don't do fetchTarball

some hostnames
convert caddy to nixos builtin
2026-03-15 13:46:08 +01:00 · 2025-08-04 22:18:54 +02:00 · 2025-08-04 21:51:46 +02:00 · 2025-08-04 21:18:59 +02:00
25 changed files with 466 additions and 295 deletions
--- a/nix/apps/does-it-build/default.nix
+++ b/nix/apps/does-it-build/default.nix
@ -1,11 +1,21 @@
 { pkgs, lib, my-projects-versions, ... }:
 let
-  does-it-build-base = (import (fetchTarball "https://github.com/Noratrieb/does-it-build/archive/${my-projects-versions.does-it-build}.tar.gz")) { inherit pkgs; };
+  does-it-build-base = (import (pkgs.fetchFromGitHub my-projects-versions.does-it-build.fetchFromGitHub)) { inherit pkgs; };
  does-it-build = does-it-build-base.overrideAttrs (finalAttrs: previousAttrs: {
-    DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build;
+    DOES_IT_BUILD_OVERRIDE_VERSION = my-projects-versions.does-it-build.commit;
  });
 in
 {
+  services.caddy.virtualHosts = {
+    "does-it-build.noratrieb.dev" = {
+      logFormat = "";
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * localhost:3000
+      '';
+    };
+  };
+
  systemd.services.does-it-build = {
    description = "https://github.com/Noratrieb/does-it-build";
    wantedBy = [ "multi-user.target" ];
--- a/nix/apps/fakessh/default.nix
+++ b/nix/apps/fakessh/default.nix
@ -1,5 +1,6 @@
 { lib, pkgs, my-projects-versions, ... }:
-let cluelessh = import (fetchTarball "https://github.com/Noratrieb/cluelessh/archive/${my-projects-versions.cluelessh}.tar.gz");
+let
+  cluelessh = import (pkgs.fetchFromGitHub my-projects-versions.cluelessh.fetchFromGitHub);
 in
 {
  systemd.services.fakessh = {
--- a/nix/apps/forgejo/default.nix
+++ b/nix/apps/forgejo/default.nix
@ -43,6 +43,14 @@
    };
  };

+  services.caddy.virtualHosts."git.noratrieb.dev" = {
+    logFormat = "";
+    extraConfig = ''
+      encode zstd gzip
+      reverse_proxy * localhost:5015
+    '';
+  };
+
  services.custom-backup.jobs = [{
    app = "forgejo";
    file = "/var/lib/forgejo/data/forgejo.db";
--- a/nix/apps/hugo-chat/default.nix
+++ b/nix/apps/hugo-chat/default.nix
@ -5,6 +5,11 @@ let
      "https://github.com/C0RR1T/HugoChat/releases/download/2024-08-05/HugoServer.jar";
    hash = "sha256-hCe2UPqrSR6u3/UxsURI2KzRxN5saeTteCRq5Zfay4M=";
  };
+  hugo-chat-client = fetchTarball {
+    url =
+      "https://github.com/C0RR1T/HugoChat/releases/download/2024-08-05/hugo-client.tar.xz";
+    sha256 = "sha256:121ai8q6bm7gp0pl1ajfk0k2nrfg05zid61i20z0j5gpb2qyhsib";
+  };
 in
 {
  age.secrets.hugochat_db_password.file = ../../secrets/hugochat_db_password.age;
@ -36,6 +41,61 @@ in
    };
  };

