chore: update

2026-04-14 14:21:45 +04:00 · 2025-09-22 18:37:19 +09:00 · 2025-09-22 18:37:19 +09:00 · bbacfb100e
commit bbacfb100e
parent 8f90650888
11 changed files with 198 additions and 65 deletions
--- a/nix/server/default.nix
+++ b/nix/server/default.nix
@ -20,6 +20,9 @@ in {

 		forgejo = lib.mkEnableOption "";

+		dns = lib.mkEnableOption "";
+		nix-cache = lib.mkEnableOption "";
+
 		sitePath = lib.mkOption {
 			type = lib.types.str;
 		};
@ -31,6 +34,8 @@ in {
 		./boot.nix
 		./site.nix
 		./forgejo.nix
+		./dns.nix
+		./nix-cache.nix
 	];

 	config = {
--- a/nix/server/dns.nix
+++ b/nix/server/dns.nix
@ -0,0 +1,34 @@
+
+{ config
+, pkgs
+, lib
+, self
+, nixpkgs
+, kp2pml30-moe
+, system
+, ...
+}@args:
+let
+	cfg = config.kp2pml30.server;
+in lib.mkIf cfg.nginx {
+	services.coredns.enable = true;
+	services.coredns.config = ''
+		dns://.:53 {
+			forward . tls://1.1.1.1 {
+				tls
+				tls_servername cloudflare-dns.com
+			}
+			cache
+		}
+
+		https://.:8003 {
+			forward . dns://127.0.0.1:53 {
+				tls
+				tls_servername cloudflare-dns.com
+				policy random
+			}
+			cache
+		}
+	'';
+	# networking.networkmanager.insertNameservers = [ "127.0.0.1" ];
+}
--- a/nix/server/nginx.nix
+++ b/nix/server/nginx.nix
@ -14,7 +14,7 @@ in lib.mkIf cfg.nginx {
 		defaults.email = "kp2pml30@gmail.com";
 		#defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 		certs."${cfg.hostname}" = {
-			extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" "git.${cfg.hostname}" "backend.${cfg.hostname}" ];
+			extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" "git.${cfg.hostname}" "backend.${cfg.hostname}" "dns.${cfg.hostname}" "cache.nix.${cfg.hostname}" ];
 			webroot = acmeRoot;
 			group = "nginx";
 		};
@ -23,47 +23,74 @@ in lib.mkIf cfg.nginx {
 	services.nginx = {
 		enable = true;

-		virtualHosts."git.${cfg.hostname}" = {
-			enableACME = true;
-			acmeRoot = acmeRoot;
+		virtualHosts = {
+			"git.${cfg.hostname}" = {
+				enableACME = true;
+				acmeRoot = acmeRoot;

-			listen = [
-				{ addr = "0.0.0.0"; port = 80; }
-			];
+				listen = [
+					{ addr = "0.0.0.0"; port = 80; }
+				];

-			locations."/" = {
-				proxyPass = "http://127.0.0.1:8002";
+				locations."/" = {
+					proxyPass = "http://127.0.0.1:8002";
+				};
 			};
-		};

-		virtualHosts."backend.${cfg.hostname}" = {
-			enableACME = true;
-			acmeRoot = acmeRoot;
+			"backend.${cfg.hostname}" = {
+				enableACME = true;
+				acmeRoot = acmeRoot;

-			listen = [
-				{ addr = "0.0.0.0"; port = 80; }
-			];
+				listen = [
+					{ addr = "0.0.0.0"; port = 80; }
+				];

-			locations."/" = {
-				proxyPass = "http://127.0.0.1:8001";
+				locations."/" = {
+					proxyPass = "http://127.0.0.1:8001";
+				};
 			};
-		};

-		virtualHosts."${cfg.hostname}" = {
-			# addSSL = true;
-			# forceSSL = true;
-			enableACME = true;
-			acmeRoot = acmeRoot;
+			"dns.${cfg.hostname}" = {
+				enableACME = true;
+				acmeRoot = acmeRoot;

-			listen = [
-				{ addr = "0.0.0.0"; port = 80; }
-			];
+				listen = [
+					{ addr = "0.0.0.0"; port = 80; }
+				];

-			locations."/" = {
-				root = cfg.sitePath;
-				tryFiles = "$uri $uri/ /index.html";
+				locations."/" = {
+					proxyPass = "http://127.0.0.1:8003";
+				};
 			};
-		};
+
+
+			"${cfg.hostname}" = {
+				# addSSL = true;
+				# forceSSL = true;
+				enableACME = true;
+				acmeRoot = acmeRoot;
+
+				listen = [
+					{ addr = "0.0.0.0"; port = 80; }
+				];
+
+				locations."/" = {
+					root = cfg.sitePath;
+					tryFiles = "$uri $uri/ /index.html";
+				};
+			};
+		} // (if cfg.nix-cache then {
+			"cache.nix.${cfg.hostname}" = {
+				enableACME = true;
+				acmeRoot = acmeRoot;
+				listen = [
+					{ addr = "0.0.0.0"; port = 80; }
+				];
+				locations."/" = {
+					proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+				};
+			};
+		} else {});

 		streamConfig = (builtins.readFile ./stream.nginx);
 	};
--- a/nix/server/nix-cache.nix
+++ b/nix/server/nix-cache.nix
@ -0,0 +1,18 @@
+
+{ config
+, pkgs
+, lib
+, self
+, nixpkgs
+, kp2pml30-moe
+, system
+, ...
+}@args:
+let
+	cfg = config.kp2pml30.server;
+in lib.mkIf cfg.nix-cache {
+	services.nix-serve = {
+		enable = true;
+		secretKeyFile = "/var/cache-priv-key.pem";
+	};
+}
--- a/nix/server/stream.nginx
+++ b/nix/server/stream.nginx
@ -14,6 +14,7 @@ map $ssl_preread_server_name $name {

 	kp2pml30.moe                            self;
 	git.kp2pml30.moe                        self;
+	cache.nix.kp2pml30.moe                        self;

 	default                                 deny;
 }
@ -83,7 +84,7 @@ server {

 server {
 	listen          443 ssl;
-	server_name     kp2pml30.moe git.kp2pml30.moe backend.kp2pml30.moe;
+	server_name     kp2pml30.moe git.kp2pml30.moe backend.kp2pml30.moe dns.kp2pml30.moe cache.nix.kp2pml30.moe;
 	proxy_pass      self;

 	ssl_certificate         /var/lib/acme/kp2pml30.moe/fullchain.pem;