My nix-darwin and NixOS config


flake: update

+126 -24
+24 -24
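--- a/flake.lock
+++ b/flake.lock
@@ -101,11 +101,11 @@
  ]
  },
  "locked": {
- "lastModified": 1773264488,
- "narHash": "sha256-rK0507bDuWBrZo+0zts9bCs/+RRUEHuvFE5DHWPxX/Q=",
+ "lastModified": 1773681845,
+ "narHash": "sha256-o8hrZrigP0JYcwnglCp8Zi8jQafWsxbDtRRPzuVwFxY=",
  "owner": "nix-community",
  "repo": "home-manager",
- "rev": "5c0f63f8d55040a7eed69df7e3fcdd15dfb5a04c",
+ "rev": "0759e0e137305bc9d0c52c204c6d8dffe6f601a6",
  "type": "github"
  },
  "original": {
@@ -167,11 +167,11 @@
  ]
  },
  "locked": {
- "lastModified": 1773500041,
- "narHash": "sha256-a4XM/aOCMWD1DUWiT/n04abAu7P3iGyGGDhGmeuxGhE=",
+ "lastModified": 1773727286,
+ "narHash": "sha256-n7gZKq9pJb0IoRsAPxZqjYWbm8/v2UdrZxARlmlKzvk=",
  "owner": "oddlama",
  "repo": "nix-topology",
- "rev": "c2241be404b75c78af026dfafbae8d40affa7f45",
+ "rev": "49b439d8749703989a42f28a4bfe198b2b315894",
  "type": "github"
  },
  "original": {
@@ -187,11 +187,11 @@
  ]
  },
  "locked": {
- "lastModified": 1773456042,
- "narHash": "sha256-XYrRyP6SaR5ksxyP7bWNdGRpOj+4n0Oa8RQtakGwS38=",
+ "lastModified": 1773802261,
+ "narHash": "sha256-yA91ySZRw9x7aLSy79LCWXt3l05lwNIfuNnGqz7Jy5A=",
  "owner": "nix-community",
  "repo": "nix-vscode-extensions",
- "rev": "02ac31746ca30eccfd5d9cfe9bc9a4ab807134e4",
+ "rev": "af36c53062b124e097e2a545c68eacfde3fc715b",
  "type": "github"
  },
  "original": {
@@ -248,11 +248,11 @@
  },
  "nixpkgs-unstable": {
  "locked": {
- "lastModified": 1773389992,
- "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
+ "lastModified": 1773734432,
+ "narHash": "sha256-IF5ppUWh6gHGHYDbtVUyhwy/i7D261P7fWD1bPefOsw=",
  "owner": "nixos",
  "repo": "nixpkgs",
- "rev": "c06b4ae3d6599a672a6210b7021d699c351eebda",
+ "rev": "cda48547b432e8d3b18b4180ba07473762ec8558",
  "type": "github"
  },
  "original": {
@@ -312,11 +312,11 @@
  },
  "nixpkgs_5": {
  "locked": {
- "lastModified": 1773375660,
- "narHash": "sha256-SEzUWw2Rf5Ki3bcM26nSKgbeoqi2uYy8IHVBqOKjX3w=",
+ "lastModified": 1773814637,
+ "narHash": "sha256-GNU+ooRmrHLfjlMsKdn0prEKVa0faVanm0jrgu1J/gY=",
  "owner": "nixos",
  "repo": "nixpkgs",
- "rev": "3e20095fe3c6cbb1ddcef89b26969a69a1570776",
+ "rev": "fea3b367d61c1a6592bc47c72f40a9f3e6a53e96",
  "type": "github"
  },
  "original": {
@@ -333,11 +333,11 @@
  ]
  },
  "locked": {
- "lastModified": 1773502766,
- "narHash": "sha256-L1S2SpApDZWBx/Ku4TvimvZhfs8qcY9B0eWIuklNAZ0=",
+ "lastModified": 1773626560,
+ "narHash": "sha256-SUwraLLuxH7AANRygLUC7SzC839ttetdMYXul1APOZc=",
  "owner": "ewanc26",
  "repo": "pkgs",
- "rev": "2d4459a479080ce75991cebf81202bfdfe96a7ec",
+ "rev": "84e025a822e2aa466af3f0e63ac3b8068fff300a",
  "type": "github"
  },
  "original": {
@@ -391,11 +391,11 @@
  ]
  },
  "locked": {
- "lastModified": 1773096132,
- "narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=",
+ "lastModified": 1773698643,
+ "narHash": "sha256-VCiDjE8kNs8uCAK73Ezk1r3fFuc4JepvW07YFqaN968=",
  "owner": "Mic92",
  "repo": "sops-nix",
- "rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784",
+ "rev": "8237de83e8200d16fe0c4467b02a1c608ff28044",
  "type": "github"
  },
  "original": {
@@ -441,11 +441,11 @@
  ]
  },
  "locked": {
- "lastModified": 1773491336,
- "narHash": "sha256-WG2l7h0hCHFh4yguqXIzgl2KI7plopGf/raGb9fqJ5U=",
+ "lastModified": 1773796115,
+ "narHash": "sha256-5JuA75F3v3kCom0ncuhSKlscFNuoV2iBcok68tZdMdQ=",
  "owner": "tgirlcloud",
  "repo": "pkgs",
- "rev": "d2fc453f1f564554dcad3f36abf03171a33afe69",
+ "rev": "fe215dd510b9488341202689a562c8b4a2cf4315",
  "type": "github"
  },
  "original": {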
+102
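--- a/modules/server/mastofe.nix
+++ b/modules/server/mastofe.nix
@@ -0,0 +1,102 @@
+ ##############################################################################
+ # masto-fe-standalone — GoToSocial's fork of the Mastodon/glitch-soc
+ # frontend, served as a static site on fe.ap.ewancroft.uk.
+ #
+ # Architecture:
+ # Caddy file_server (127.0.0.1:cfg.mastofe.caddyPort)
+ # ↑ Cloudflare tunnel (outbound only)
+ #
+ # The frontend is purely client-side — it authenticates against GTS via
+ # OAuth from the browser. No backend process runs here.
+ #
+ # Source: https://codeberg.org/superseriousbusiness/masto-fe-standalone
+ #
+ # First-time hash pinning:
+ # Run the following to get the correct src hash:
+ # nix-prefetch-git --url https://codeberg.org/superseriousbusiness/masto-fe-standalone.git \
+ # --rev <commit-or-tag>
+ # And for the yarn deps hash:
+ # nix build .#mastofe --impure (will fail and print the correct hash)
+ # Then fill both hashes in below.
+ ##############################################################################
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ let
+ cfg = config.myConfig;
+ mfe = cfg.mastofe;
+ caddyPort = toString mfe.caddyPort;
+
+ # ── Source derivation ──────────────────────────────────────────────────────
+ # Pin to a specific commit for reproducibility.
+ # Update rev + hash together when you want to pull in upstream changes.
+ mastoFeSrc = pkgs.fetchFromGitea {
+ domain = "codeberg.org";
+ owner = "superseriousbusiness";
+ repo = "masto-fe-standalone";
+ # TODO: replace with the latest tag/commit from
+ # https://codeberg.org/superseriousbusiness/masto-fe-standalone/releases
+ rev = "main";
+ hash = lib.fakeHash;
+ };
+
+ # ── Build derivation ────────────────────────────────────────────────────────
+ # masto-fe-standalone is a Yarn-based Vite project.
+ # After `yarn build` the compiled assets land in dist/.
+ mastoFe = pkgs.mkYarnPackage {
+ name = "masto-fe-standalone";
+ src = mastoFeSrc;
+
+ # TODO: obtain with:
+ # nix-prefetch-url "$(nix eval --raw '<nixpkgs/pkgs/development/node-packages/yarn.lock')"
+ # or just let Nix tell you the right value on first build.
+ offlineCache = pkgs.fetchYarnDeps {
+ yarnLock = "${mastoFeSrc}/yarn.lock";
+ hash = lib.fakeHash;
+ };
+
+ buildPhase = ''
+ export HOME=$(mktemp -d)
+ yarn --offline build
+ '';
+
+ installPhase = ''
+ cp -r dist $out
+ '';
+
+ # masto-fe-standalone has no server-side JS — skip the default node_modules
+ # dist and just keep the compiled static assets.
+ distPhase = "true";
+ };
+ in
+ lib.mkIf cfg.services.mastofe.enable {
+
+ # ── Caddy virtual host ────────────────────────────────────────────────────
+ # Plain HTTP on the internal caddyPort — TLS is terminated by Cloudflare.
+ services.caddy.virtualHosts."http://${mfe.hostname}:${caddyPort}" = {
+ extraConfig = ''
+ root * ${mastoFe}
+ file_server
+
+ # Security headers
+ header {
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "DENY"
+ Referrer-Policy "strict-origin-when-cross-origin"
+ Permissions-Policy "interest-cohort=()"
+ }
+
+ # Cache static assets aggressively; HTML never cached (SPA routing).
+ @assets {
+ path *.js *.css *.woff2 *.woff *.ttf *.png *.svg *.ico
+ }
+ header @assets Cache-Control "public, max-age=31536000, immutable"
+ header /index.html Cache-Control "no-store"
+
+ encode zstd gzip
+ '';
+ };
+ }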
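Review bot: The virtual host `http://${mfe.hostname}:${caddyPort}` never restricts its listener to loopback, although the header comment describes Caddy as serving on 127.0.0.1; without a bind address Caddy listens on every interface, so the plain-HTTP site is reachable directly on that port wherever the host firewall permits, outside the Cloudflare tunnel. Unless another module already sets this, adding `bind 127.0.0.1` as the first line of `extraConfig` (or `listenAddresses = [ "127.0.0.1" ];` on the virtual host) would make the configuration match the comment. Separately, `rev = "main"` in `mastoFeSrc` is a moving branch, not the pinned commit the comment above it asks for: once a real value replaces `lib.fakeHash`, the fetch will either fail when the branch advances or keep resolving to an already-cached older tree, so the rev should be a full commit hash that is updated together with `hash`.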