Use Brotli instead of ZSTD for Nginx

Remove redundant secret injection for oink
Upgrade to NixOS 25.11
2025-12-01 09:26:14 +01:00 · 2025-12-01 09:25:15 +01:00 · 2025-12-01 09:24:18 +01:00
8 changed files with 20 additions and 13 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -210,6 +210,11 @@ with pkgs;
      owner = "inadyn";
      group = "inadyn";
    };
+    secrets.inadyn-porkbun-secret = {
+      file = secrets/inadyn-porkbun-secret.age;
+      owner = "inadyn";
+      group = "inadyn";
+    };
    secrets.acme-duckdns = {
      file = secrets/acme-duckdns.age;
      owner = "acme";
--- a/flake.lock
+++ b/flake.lock
@@ -153,16 +153,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1755922037,
-        "narHash": "sha256-wY1+2JPH0ZZC4BQefoZw/k+3+DowFyfOxv17CN/idKs=",
+        "lastModified": 1764522689,
+        "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b1b3291469652d5a2edb0becc4ef0246fff97a7c",
+        "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
        "type": "indirect"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
  description = "System configuration for zion";

  inputs = {
-    nixpkgs.url = "nixpkgs/nixos-25.05";
+    nixpkgs.url = "nixpkgs/nixos-25.11";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
    agenix = {
      url = "github:ryantm/agenix";
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -47,11 +47,9 @@ in
  # NOTE Temporary workaround until Inadyn fixes the Porkbun module
  services.oink = {
    enable = true;
-    settings = {
-      apiKey = "PLACEHOLDER";
-      secretApiKey = "PLACEHOLDER";
-      interval = 1800;
-    };
+    apiKeyFile = config.age.secrets.inadyn-porkbun.path;
+    secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
+    settings.interval = 1800;
    domains = [
      {
        domain = "psydnd.org";
@@ -59,8 +57,6 @@ in
      }
    ];
  };
-  # NOTE Load credentials using environment variables
-  systemd.services.oink.serviceConfig.EnvironmentFile = config.age.secrets.inadyn-porkbun.path;

  # Firewall configuration
  networking.firewall = {
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -11,7 +11,7 @@
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
-    recommendedZstdSettings = true;
+    recommendedBrotliSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    clientMaxBodySize = "0";
--- a/secrets/inadyn-porkbun-secret.age
+++ b/secrets/inadyn-porkbun-secret.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
+MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
+--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
+<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29><0B><>%fc<66><63>XZչ 7+yB
--- a/secrets/inadyn-porkbun.age
+++ b/secrets/inadyn-porkbun.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,7 @@ in
  "signal.age".publicKeys = [ zion ];
  "inadyn-duckdns.age".publicKeys = [ zion ];
  "inadyn-porkbun.age".publicKeys = [ zion ];
+  "inadyn-porkbun-secret.age".publicKeys = [ zion ];
  "acme-duckdns.age".publicKeys = [ zion ];
  "acme-porkbun.age".publicKeys = [ zion ];
  "microbin.age".publicKeys = [ zion ];
Author	SHA1	Message	Date
coolneng	22fc403563	Use Brotli instead of ZSTD for Nginx	2025-12-01 09:26:14 +01:00
coolneng	d5e11e4909	Remove redundant secret injection for oink	2025-12-01 09:25:15 +01:00
coolneng	bcc764dd50	Upgrade to NixOS 25.11	2025-12-01 09:24:18 +01:00