+  services.caddy.virtualHosts = {
+    "hugo-chat.noratrieb.dev" = {
+      logFormat = "";
+      extraConfig = ''
+        encode zstd gzip
+        root * ${import ../../packages/caddy-static-prepare {
+          name = "hugo-chat-client";
+          src = hugo-chat-client;
+          inherit pkgs lib;
+        }}
+        try_files {path} /index.html
+        file_server {
+          etag_file_extensions .sha256
+          precompressed zstd gzip br
+        }
+      '';
+    };
+    "api.hugo-chat.noratrieb.dev" =
+      let
+        cors = pkgs.writeText "cors" ''
+          # https://gist.github.com/ryanburnette/d13575c9ced201e73f8169d3a793c1a3
+          @cors_preflight{args[0]} method OPTIONS
+          @cors{args[0]} header Origin {args[0]}
+
+          handle @cors_preflight{args[0]} {
+            header {
+              Access-Control-Allow-Origin "{args[0]}"
+              Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+              Access-Control-Allow-Credentials "false"
+              Access-Control-Allow-Headers "$${args[1]}"
+              Access-Control-Max-Age "86400"
+              defer
+            }
+            respond "" 204
+          }
+
+          handle @cors{args[0]} {
+            header {
+              Access-Control-Allow-Origin "{args[0]}"
+              Access-Control-Expose-Headers *
+              defer
+            }
+          }
+        '';
+      in
+      {
+        logFormat = "";
+        extraConfig = ''
+          import ${cors} https://hugo-chat.noratrieb.dev "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
+          encode zstd gzip
+          reverse_proxy * localhost:5001
+        '';
+      };
+  };
+
  services.custom-backup.jobs = [
    {
      app = "hugo-chat";
--- a/nix/apps/old-redirects/default.nix
+++ b/nix/apps/old-redirects/default.nix
@ -0,0 +1,41 @@
+{ ... }:
+let
+  permanent = [
+    { from = "www.noratrieb.dev"; to = "noratrieb.dev"; }
+    { from = "blog.noratrieb.dev"; to = "noratrieb.dev/blog"; }
+    { from = "nilstrieb.dev"; to = "noratrieb.dev"; }
+    { from = "www.nilstrieb.dev"; to = "noratrieb.dev"; }
+    { from = "blog.nilstrieb.dev"; to = "noratrieb.dev/blog"; }
+    { from = "bisect-rustc.nilstrieb.dev"; to = "bisect-rustc.noratrieb.dev"; }
+    { from = "docker.nilstrieb.dev"; to = "docker.noratrieb.dev"; }
+    { from = "hugo-chat.nilstrieb.dev"; to = "hugo-chat.noratrieb.dev"; }
+    { from = "api.hugo-chat.nilstrieb.dev"; to = "api.hugo-chat.noratrieb.dev"; }
+    { from = "uptime.nilstrieb.dev"; to = "uptime.noratrieb.dev"; }
+    { from = "olat.nilstrieb.dev"; to = "olat.noratrieb.dev"; }
+    { from = "olat.nilstrieb.dev:8088"; to = "olat.noratrieb.dev"; }
+  ];
+in
+{
+  services.caddy.virtualHosts = (
+    {
+      "bisect-rustc.noratrieb.dev" = {
+        logFormat = "";
+        extraConfig = "redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service";
+      };
+      "uptime.noratrieb.dev" = {
+        logFormat = "";
+        extraConfig = "redir https://github.com/Noratrieb/uptime?tab=readme-ov-file#uptime";
+      };
+    }
+  ) // (
+    builtins.listToAttrs (map
+      (redirect: {
+        name = redirect.from;
+        value = {
+          logFormat = "";
+          extraConfig = "redir https://${redirect.to}{uri} permanent";
+        };
+      })
+      permanent)
+  );
+}
--- a/nix/apps/openolat/default.nix
+++ b/nix/apps/openolat/default.nix
@ -44,6 +44,24 @@ in
    };
  };

+  services.caddy.virtualHosts = {
+    "olat.noratrieb.dev" = {
+      logFormat = "";
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * localhost:5011
+      '';
+    };
+    # unsure if necessary... something was misconfigured in the past here...
+    "olat.noratrieb.dev:8088" = {
+      logFormat = "";
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * localhost:5011
+      '';
+    };
+  };
+
  services.custom-backup.jobs = [
    {
      app = "openolat-db";
--- a/nix/apps/upload-files/default.nix
+++ b/nix/apps/upload-files/default.nix
@ -1,5 +1,7 @@
 { my-projects-versions, pkgs, lib, config, ... }:
-let upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.files.noratrieb.dev/archive/${my-projects-versions."upload.files.noratrieb.dev"}.tar.gz"); in
+let
+  upload-files = import (pkgs.fetchFromGitHub my-projects-versions."upload.files.noratrieb.dev".fetchFromGitHub);
+in
 {
  age.secrets.upload_files_s3_secret.file = ../../secrets/upload_files_s3_secret.age;

