From da816d4d941aa49f732c9ab000185e1f33112261 Mon Sep 17 00:00:00 2001
From: emily
Date: Thu, 11 Jan 2024 12:43:58 +0100
Subject: [PATCH] i think the web thingy is kinda done

---
 config/common-lxc.nix | 1 +
 config/common-nginx.nix | 20 ++++++++++----------
 flake.lock | 22 ++++++++++++++++++----
 flake.nix | 10 ++--------
 4 files changed, 31 insertions(+), 22 deletions(-)

diff --git a/config/common-lxc.nix b/config/common-lxc.nix
index 3f46f36..2824373 100644
--- a/config/common-lxc.nix
+++ b/config/common-lxc.nix
@@ -8,6 +8,7 @@ with lib; {
 manageNetwork = true;
 manageHostName = true;
 };
+ nixpkgs.hostPlatform.system = "x86_64-linux";
 networking.useDHCP = false;
 system.autoUpgrade.enable = true;
diff --git a/config/common-nginx.nix b/config/common-nginx.nix
index c9d3d63..b9ba1ba 100644
--- a/config/common-nginx.nix
+++ b/config/common-nginx.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, pkgs, lib, ... }: with lib; {
 security.dhparams.enable = true;
 security.dhparams.params.nginx = {};
 security.acme = {
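Review bot: Putting `with lib;` over the whole module on the `+{ config, pkgs, lib, ... }: with lib; {` line hides where names come from — every unqualified identifier in the file may now resolve to `lib` or to a module argument, and the only name the change actually needs is `mkDefault`. An explicit binding keeps provenance visible and the scope narrow: `{ config, pkgs, lib, ... }: let inherit (lib) mkDefault; in {`. The remainder of the module body lies outside this hunk.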
@@ -18,20 +18,20 @@
 recommendedTlsSettings = true;
 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
- sslProtocols = lib.mkDefault "TLSv1.3";
+ sslProtocols = mkDefault "TLSv1.3";
 sslDhparam = config.security.dhparams.params.nginx.path;
- clientMaxBodySize = "0";
+ clientMaxBodySize = mkDefault "128M";
 commonHttpConfig = ''
 map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
+ https "max-age=31536000; includeSubdomains; preload";
 }
- add_header Strict-Transport-Security $hsts_header;
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Referrer-Policy "same-origin" always;
+ add_header Strict-Transport-Security $hsts_header;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "same-origin" always;
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
 '';
 };
 }
diff --git a/flake.lock b/flake.lock
index e48db3b..5d06957 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,9 +3,7 @@
 "fernglas": {
 "inputs": {
 "flake-utils": "flake-utils",
- "nixpkgs": [
- "nixpkgs"
- ]
+ "nixpkgs": "nixpkgs"
 },
 "locked": {
 "lastModified": 1703863936,
@@ -55,6 +53,22 @@
 }
 },
 "nixpkgs": {
+ "locked": {
+ "lastModified": 1704722960,
+ "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
 "locked": {
 "lastModified": 1704722960,
 "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
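Review bot: The re-added `add_header Strict-Transport-Security $hsts_header;` is the only header in the block without `always`, so nginx omits HSTS on 4xx/5xx responses while the other headers are still sent; it should read `add_header Strict-Transport-Security $hsts_header always;`. The re-added `add_header X-XSS-Protection "1; mode=block" always;` turns on the legacy browser XSS auditor, which current guidance (OWASP, MDN) says to set to `"0"` or drop because the auditor itself has been abused for cross-site information leaks; the still-commented Content-Security-Policy line is the actual replacement and deserves a tracking comment such as `# TODO: enable CSP once each site's script sources are known`. Note also that nginx inherits `add_header` from the http level only when a server or location block defines no `add_header` of its own, so any vhost that adds one header silently drops this whole set — worth a comment above the block. The `services.nginx` attribute set this sits in opens before the start of the hunk.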
@@ -74,7 +88,7 @@
 "inputs": {
 "fernglas": "fernglas",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs_2"
 }
 },
 "systems": {
diff --git a/flake.nix b/flake.nix
index 226f473..83eb76e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,16 +3,10 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 nixos-hardware.url = "github:nixos/nixos-hardware";
-# fernglas.url = "github:wobcom/fernglas";
- fernglas = {
- type = "github";
- owner = "wobcom";
- repo = "fernglas";
- inputs.nixpkgs.follows = "nixpkgs";
- };
+ fernglas.url = "github:wobcom/fernglas";
 };
 
- outputs = { nixpkgs, nixos-hardware, fernglas, ... }@inputs: {
+ outputs = { self, nixpkgs, nixos-hardware, fernglas, ... }@inputs: {
 nixosConfigurations = {
 web02 = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
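Review bot: Replacing the `fernglas = { ... inputs.nixpkgs.follows = "nixpkgs"; }` block with `fernglas.url = "github:wobcom/fernglas";` drops the follows, so fernglas is now built from its own nixpkgs pin rather than the one the hosts run — the lock file in this commit already carries a second `nixpkgs_2` node for it. Today both nodes lock the same revision 317484b1ead87b9c1b8ac5261a8d2dd748a0492d, but they will drift, and the fernglas closure only picks up nixpkgs security fixes when that nested input is updated as well. If the follows was removed because fernglas no longer evaluates against nixos-unstable, that reason belongs next to the line, e.g. `# fernglas builds from its own nixpkgs pin: <reason>; restore inputs.nixpkgs.follows once fixed`; otherwise restoring `inputs.nixpkgs.follows = "nixpkgs"` keeps a single nixpkgs to patch. The `outputs` attribute continues past the end of the hunk.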