;
 
         package = pkgs.nginxMainline;
 
-        statusPage = true;
+        statusPage = mkDefault true;
+
+        recommendedOptimisation = mkDefault true;
+        recommendedProxySettings = mkDefault true;
+        recommendedTlsSettings = mkDefault true;
 
-        serverTokens = false;
+        recommendedBrotliSettings = mkDefault true;
+        recommendedGzipSettings = mkDefault true;
+        recommendedZstdSettings = mkDefault true;
 
-        recommendedBrotliSettings = lib.mkDefault true;
-        recommendedGzipSettings = lib.mkDefault true;
-        recommendedOptimisation = lib.mkDefault true;
-        recommendedProxySettings = lib.mkDefault true;
-        recommendedTlsSettings = lib.mkDefault true;
-        recommendedZstdSettings = lib.mkDefault true;
+        resolver.addresses =
+          let
+            isIPv6 = addr: builtins.match ".*:.*:.*" addr != null;
+            escapeIPv6 = addr: if isIPv6 addr then "[${addr}]" else addr;
+            resolvers =
+              if config.networking.nameservers != [ ] then
+                config.networking.nameservers
+              else
+                dns.const.quad9.default;
+          in
+          map escapeIPv6 resolvers;
 
         commonHttpConfig = concatStrings [
           ''
             access_log syslog:server=unix:/dev/log;
-            add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
           ''
           (optionalString (hasAttr "wireguard" this) (
             with config.nixfiles.modules.wireguard;
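Review bot: The fallback in `resolver.addresses` silently points nginx at a public resolver (`dns.const.quad9.default`) whenever `networking.nameservers` is empty. nginx's resolver sends plain, unauthenticated DNS queries, and its documentation recommends resolvers on a trusted local network to limit spoofing, so the fallback deserves a comment such as `# falls back to a public resolver over cleartext DNS; prefer a local stub resolver where available`. `isIPv6` treats any string containing two colons as IPv6, so a scoped address like `fe80::1%eth0` would be bracketed with its zone id included; whether nginx accepts that is not verified here. The same hunk removes the http-level `X-Robots-Tag` from `commonHttpConfig`, so only locations using `internalOnly` still send it, which is worth confirming as intended. The `services.nginx` attrset continues past the end of the hunk, and `dns` is defined outside it.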