@ -18,4 +20,15 @@ let upload-files = import (fetchTarball "https://github.com/Noratrieb/upload.fil
      EnvironmentFile = [ config.age.secrets.upload_files_s3_secret.path ];
    };
  };
+
+  services.caddy.virtualHosts."upload.files.noratrieb.dev" = {
+    logFormat = "";
+    extraConfig = ''
+      	encode zstd gzip
+        # we need HTTP/2 here because the server doesn't work with HTTP/1.1
+        # because it will send early 401 responses during the upload without consuming the body
+        # (this has been mostly fixed but still keep it)
+        reverse_proxy * h2c://localhost:3050
+    '';
+  };
 }
--- a/nix/apps/website/default.nix
+++ b/nix/apps/website/default.nix
@ -0,0 +1,34 @@
+{ pkgs, lib, my-projects-versions, ... }:
+let
+  website = import (pkgs.fetchFromGitHub my-projects-versions.website.fetchFromGitHub);
+  blog = pkgs.fetchFromGitHub my-projects-versions.blog.fetchFromGitHub;
+  slides = pkgs.fetchFromGitHub my-projects-versions.slides.fetchFromGitHub;
+  website-build = website { inherit pkgs slides blog; };
+in
+{
+  services.caddy.virtualHosts = {
+    "noratrieb.dev" = {
+      logFormat = "";
+      extraConfig = ''
+        encode zstd gzip
+        header -Last-Modified
+        root * ${import ../../packages/caddy-static-prepare {
+          name = "website";
+          src = website-build;
+          inherit pkgs lib;
+        }}
+        file_server {
+          etag_file_extensions .sha256
+          precompressed zstd gzip br
+        }
+      '';
+    };
+    "files.noratrieb.dev" = {
+      logFormat = "";
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * localhost:3902
+      '';
+    };
+  };
+}
--- a/nix/apps/widetom/default.nix
+++ b/nix/apps/widetom/default.nix
@ -1,12 +1,7 @@
 { config, pkgs, lib, my-projects-versions, ... }:
 let
  widetom = pkgs.rustPlatform.buildRustPackage {
-    src = pkgs.fetchFromGitHub {
-      owner = "Noratrieb";
-      repo = "widetom";
-      rev = my-projects-versions.widetom;
-      hash = "sha256-lSjlDozwKRLF62jsDaWo+8+rcQdeEgurEnuw00hk3o8=";
-    };
+    src = pkgs.fetchFromGitHub my-projects-versions.widetom.fetchFromGitHub;
    pname = "widetom";
    version = "0.1.0";
    cargoHash = "sha256-AWbdPcDc+QOW7U/FYbqlIsg+3MwfggKCTCw1z/ZbSEE=";
--- a/nix/hive.nix
+++ b/nix/hive.nix
@ -180,6 +180,8 @@
      ./modules/backup

      # apps
+      ./apps/website
+      ./apps/old-redirects
      ./apps/widetom
      ./apps/hugo-chat
      ./apps/killua
@ -211,6 +213,8 @@
      ./modules/caddy
      ./modules/garage
      ./modules/prometheus
+
+      ./apps/website
    ];

    system.stateVersion = "23.11";
@ -225,6 +229,7 @@
      ./modules/backup

      # apps
+      ./apps/website
      ./apps/does-it-build
    ];

--- a/nix/modules/caddy/base.Caddyfile
+++ b/nix/modules/caddy/base.Caddyfile
@ -1,59 +0,0 @@
-{
-	email noratrieb@proton.me
-	auto_https disable_redirects
-
-	storage s3 {
-		host "localhost:3900"
-		bucket "caddy-store"
-		# access_id ENV S3_ACCESS_ID
-		# secret_key ENV S3_SECRET_KEY
-
-		insecure true
-	}
-
-	servers {
-		metrics
-	}
-
-	log default {
-		output stdout
-		format json
-	}
-}
-
-# https://gist.github.com/ryanburnette/d13575c9ced201e73f8169d3a793c1a3
-(cors) {
-	@cors_preflight{args[0]} method OPTIONS
-	@cors{args[0]} header Origin {args[0]}
-
-	handle @cors_preflight{args[0]} {
-		header {
-			Access-Control-Allow-Origin "{args[0]}"
-			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-			Access-Control-Allow-Credentials "false"
-			Access-Control-Allow-Headers "${args[1]}"
-			Access-Control-Max-Age "86400"
-			defer
-		}
-		respond "" 204
-	}
-
-	handle @cors{args[0]} {
-		header {
-			Access-Control-Allow-Origin "{args[0]}"
-			Access-Control-Expose-Headers *
-			defer
-		}
-	}
-}
-
-http:// {
-	log
-	respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
-}
-
-# HTTP
-:9010 {
-	log
-	metrics /metrics
-}
--- a/nix/modules/caddy/default.nix
+++ b/nix/modules/caddy/default.nix
@ -1,4 +1,4 @@
-{ pkgs, config, lib, name, my-projects-versions, ... }:
+{ pkgs, config, lib, name, ... }:

