feat: Update cinny to use hashRouter and update caddy reverse proxy

Reviewed-on: #1

AGENTS.md

@@ -4,28 +4,8 @@ This repository contains NixOS, nix-darwin, and Home Manager configurations in N
 
 ## Build, Test, and Deployment Commands
 
-### Build and Apply Configurations
+### Build and Apply Configurations & Deploy to Remote Machines
-
+Can use deploy for both local and remote hosts
-**Linux (NixOS):**
-```bash
-just build                          # Build configuration
-just install cores='32'             # Apply with 32 cores
-sudo nixos-rebuild test --fast --flake .  # Test without activation
-sudo nixos-rebuild switch --rollback --flake .  # Rollback
-```
-
-**macOS (nix-darwin):**
-```bash
-just build                          # Build configuration
-just install                        # Apply configuration
-```
-
-**Home Manager:**
-```bash
-just home
-```
-
-### Deploy to Remote Machines (deploy-rs)
 
 ```bash
 deploy -s .#ryu      # Desktop (x86_64-linux)
@@ -35,6 +15,23 @@ deploy -s .#kuro     # MacBook M4 Pro (aarch64-darwin)
 deploy -s .#shiro    # Mac Mini M4 (aarch64-darwin)
 ```
 
+**Linux (NixOS):**
+```bash
+deploy -s .#ryu 
+deploy -s .#tako
+deploy -s .#tako --builders '' --cores 32 # with no other builders and 32 cores
+deploy -s .#ryu --max-jobs 4 --cores 32 # use 32 cores and 4 parallel derivations
+sudo nixos-rebuild test --fast --flake .  # Test without activation
+sudo nixos-rebuild switch --rollback --flake .  # Rollback
+```
+
+**macOS (nix-darwin):**
+```bash
+deploy -s .#kuro
+deploy -s .#shiro
+sudo nix-darwin test --fast --flake .
+```
+
 ### Validation and Formatting
 
 ```bash
@@ -164,7 +161,7 @@ just add program myprogram  # Creates home/programs/myprogram.nix and adds impor
 
 ### Adding a new dns entry
 ```bash
-cfcli add --type A foobar.bazbar.biz 192.168.0.1
+cfcli add --type A foobar.bazbar.biz 100.102.64.19
 ```
 
 ### Creating a Module

home/apps/zen.nix

@@ -9,7 +9,7 @@
     inputs.zen-browser.homeModules.beta
   ];
   programs.zen-browser = {
-    enable = device.isLinux;
+    enable = true;
     profiles.default = {
       containersForce = true;
       containers = {

nixos/tako/services/default.nix

@@ -21,9 +21,9 @@
     # ./headscale.nix
     ./immich.nix
     ./kellnr.nix
-    # ./llms.nix
+    ./llms.nix
     ./matrix
-    # ./monitoring.nix
+    ./monitoring.nix
     # ./paperless.nix
     ./prowlarr.nix
     # ./searxng.nix

nixos/tako/services/homepage.nix

@@ -198,19 +198,19 @@
         reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort}
       '';
     };
-    # authelia = {
+    authelia = {
-    #   instances.darksailor = {
+      instances.darksailor = {
-    #     settings = {
+        settings = {
-    #       access_control = {
+          access_control = {
-    #         rules = [
+            rules = [
-    #           {
+              {
-    #             domain = "dashboard.darksailor.dev";
+                domain = "dashboard.darksailor.dev";
-    #             policy = "one_factor";
+                policy = "one_factor";
-    #           }
+              }
-    #         ];
+            ];
-    #       };
+          };
-    #     };
+        };
-    #   };
+      };
-    # };
+    };
   };
 }

nixos/tako/services/matrix/tuwunel.nix

@@ -8,19 +8,16 @@
   client_id = "tuwunel";
   rtc_domain = "matrix-rtc.${base_domain}";
   jwt_port = 8081;
-  elementConfig = builtins.toJSON {
+  cinnyConfig = builtins.toJSON {
-    default_server_config = {
+    defaultHomeserver = 0;
-      "m.homeserver" = {
