Diffstat (limited to 'system/linde.nix')
-rw-r--r--system/linde.nix110
1 files changed, 98 insertions, 12 deletions
diff --git a/system/linde.nix b/system/linde.nix
index 96ff92f8..45c62ccb 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -21,6 +21,7 @@ in
     [
       # Include the results of the hardware scan.
       ./linde-hardware.nix
+      <agenix/modules/age.nix>
     ];
   age.secrets = {
     paperless =
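Review bot: The added `<agenix/modules/age.nix>` import is resolved through NIX_PATH, so the module that decrypts this host's secrets comes from whatever channel or path is configured on the machine rather than from a pinned revision. The `system.autoUpgrade.flake` setting elsewhere in this file suggests the host is built from a flake, where angle-bracket lookups are rejected under pure evaluation. If agenix is already a flake input, importing its module from there (for example `inputs.agenix.nixosModules.default`, assuming `inputs` is passed to this module) would pin it in the lock file. The imports list begins outside this hunk, so the other entries are not visible here.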
@@ -48,10 +49,10 @@ in
 
   i18n.defaultLocale = "en_GB.UTF-8";
 
+  environment.enableAllTerminfo = true;
   environment.homeBinInPath = true;
   environment.localBinInPath = true;
   environment.systemPackages = with pkgs; [
-    kitty.terminfo
     htop
     lsof
     gitMinimal
@@ -95,6 +96,16 @@ in
         codeberg.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL2pDxWr18SoiDJCGZ5LmxPygTlPu+cCKSkpqkvCyQzl5xmIMeKNdfdBpfbCGDPoZQghePzFZkKJNR/v9Win3Sc=
         codeberg.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVIC02vnjFyL+I4RHfvIGNtOgJMe769VTF1VR4EB3ZB
       '')
+      (writeText "sr.ht.keys" ''
+        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
+        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
+        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
+        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
+        # git.sr.ht:22 SSH-2.0-OpenSSH_9.6
+        git.sr.ht ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ+l/lvYmaeOAPeijHL8d4794Am0MOvmXPyvHTtrqvgmvCJB8pen/qkQX2S1fgl9VkMGSNxbp7NF7HmKgs5ajTGV9mB5A5zq+161lcp5+f1qmn3Dp1MWKp/AzejWXKW+dwPBd3kkudDBA1fa3uK6g1gK5nLw3qcuv/V4emX9zv3P2ZNlq9XRvBxGY2KzaCyCXVkL48RVTTJJnYbVdRuq8/jQkDRA8lHvGvKI+jqnljmZi2aIrK9OGT2gkCtfyTw2GvNDV6aZ0bEza7nDLU/I+xmByAOO79R1Uk4EYCvSc1WXDZqhiuO2sZRmVxa0pQSBDn1DB3rpvqPYW+UvKB3SOz
+        git.sr.ht ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCj6y+cJlqK3BHZRLZuM+KP2zGPrh4H66DacfliU1E2DHAd1GGwF4g1jwu3L8gOZUTIvUptqWTkmglpYhFp4Iy4=
+        git.sr.ht ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60
+      '')
     ];
   };
 
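Review bot: The five identical `# git.sr.ht:22 SSH-2.0-OpenSSH_9.6` lines in the new `sr.ht.keys` file look like pasted ssh-keyscan output. That would mean the keys were collected over the network and are only as trustworthy as that one connection. Before pinning them system-wide, compare them with the host key fingerprints sourcehut publishes. Then replace the banner lines with a single provenance comment such as `# git.sr.ht host keys, checked against sourcehut's published fingerprints on <date>`. If every client on this host can negotiate ed25519, the `ssh-rsa` entry could be dropped so only the stronger key types are pinned.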
@@ -116,13 +127,16 @@ in
 
   system.autoUpgrade = {
     enable = true;
-    dates = "05:10";
+    dates = "02:10";
+    randomizedDelaySec = "59 min";
     allowReboot = true;
     flake = "git+file://${config.services.gitolite.dataDir}/repositories/nixfiles.git";
     flags = [
       "--no-write-lock-file"
       "--update-input"
-      "nixpkgs"
+      "nixpkgs-small"
+      "--update-input"
+      "searchix"
     ];
   };
 
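Review bot: With `allowReboot = true`, the added `"--update-input" "searchix"` means whatever is at the tip of that input is built, activated as root and possibly rebooted into without review. Because `--no-write-lock-file` is kept, the revisions actually deployed are never recorded in the repository. Consider updating the lock file in a reviewed commit and letting the timer consume only the committed lock. At minimum, document it with `# inputs are updated unattended; deployed revisions are not written back to flake.lock`. Since the start time is now randomised over 59 minutes, a `rebootWindow = { lower = "02:00"; upper = "05:00"; };` would keep reboots inside a known window.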
@@ -134,6 +148,13 @@ in
       auto-optimise-store = true;
       trusted-users = [ "root" "nixremote" ];
       experimental-features = [ "nix-command" "flakes" ];
+      substituters = [
+        "https://nix-community.cachix.org"
+      ];
+
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
     };
     gc = {
       automatic = true;
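Review bot: The new `trusted-public-keys` entry extends trust to a second signing key: Nix accepts any store path carrying a valid signature from a listed key, so this cache is trusted for every path, not only community packages. That is worth stating next to the setting, e.g. `# third-party cache: paths signed by this key are accepted for any derivation; key verified against the nix-community documentation`. If only a few packages need it, scoping the cache to the builds that use it (per-flake `nixConfig`, or `extra-substituters` on the command line) narrows the exposure. The `settings` block begins outside this hunk.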
@@ -242,13 +263,6 @@ in
 
   nixpkgs = {
     config.allowUnfree = true;
-    overlays = [
-      (self: super: {
-        cgit-pink = super.cgit-pink.overrideAttrs (old: {
-          patches = [ ../patches/cgit-pink.patch ];
-        });
-      })
-    ];
   };
 
   programs.fish = {
@@ -278,7 +292,9 @@ in
     createHome = true;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxa7lxDu0M4chats/VvpFzjT3ruexKa3J9UC6ASo3bN root@NanoPi.lan"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBmDSZnUzIPQowLrKSa24eSb1WFQe7yPjTcDPPe3UY0Q nix@mba"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9of82WBHK8nr8L9RGeieLMfcAWaFCeCkmvYHM9LCuT nanopi"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIy9jFioBvV0JA0lc+De2N+vDOABGHgCECW6vkD33CE4 sourcehut"
     ];
   };
 
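Review bot: The two added `authorizedKeys` entries (`nix@mba` and `sourcehut`) grant full, unrestricted login to this account. The account name is outside the hunk. If it is `nixremote`, which appears in `trusted-users` elsewhere in this file, each key holder can direct the Nix daemon with root-equivalent effect. The `sourcehut` key looks like an automation key, so it should carry authorized_keys options limiting what it can do, e.g. `"restrict ssh-ed25519 <key> sourcehut"`, with a forced `command=` if only one operation is needed. A one-line comment per key naming its owner and purpose would also make later revocation easier.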
@@ -593,8 +609,8 @@ in
       "files.alanpearce.eu" = {
         useACMEHost = "alanpearce.eu";
         extraConfig = ''
+          encode zstd gzip
           root * /srv/http/files
-          encode gzip zstd
           file_server browse
         '';
       };
@@ -607,7 +623,7 @@ in
           useACMEHost = "alanpearce.eu";
           extraConfig = ''
             root * ${pkgs.cgit-pink}/cgit/
-            encode gzip zstd
+            encode zstd gzip
             handle_path /custom/* {
               file_server {
                 root /srv/http/cgit/
@@ -668,9 +684,30 @@ in
       "ntfy.alanpearce.eu" = {
         useACMEHost = "alanpearce.eu";
         extraConfig = ''
+          encode zstd gzip
           reverse_proxy localhost${config.services.ntfy-sh.settings.listen-http}
         '';
       };
+      "searchix.alanpearce.eu" = {
+        useACMEHost = "alanpearce.eu";
+        extraConfig = ''
+          reverse_proxy localhost:${toString config.services.searchix.settings.web.port} {
+            health_uri /health
+            health_status 2xx
+          }
+          encode zstd gzip {
+            match {
+              header Content-Type text/*
+              header Content-Type application/json*
+              header Content-Type application/javascript*
+              header Content-Type application/opensearchdescription+xml
+              header Content-Type application/atom+xml*
+              header Content-Type application/rss+xml*
+              header Content-Type image/svg+xml*
+            }
+          }
+        '';
+      };
       "legit.alanpearce.eu" =
         let
           server = config.services.legit.settings.server;
@@ -678,6 +715,7 @@ in
         {
           useACMEHost = "alanpearce.eu";
           extraConfig = ''
+            encode zstd gzip
             handle_path /static/* {
               root * /srv/http/legit/src/static
               file_server
@@ -687,6 +725,7 @@ in
         };
       "papers.alanpearce.eu" = {
         extraConfig = ''
+          encode zstd gzip
           handle_path /static/* {
             root * ${config.services.paperless.package}/lib/paperless-ngx/static
             file_server
@@ -792,7 +831,54 @@ in
     enable = true;
     dataDir = "/srv/syncthing";
     configDir = "/var/lib/syncthing";
+    openDefaultPorts = true;
     overrideDevices = false;
     overrideFolders = false;
   };
+
+  services.searchix = {
+    enable = true;
+    settings = {
+      web = {
+        baseURL = "https://searchix.alanpearce.eu";
+        sentryDSN = "https://26d4cd8d20157ae2f6b4726ceae1a563@o4507187730120704.ingest.de.sentry.io/4507187734970448";
+        contentSecurityPolicy = {
+          script-src = [
+            "'self'"
+            "https://gc.zgo.at"
+            "https://js-de.sentry-cdn.com"
+            "https://browser.sentry-cdn.com"
+          ];
+          img-src = [
+            "'self'"
+            "https://gc.zgo.at"
+          ];
+          connect-src = [
+            "'self'"
+            "https://searchix.goatcounter.com/count"
+            "*.sentry.io"
+          ];
+          worker-src = [
+            "blob:"
+          ];
+        };
+        extraHeadHTML = ''
+          <script async
+            src="https://js-de.sentry-cdn.com/d735e99613a86e1625fb85d0e8e762de.min.js"
+            crossorigin="anonymous"></script>
+          <script data-goatcounter="https://searchix.goatcounter.com/count"
+                async src="//gc.zgo.at/count.js"></script>
+        '';
+      };
+
+      importer.sources = {
+        darwin = {
+          enable = true;
+          fetcher = "download";
+          url = "https://alanpearce.github.io/nix-darwin-options";
+        };
+        home-manager.enable = true;
+      };
+    };
+  };
 }
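Review bot: `openDefaultPorts = true` opens Syncthing's sync port (22000 TCP/UDP) and its local-discovery port (21027/UDP) in the firewall of a host that also serves public sites. Local discovery is rarely useful on an internet-facing server, so opening only the sync port through `networking.firewall.allowedTCPPorts` / `allowedUDPPorts` exposes less. In the new `contentSecurityPolicy`, `connect-src` allows `"*.sentry.io"`; it can be narrowed to the ingest host already present in `sentryDSN`. The goatcounter script in `extraHeadHTML` uses a protocol-relative `//gc.zgo.at/count.js`; writing it as `https://gc.zgo.at/count.js` matches the `script-src` entry exactly.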