 let
  caddy = pkgs.callPackage ./caddy-build.nix {
@ -11,15 +11,6 @@ let
    ];
    vendorHash = "sha256-KP9bYitM/Pocw4DxOXPVBigWh4IykNf8yKJiBlTFZmI=";
  };
-  website = import (fetchTarball "https://github.com/Noratrieb/website/archive/${my-projects-versions.website}.tar.gz");
-  blog = fetchTarball "https://github.com/Noratrieb/blog/archive/${my-projects-versions.blog}.tar.gz";
-  slides = fetchTarball "https://github.com/Noratrieb/slides/archive/${my-projects-versions.slides}.tar.gz";
-  website-build = website { inherit pkgs slides blog; };
-  hugo-chat-client = fetchTarball {
-    url =
-      "https://github.com/C0RR1T/HugoChat/releases/download/2024-08-05/hugo-client.tar.xz";
-    sha256 = "sha256:121ai8q6bm7gp0pl1ajfk0k2nrfg05zid61i20z0j5gpb2qyhsib";
-  };
 in
 {
  environment.systemPackages = [ caddy ];
@ -43,79 +34,56 @@ in
  services.caddy = {
    enable = true;
    package = caddy;
-    configFile = pkgs.writeTextFile {
-      name = "Caddyfile";
-      text = (
-        builtins.readFile ./base.Caddyfile +
-        ''
-          ${config.networking.hostName}.infra.noratrieb.dev {
-              log
-              encode zstd gzip
-              header -Last-Modified
-              root * ${import ./caddy-static-prepare {
-                name = "debugging-page";
-                src = ./debugging-page;
-                inherit pkgs lib;
-              }}
-              file_server {
-                  etag_file_extensions .sha256
-                  precompressed zstd gzip br
-              }
+    logFormat = ''
+      output stdout
+      format json
+    '';
+    globalConfig = ''
+      email noratrieb@proton.me
+      auto_https disable_redirects
+
+      storage s3 {
+        host "localhost:3900"
+        bucket "caddy-store"
+        # access_id ENV S3_ACCESS_ID
+        # secret_key ENV S3_SECRET_KEY
+
+        insecure true
+      }
+
+      servers {
+        metrics
+      }
+    '';
+    virtualHosts = {
+      "http://" = {
+        logFormat = "";
+        extraConfig = ''
+          respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
+        '';
+      };
+      ":9010" = {
+        logFormat = "output discard";
+        extraConfig = ''
+          metrics /metrics
+        '';
+      };
+      "${name}.infra.noratrieb.dev" = {
+        logFormat = "";
+        extraConfig = ''
+          encode zstd gzip
+          header -Last-Modified
+          root * ${import ./caddy-static-prepare {
+            name = "debugging-page";
+            src = ./debugging-page;
+            inherit pkgs lib;
+          }}
+          file_server {
+            etag_file_extensions .sha256
+            precompressed zstd gzip br
          }
-
-          ${
-            if name == "vps1" || name == "vps3" || name == "vps4" then ''
-            noratrieb.dev {
-                log
-                encode zstd gzip
-                header -Last-Modified
-                root * ${import ./caddy-static-prepare {
-                  name = "website";
-                  src = website-build;
-                  inherit pkgs lib;
-                }}
-                file_server {
-                    etag_file_extensions .sha256
-                    precompressed zstd gzip br
-                }
-            }
-
-            files.noratrieb.dev {
-              log
-              encode zstd gzip
-
-              reverse_proxy * localhost:3902
-            }
-            '' else ""
-          }
-
-          ${if name == "vps1" then ''
-            hugo-chat.noratrieb.dev {
-              log
-              encode zstd gzip
-              root * ${import ./caddy-static-prepare {
-                name = "hugo-chat-client";
-                src = hugo-chat-client;
-                inherit pkgs lib;
-              }}
-              try_files {path} /index.html
