flake: update

flake.lock

@@ -135,11 +135,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1775610697,
-        "narHash": "sha256-fw3+p16ZokENxpWPCLR7ngHUPz5lPvZZzKpQUwRgiXE=",
+        "lastModified": 1777339890,
+        "narHash": "sha256-/8cNnAn4FMZgIEEWf9chqo2ffH6bu/vDoJR8mnaNjtM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4f9024bce4025dc9a16d9fb27dd258d6cdf52862",
+        "rev": "fcf51609c44b7781822f4258feb16f15085ff47d",
         "type": "github"
       },
       "original": {
@@ -178,11 +178,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1775423009,
-        "narHash": "sha256-vPKLpjhIVWdDrfiUM8atW6YkIggCEKdSAlJPzzhkQlw=",
+        "lastModified": 1776877367,
+        "narHash": "sha256-EHq1/OX139R1RvBzOJ0aMRT3xnWyqtHBRUBuO1gFzjI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "68d8aa3d661f0e6bd5862291b5bb263b2a6595c9",
+        "rev": "0726a0ecb6d4e08f6adced58726b95db924cef57",
         "type": "github"
       },
       "original": {

hosts/defiant/services/nginx.nix

@@ -35,7 +35,7 @@ in {
   #   dnsProvider = "domeneshop";
   #   environmentFile = config.sops.secrets."domeneshop/acme".path;
   #   webroot = null;
-  # }
+  # };
   sops.secrets."domeneshop/acme" = {
     group = "nginx";
   };
@@ -63,15 +63,40 @@ in {
       '';
     } // overrides;
   in {
-    "amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
     "cloud.feal.no" = publicProxy "" {
+      listen = [
+        { addr = "192.168.10.175"; port = 43443; ssl = true; }
+        { addr = "192.168.10.175"; port = 43080; ssl = false; }
+        # Note: cloud.feal.no is overriden in the local DNS, to allow use through Wireguard VPN
+        { addr = "192.168.10.175"; port =   443; ssl = true; }
+        { addr = "192.168.10.175"; port =    80; ssl = false; }
+      ];
       locations."/" = {
         proxyPass = "http://challenger.home.feal.no";
         extraConfig = ''
           client_max_body_size 8G;
         '';
       };
+      extraConfig = ''
+          # Direct local traffic and NAT Hairpin
+          allow 192.168.10.0/24;
+
+          # Wireguard
+          allow 10.100.0.0/24;
+
+          # AS16185
+          allow 82.146.64.0/19;
+          allow 217.31.96.0/20;
+          allow 185.166.44.0/22;
+
+          # NTNU
+          allow 129.241.0.0/16;
+
+          deny all;
+      '';
     };
+
+    "amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
     "feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
     "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
     "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
@@ -79,4 +104,10 @@ in {
     "kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
     "wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
   };
+
+  security.acme.certs."cloud.feal.no" = {
+    dnsProvider = "domeneshop";
+    environmentFile = config.sops.secrets."domeneshop/acme".path;
+    webroot = null;
+  };
 }

hosts/leonard/hardware-configuration.nix

@@ -15,7 +15,10 @@
       fsType = "ext4";
     };
 
-  swapDevices = [ ]; # TODO
+  swapDevices = [ {
+    device = "/swapfile";
+    size = 4*1024;
+  } ];
 
   networking.useDHCP = lib.mkDefault false;
   # networking.interfaces.ens18.useDHCP = lib.mkDefault true;

hosts/morn/hardware-configuration.nix

@@ -24,7 +24,10 @@
       options = [ "fmask=0077" "dmask=0077" ];
     };
 
-  swapDevices = [ ];
+  swapDevices = [ {
+    device = "/swapfile";
+    size = 4*1024;
+  } ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's