diff --git a/hosts/by-name/servo/services/gitea.nix b/hosts/by-name/servo/services/gitea.nix
index 31a48e989..f81f1ea99 100644
--- a/hosts/by-name/servo/services/gitea.nix
+++ b/hosts/by-name/servo/services/gitea.nix
@@ -1,6 +1,6 @@
# config options:
# TODO: service shouldn't run as `git` user, but as `gitea`
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
{
sane.persist.sys.byStore.private = [
@@ -122,9 +122,17 @@
# services.openssh.settings.UsePAM = true; #< required for `git` user to authenticate
+ services.anubis.instances."git.uninsane.org".settings.TARGET = "http://127.0.0.1:3000";
+
# hosted git (web view and for `git ` use
# TODO: enable publog?
- services.nginx.virtualHosts."git.uninsane.org" = {
+ services.nginx.virtualHosts."git.uninsane.org" = let
+ # XXX(2025-07-24): gitea's still being crawled, even with robots.txt.
+ # the load is less than when Anthropic first started, but it's still pretty high (like 600%).
+ # place behind anubis to prevent AI crawlers from hogging my CPU (gitea is slow to render pages).
+ proxyPass = "http://unix:${config.services.anubis.instances."git.uninsane.org".settings.BIND}";
+ # proxyPass = "http://127.0.0.1:3000";
+ in {
forceSSL = true; # gitea complains if served over a different protocol than its config file says
enableACME = true;
# inherit kTLS;
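Review bot: HTTPS git traffic now goes through anubis as well, because the `proxyPass` binding used by the `/` location points at the anubis socket while the comment above still advertises this host for `git` use; a `git` client cannot answer a browser challenge, so clone/fetch over HTTPS presumably breaks unless the instance's policy exempts it. Confirm the anubis policy for `git.uninsane.org` allows `git/` user agents (or the `/info/refs` and `git-upload-pack` smart-HTTP paths), or record in the comment that HTTPS git is intentionally unsupported and SSH is the only transport. The `settings.TARGET` line sits apart from the virtualHost it serves, so a one-line comment tying the two together would help the next reader, e.g. `# anubis fronts gitea: nginx -> anubis unix socket -> gitea on 127.0.0.1:3000`. The `virtualHosts."git.uninsane.org"` attrset continues outside this hunk.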
@@ -133,16 +141,18 @@
'';
locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
+ inherit proxyPass;
+ recommendedProxySettings = true;
};
# fuck you @anthropic
- locations."= /robots.txt".extraConfig = ''
- return 200 "User-agent: *\nDisallow: /\n";
- '';
+ # locations."= /robots.txt".extraConfig = ''
+ # return 200 "User-agent: *\nDisallow: /\n";
+ # '';
# gitea serves all `raw` files as content-type: plain, but i'd like to serve them as their actual content type.
# or at least, enough to make specific pages viewable (serving unoriginal content as arbitrary content type is dangerous).
locations."~ ^/colin/phone-case-cq/raw/.*.html" = {
- proxyPass = "http://127.0.0.1:3000";
+ inherit proxyPass;
+ recommendedProxySettings = true;
extraConfig = ''
proxy_hide_header Content-Type;
default_type text/html;
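Review bot: The `locations."= /robots.txt"` block is commented out rather than deleted, which leaves the `# fuck you @anthropic` line annotating dead code and silently hands `/robots.txt` over to whatever gitea serves there, if anything; a blanket `Disallow: /` costs nothing alongside anubis and still turns away compliant crawlers without making them solve a challenge. Either restore the location or replace the three commented lines with a single comment stating the decision, e.g. `# robots.txt disallow dropped 2025-07-24: anubis now gates crawlers`. The `recommendedProxySettings = true` added to this location, to the `.js` location in the next hunk and to `/` presumably exists so anubis receives the real client address via the forwarded headers; a shared `let` binding next to `proxyPass` (e.g. `proxyLocation = { inherit proxyPass; recommendedProxySettings = true; };`) would keep the three in step if that header handling ever changes. The enclosing virtualHost ends outside this hunk.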
@@ -150,7 +160,8 @@
'';
};
locations."~ ^/colin/phone-case-cq/raw/.*.js" = {
- proxyPass = "http://127.0.0.1:3000";
+ inherit proxyPass;
+ recommendedProxySettings = true;
extraConfig = ''
proxy_hide_header Content-Type;
default_type text/html;
diff --git a/hosts/by-name/servo/services/nginx/default.nix b/hosts/by-name/servo/services/nginx/default.nix
index 6800fa1cf..dd626a484 100644
--- a/hosts/by-name/servo/services/nginx/default.nix
+++ b/hosts/by-name/servo/services/nginx/default.nix
@@ -22,12 +22,15 @@
};
services.nginx.enable = true;
+
+ users.users.nginx.extraGroups = [ "anubis" ];
# nginxStable is one release behind nginxMainline.
# nginx itself recommends running mainline; nixos defaults to stable.
# services.nginx.package = pkgs.nginxMainline;
# XXX(2024-07-31): nixos defaults to zlib-ng -- supposedly more performant, but spams log with
# "gzip filter failed to use preallocated memory: ..."
- services.nginx.package = pkgs.nginxMainline.override { zlib = pkgs.zlib; };
+ # XXX(2025-07-24): "gzip filter" spam is gone => use default nginx package
+ # services.nginx.package = pkgs.nginxMainline.override { zlib = pkgs.zlib; };
services.nginx.appendConfig = ''
# use 1 process per core.
# may want to increase worker_connections too, but `ulimit -n` must be increased first.
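Review bot: Commenting out `services.nginx.package` drops mainline entirely, not just the zlib override, although the comment two lines above still records mainline as nginx's own recommendation and the override existed only to work around the gzip log spam; if the spam is gone, `services.nginx.package = pkgs.nginxMainline;` keeps the earlier choice. If falling back to stable is deliberate, say so in the 2025-07-24 XXX comment and delete the dead override line instead of stacking a second commented-out variant under the first. The `users.users.nginx.extraGroups = [ "anubis" ];` line depends on the anubis socket being group-accessible, which is configured elsewhere; a short comment such as `# group access to the anubis unix socket that fronts gitea` would make that cross-file dependency visible to whoever later touches either side.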
diff --git a/hosts/common/ids.nix b/hosts/common/ids.nix
index 244742f7d..1d81104bf 100644
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -68,6 +68,8 @@
sane.ids.ollama.gid = 2422;
sane.ids.bitmagnet.uid = 2423;
sane.ids.bitmagnet.gid = 2423;
+ sane.ids.anubis.uid = 2424;
+ sane.ids.anubis.gid = 2424;
sane.ids.shelvacu.uid = 5431;
sane.ids.colin.uid = 1000;