-              file_server {
-                etag_file_extensions .sha256
-                precompressed zstd gzip br
-              }
-            }
-          '' else ""}
-
-          ${
-            if name == "vps1" || name == "vps3" || name == "vps4" then
-            builtins.readFile ./${name}.Caddyfile else ""
-          }
-        ''
-      );
-      checkPhase = ''
-        ${lib.getExe caddy} --version
-        ${lib.getExe caddy} validate --adapter=caddyfile --config=$out
-      '';
+        '';
+      };
    };
  };
 }
--- a/nix/modules/caddy/vps1.Caddyfile
+++ b/nix/modules/caddy/vps1.Caddyfile
@ -1,111 +0,0 @@
-www.noratrieb.dev {
-	log
-	redir https://noratrieb.dev{uri} permanent
-}
-
-api.hugo-chat.noratrieb.dev {
-	log
-	import cors https://hugo-chat.noratrieb.dev "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"
-	encode zstd gzip
-	reverse_proxy * localhost:5001
-}
-
-docker.noratrieb.dev {
-	log
-	reverse_proxy * localhost:5000
-}
-
-git.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:5015
-}
-
-olat.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:5011
-}
-
-# unsure if necessary... something was misconfigured in the past here...
-olat.noratrieb.dev:8088 {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:5011
-}
-
-upload.files.noratrieb.dev {
-	log
-	encode zstd gzip
-	# we need HTTP/2 here because the server doesn't work with HTTP/1.1
-	# because it will send early 401 responses during the upload without consuming the body
-	reverse_proxy * h2c://localhost:3050
-}
-
-################################################################
-# retired
-
-bisect-rustc.noratrieb.dev {
-	log
-	redir https://github.com/Noratrieb/cargo-bisect-rustc-service?tab=readme-ov-file#cargo-bisect-rustc-service
-}
-
-uptime.noratrieb.dev {
-	log
-	redir https://github.com/Noratrieb/uptime?tab=readme-ov-file#uptime
-}
-
-blog.noratrieb.dev {
-	log
-	redir https://noratrieb.dev/blog{uri} permanent
-}
-
-nilstrieb.dev {
-	log
-	redir https://noratrieb.dev{uri} permanent
-}
-
-www.nilstrieb.dev {
-	log
-	redir https://noratrieb.dev{uri} permanent
-}
-
-blog.nilstrieb.dev {
-	log
-	redir https://noratrieb.dev/blog{uri} permanent
-}
-
-bisect-rustc.nilstrieb.dev {
-	log
-	redir https://bisect-rustc.noratrieb.dev/blog{uri} permanent
-}
-
-docker.nilstrieb.dev {
-	log
-	redir https://docker.noratrieb.dev{uri} permanent
-}
-
-hugo-chat.nilstrieb.dev {
-	log
-	redir https://hugo-chat.noratrieb.dev{uri} permanent
-}
-
-api.hugo-chat.nilstrieb.dev {
-	log
-	redir https://api.hugo-chat.noratrieb.dev{uri} permanent
-}
-
-uptime.nilstrieb.dev {
-	log
-	redir https://uptime.noratrieb.dev{uri} permanent
-}
-
-olat.nilstrieb.dev {
-	log
-	redir https://olat.noratrieb.dev{uri} permanent
-}
-
-olat.nilstrieb.dev:8088 {
-	log
-	redir https://olat.noratrieb.dev{uri} permanent
-}
--- a/nix/modules/caddy/vps3.Caddyfile
+++ b/nix/modules/caddy/vps3.Caddyfile
@ -1,5 +0,0 @@
-grafana.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:3000
-}
--- a/nix/modules/caddy/vps4.Caddyfile
+++ b/nix/modules/caddy/vps4.Caddyfile
@ -1,5 +0,0 @@
-does-it-build.noratrieb.dev {
-	log
-	encode zstd gzip
-	reverse_proxy * localhost:3000
-}
--- a/nix/modules/default/default.nix
+++ b/nix/modules/default/default.nix
@ -1,11 +1,15 @@
 { pkgs, lib, name, my-projects-versions, networkingConfig, nixpkgs-path, ... }:
 let
-  pretense = import (fetchTarball "https://github.com/Noratrieb/pretense/archive/${my-projects-versions.pretense}.tar.gz");
-  quotdd = import (fetchTarball "https://github.com/Noratrieb/quotdd/archive/${my-projects-versions.quotdd}.tar.gz");
+  pretense = import (pkgs.fetchFromGitHub my-projects-versions.pretense.fetchFromGitHub);
+  quotdd = import (pkgs.fetchFromGitHub my-projects-versions.quotdd.fetchFromGitHub);
 in
 {
  deployment.targetHost = "${name}.infra.noratrieb.dev";