+    homeserverList = ["darksailor.dev" "matrix.org"];
-        base_url = "https://matrix.${base_domain}";
+    allowCustomHomeservers = false;
+    hashRouter = {
+      enabled = true;
+      basename = "/";
     };
   };
-    sso_redirect_options = {
+  cinnyConfigFile = pkgs.writeText "cinny-config.json" cinnyConfig;
-      immediate = false;
-      on_welcome_page = true;
-      on_login_page = true;
-    };
-  };
-  elementConfigFile = pkgs.writeText "element-config.json" elementConfig;
 in {
   sops = {
     secrets."tuwunel/client_id" = {
@@ -75,13 +72,18 @@ in {
   };
   services.caddy.virtualHosts = {
     "matrix.${base_domain}".extraConfig = ''
+      handle /_matrix/* {
         reverse_proxy /_matrix/* localhost:${toString port}
+      }
       handle_path /config.json  {
         file_server
-        root ${elementConfigFile}
+        root ${cinnyConfigFile}
       }
-      root * ${pkgs.element-web}
+      handle {
+          root * ${pkgs.cinny}
+          try_files {path} /index.html
           file_server
+      }
     '';
     "${base_domain}".extraConfig = ''
       reverse_proxy /.well-known/* localhost:${toString port}

nixos/tako/services/monitoring.nix

@@ -23,6 +23,9 @@
     caddy = 2019;
   };
 in {
+  sops.secrets."grafana/secret_key" = {
+    owner = "grafana";
+  };
   # Grafana configuration with Authelia integration
   services.grafana = {
     enable = true;
@@ -54,6 +57,7 @@ in {
       security = {
         disable_gravatar = true;
         cookie_secure = true;
+        secret_key = ''$__file{${config.sops.secrets."grafana/secret_key".path}}'';
       };
 
       analytics = {

secrets/secrets.yaml

@@ -79,7 +79,7 @@ minecraft:
     modded: ENC[AES256_GCM,data:6itrol9NObR3TczEeOa7wkykgqkpDus0VkHBRpU6VdQ=,iv:F56uYdHozJvkJ+m18aviTWzCrLfW2VcxkbOqpnRiniA=,tag:WLKA+uIJJtlDfMMOn0ak7Q==,type:str]
 grafana:
     adminPassword: ENC[AES256_GCM,data:im6FJVlVUoZg+9W6KmsqtloH4nB6AhXOcia5waRyFKj2DoQlt4jhPH1CFvw=,iv://D6aD/fGl7h4KmtQcQ0TQLWLfKdIs4+EMg2LWjPHvg=,tag:6gHu/V0V0a8GpcgA/hUwXg==,type:str]
-    secretKey: ENC[AES256_GCM,data:LD0x8Fa6SU1+6mwxLkKa/o+ZqeuRIr7o/AKS7EmrDYj0vzrA3/FjViVJNfkOJDch9TbVyjIpk2ZLwxHXOZx7MA==,iv:t6UwZj2JZpMIDsDDeJ4rZah4aBoMIKaoiu9VU2VhViE=,tag:MIz/b8JWYtOpUCcg6gYhJg==,type:str]
+    secret_key: ENC[AES256_GCM,data:QkNTWQyQGgD/zJ0C0nkqTuxJXCx/hqwFH1XrJEGcIB7U3PUNdMpvTYrazgGRUcfEUjMeCIbUgYcamrPJJgaBsA==,iv:RZa79OtDS74JErBk/j5wg/p02Rd4zCXLi4LQGffHLmU=,tag:sbsovzFXj3xmDIF+ACwPgQ==,type:str]
 discord:
     token: ENC[AES256_GCM,data:M6TayHpIa0J1w3zVRKPPU0P/f18UXOpxzU7fjKNCx8YxzSAaQfY52S5XpiqDgjPWfWdSxzG2VVDqu1708Vwofa8IRKwWafam,iv:x0ySoaS68aLRVUcQin096RoeQGRELvNwdFJxezPj/cA=,tag:Omv5uL97y7ZTI8juVJFNug==,type:str]
 lastfm:
@@ -119,7 +119,7 @@ sops:
             VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
             ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-19T21:23:49Z"
+    lastmodified: "2026-02-24T08:02:58Z"
-    mac: ENC[AES256_GCM,data:Pey0VPpH1lZazbAqHrrwuoEHZL2Pi7uMV/tR8aLGI958JHDxuHZK41YEOsMa+aiOtiJclgRvO8iOb0oDESsVO5hDTCou7/sJe2Epk62lEclTiho+QnjhnEmP2qYcuWfR1PVwk/n/wkPWm+rBsYGH7PpQZeYUznWQaHPZPFNnIPw=,iv:KTe0Quu/MJA17BivQDCTnBi5IAGtq6x0GKaqm4MuUUo=,tag:IPehj8blXzuEr0HN85y4eg==,type:str]
+    mac: ENC[AES256_GCM,data:JzKh6k1nzp2sTDXFG0/bJbBSksCri2WIcXU0C+cyCg6hHzQMsKc36xSRfyrytW8r6rCooJRlC46nPYvFH9JhG/1uIAx4QU/PAvgzEKvXOQi2xXULajpEeCAdmU8TERl3to9JCTAhCbV7oibzOalC6WbVOfhQvqBYWN2JamwCHwc=,iv:oMmpcadFUZT5mdMQ8BzGoKKdpV2PvtaoXhOsKSYUGII=,tag:cdBim93M98OcSNZsmPQ57A==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0