+  networking.hosts = {
+    "${networkingConfig.vps3.wg.privateIP}" = [ "loki.internal" "pyroscope.internal" "prometheus.internal" ];
+  };
+
  imports = [
    "${builtins.fetchTarball "https://github.com/ryantm/agenix/archive/de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6.tar.gz"}/modules/age.nix" # main 2024-07-26
  ];
@ -126,7 +130,7 @@ in
      };
      clients = [
        {
-          url = "http://vps3.local:3100/loki/api/v1/push";
+          url = "http://loki.internal:3100/loki/api/v1/push";
        }
      ];
      scrape_configs = [
@ -217,7 +221,7 @@ in

    pyroscope.write "endpoint" {
      endpoint {
-        url = "http://vps3.local:4040"
+        url = "http://pyroscope.internal:4040"
      }
      external_labels = {
        "instance" = env("HOSTNAME"),
--- a/nix/modules/garage/default.nix
+++ b/nix/modules/garage/default.nix
@ -35,12 +35,12 @@ in
      s3_api = {
        s3_region = "garage";
        api_bind_addr = "[::]:3900";
-        root_domain = ".s3.garage.localhost";
+        root_domain = ".s3.garage.internal";
      };

      s3_web = {
        bind_addr = "[::]:3902";
-        root_domain = ".web.garage.localhost";
+        root_domain = ".web.garage.internal";
        index = "index.html";
      };

--- a/nix/modules/prometheus/default.nix
+++ b/nix/modules/prometheus/default.nix
@ -18,7 +18,6 @@
        {
          job_name = "cadvisor";
          static_configs = [{ targets = map (name: "${name}.local:8080") (builtins.attrNames networkingConfig); }];
-
        }
        {
          job_name = "systemd";
@ -71,7 +70,7 @@
            name = "Prometheus";
            type = "prometheus";
            access = "proxy";
-            url = "http://vps3.local:9090";
+            url = "http://prometheus.internal:9090";
            jsonData = {
              httpMethod = "POST";
              prometheusType = "Prometheus";
@ -81,19 +80,27 @@
            name = "loki";
            type = "loki";
            access = "proxy";
-            url = "http://vps3.local:3100";
+            url = "http://loki.internal:3100";
          }
          {
            name = "pyroscope";
            type = "grafana-pyroscope-datasource";
            access = "proxy";
-            url = "http://vps3.local:4040";
+            url = "http://pyroscope.internal:4040";
          }
        ];
      };
    };
  };

+  services.caddy.virtualHosts."grafana.noratrieb.dev" = {
+    logFormat = "";
+    extraConfig = ''
+      encode zstd gzip
+      reverse_proxy * localhost:3000
+    '';
+  };
+
  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    config.services.loki.configuration.server.http_listen_port
    4040 # pyroscope
--- a/nix/modules/registry/default.nix
+++ b/nix/modules/registry/default.nix
@ -60,4 +60,11 @@
      };
    };
  };
+
+  services.caddy.virtualHosts."docker.noratrieb.dev" = {
+    logFormat = "";
+    extraConfig = ''
+      reverse_proxy * localhost:5000
+    '';
+  };
 }
--- a/nix/modules/wg-mesh/default.nix
+++ b/nix/modules/wg-mesh/default.nix
@ -9,7 +9,7 @@ in
    let
      hostsEntries = map
        (host:
-          let hostConfig = builtins.getAttr host networkingConfig; in
+          let hostConfig = networkingConfig."${host}"; in
          if builtins.hasAttr "wg" hostConfig then {
            name = hostConfig.wg.privateIP;
            value = [ "${host}.local" ];
--- a/nix/my-projects.json
+++ b/nix/my-projects.json
@ -1,11 +1,83 @@
 {
-  "website": "57c4a239da5d17eafde4ade165f3c6706639a9b4",
-  "blog": "ea2758dd10f29e8d66ca3f54d7303f2ac20005d2",
-  "slides": "0401f35c22b124b69447655f0c537badae9e223c",
-  "pretense": "270b01fc1118dfd713c1c41530d1a7d98f04527d",
-  "quotdd": "e922229e1d9e055be35dabd112bafc87a0686548",
-  "does-it-build": "81790825173d87f89656f66f12a123bc99e2f6f1",
-  "upload.files.noratrieb.dev": "0124fa5ba5446cb463fb6b3c4f52e7e6b84e5077",
-  "cluelessh": "c711cd405da4b7951e554577d09c9576bedf7970",
-  "widetom": "33d1738799618d72fe2b86896f766cbfea58dc76"
+  "website": {
+    "commit": "57c4a239da5d17eafde4ade165f3c6706639a9b4",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "website",
+      "rev": "57c4a239da5d17eafde4ade165f3c6706639a9b4",
+      "hash": "sha256-or6mCQjbc7tWAzzAKQpznZv+2vWJMhyzqxBPwRE2HKw="
+    }
+  },
+  "blog": {
+    "commit": "ea2758dd10f29e8d66ca3f54d7303f2ac20005d2",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "blog",
+      "rev": "ea2758dd10f29e8d66ca3f54d7303f2ac20005d2",
+      "hash": "sha256-LvQ41eJzOvI7mLYDTvlFwGZ2TKrZO26rasydqnEZ/t4="
+    }
+  },
+  "slides": {
+    "commit": "0401f35c22b124b69447655f0c537badae9e223c",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "slides",
+      "rev": "0401f35c22b124b69447655f0c537badae9e223c",
+      "hash": "sha256-K1Me4wf/GSfoc1PGWVJygPyTVV8SXienxUrzXkdCrjQ="
+    }
+  },
+  "pretense": {
+    "commit": "270b01fc1118dfd713c1c41530d1a7d98f04527d",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "pretense",
+      "rev": "270b01fc1118dfd713c1c41530d1a7d98f04527d",
+      "hash": "sha256-76ixjjrZ2xFz3uy92LHT4zbeNvab2f4J9C46MDVr+xQ="
+    }
+  },
+  "quotdd": {
+    "commit": "e922229e1d9e055be35dabd112bafc87a0686548",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "quotdd",
+      "rev": "e922229e1d9e055be35dabd112bafc87a0686548",
+      "hash": "sha256-LhTrUDAZDIVyggaO1deFjoC13M6aktzV3QINY01ThfY="
+    }
+  },
+  "does-it-build": {
+    "commit": "81790825173d87f89656f66f12a123bc99e2f6f1",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "does-it-build",
+      "rev": "81790825173d87f89656f66f12a123bc99e2f6f1",
+      "hash": "sha256-MCgGDd7Sg+BiG8L20Bbz8bHMB/Xuc1ztOVwv/b37BnQ="
+    }
+  },
+  "upload.files.noratrieb.dev": {
+    "commit": "9f31fe53f040f73edbbdc8afcc9bd3cdbc1cd8ab",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "upload.files.noratrieb.dev",
+      "rev": "9f31fe53f040f73edbbdc8afcc9bd3cdbc1cd8ab",
+      "hash": "sha256-IQug0slBlMpHTqrj/SlJKPWCMijSka+s33HDeMf8rd0="
+    }
+  },
+  "cluelessh": {
+    "commit": "c711cd405da4b7951e554577d09c9576bedf7970",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "cluelessh",
+      "rev": "c711cd405da4b7951e554577d09c9576bedf7970",
+      "hash": "sha256-UTo5RUda/AcwGiPEeeliuA78TVMJzvBhhXs4Fr2+BGg="
+    }
+  },
+  "widetom": {
+    "commit": "33d1738799618d72fe2b86896f766cbfea58dc76",
+    "fetchFromGitHub": {
+      "owner": "Noratrieb",
+      "repo": "widetom",
+      "rev": "33d1738799618d72fe2b86896f766cbfea58dc76",
+      "hash": "sha256-lSjlDozwKRLF62jsDaWo+8+rcQdeEgurEnuw00hk3o8="
+    }
+  }
 }
--- a/nix/packages/caddy-static-prepare/default.nix
+++ b/nix/packages/caddy-static-prepare/default.nix
@ -0,0 +1,13 @@
+{ pkgs, lib, name, src ? null, ... }: pkgs.stdenv.mkDerivation {
+  inherit name src;
+
+  buildInputs = with pkgs; [ python311 python311Packages.zstandard python311Packages.brotli ];
+
+  buildPhase = ''
+    mkdir -p $out
+    cp -r $src/* $out/
+    chmod -R +w $out
+    ${lib.getExe pkgs.python311} ${./prepare.py} $out
+    chmod -R -w $out
+  '';
+}
--- a/nix/packages/caddy-static-prepare/prepare.py
+++ b/nix/packages/caddy-static-prepare/prepare.py
@ -0,0 +1,60 @@
+import os
+import sys
+import gzip
+import brotli
+import zstandard
+import hashlib
+
+
+def usage():
+    print("usage: prepare.py [SRC]")
+
+
+def write_etag(path, content):
+    shasum = hashlib.sha256(content)
+    etag_path = path+".sha256"
+    with open(etag_path, "w") as f:
+        print(f"Writing ETag {etag_path}")
+        f.write(f'"{shasum.hexdigest()}"')
+
+
+def main():
+    if len(sys.argv) < 2:
+        usage()
+        exit(1)
+
+    src_dir = sys.argv[1]
+
+    for root, dirs, files in os.walk(src_dir):
+        for file in files:
+            path = os.path.join(root, file)
+
+            # Ignore etags
+            if path.endswith(".sha256") or path.endswith(".b3sum"):
+                continue
+
+            # Ignore already compressed files        
+            if path.endswith(".gz") or path.endswith(".zst") or path.endswith(".br"):
+                continue
+
+            with open(path, "rb") as f:
+                content = f.read()
+
+            compressions = [
+                (".gz", gzip),
+                (".zst", zstandard),
+                (".br", brotli),
+            ]
+
+            for ext, alg in compressions:
+                new_path = path+ext
+                with open(new_path, "wb") as out:
+                    print(f"Writing {new_path}")
+                    compressed = alg.compress(content)
+                    out.write(compressed)
+                    write_etag(new_path, compressed)
+
+            write_etag(path, content)
+
+if __name__ == "__main__":
+    main()
--- a/nix/update-my-projects.mjs
+++ b/nix/update-my-projects.mjs
@ -1,11 +1,28 @@
 import fs from "node:fs/promises";
+import child_process from "node:child_process";
+
+const fetchHash = (url) => {
+  const res = child_process.execFileSync("nix", [
+    "store",
+    "prefetch-file",
+    "--unpack",
+    "--hash-type",
+    "sha256",
+    "--json",
+    url,
+  ]);
+  const out = new TextDecoder().decode(res).trim();
+  const { hash } = JSON.parse(out);
+  return hash;
+};

 const path = `${import.meta.dirname}/my-projects.json`;
 const projects = JSON.parse(await fs.readFile(path));

 let hasChanges = false;

-for (const [name, commit] of Object.entries(projects)) {
+for (const [name, state] of Object.entries(projects)) {
+  const { commit } = state;
  const res = await fetch(
    `https://api.github.com/repos/Noratrieb/${name}/commits/HEAD`
  );
@ -21,7 +38,18 @@ for (const [name, commit] of Object.entries(projects)) {
    console.log(
      `${name} changed from ${commit} -> ${latestCommit} (${body.commit.message})`
    );
-    projects[name] = latestCommit;
+
+    const url = `https://github.com/Noratrieb/${name}/archive/${latestCommit}.tar.gz`;
+
+    projects[name] = {
+      commit: latestCommit,
+      fetchFromGitHub: {
+        owner: "Noratrieb",
+        repo: name,
+        rev: latestCommit,
+        hash: fetchHash(url),
+      },
+    };
    hasChanges = true;
  }
 }
--- a/shell.nix
+++ b/shell.nix
@ -12,6 +12,13 @@
    python311Packages.zstandard
    python311Packages.brotli
    nodejs
-    (import (builtins.fetchTarball "https://github.com/ryantm/agenix/archive/531beac616433bac6f9e2a19feb8e99a22a66baf.tar.gz") { }).agenix
+    (import
+      (pkgs.fetchFromGitHub {
+        owner = "ryantm";
+        repo = "agenix";
+        rev = "531beac616433bac6f9e2a19feb8e99a22a66baf";
+        hash = "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=";
+      })
+      { }).agenix
  ];
 }
Author	SHA1	Message	Date
Noratrieb	db714febbf	don't do fetchTarball	2025-08-04 22:18:54 +02:00
Noratrieb	9121101308	some hostnames	2025-08-04 21:51:46 +02:00
Noratrieb	33a7017375	convert caddy to nixos builtin	2025-08-04 21:18:59 +02:00