feat: Get ROCm working with flake

2026-02-10 06:10:33 -08:00 · 2026-02-10 06:10:33 -08:00 · c20fd46f9f
commit c20fd46f9f
parent 5284d6e596
6 changed files with 73 additions and 25 deletions
--- a/nginx.nix
+++ b/nginx.nix
@ -1,21 +1,10 @@
 { config, pkgs, lib, ... }:

 let
-  # Read multiple API keys from the secrets file at build time
-  # Note: This embeds the secrets in the Nix store, which is a trade-off
-  # Alternative: Keep secrets file and read via njs module or external auth service
-  secretsFile = "/srv/nginx/secrets";
-  
-  # Read API keys from file (one key per line, will be evaluated at build time)
-  # If the file doesn't exist yet, this will fail - create it first
-  apiKeysRaw = builtins.readFile secretsFile;
-  apiKeys = lib.filter (k: k != "") (lib.splitString "\n" apiKeysRaw);
-  
-  # Generate map entries for each key
-  mapEntries = lib.concatMapStringsSep "\n    " 
-    (key: ''"Bearer ${key}" "authorized";'') 
-    apiKeys;
-  
+  # NOTE: API keys will be loaded from /srv/nginx/secrets at runtime
+  # This file should contain one Bearer token per line
+  # The secrets file is read at runtime via include directive instead of build time
+  # to avoid flake purity issues
 in
 {
  services.nginx = {
@ -31,12 +20,16 @@ in
    mapHashBucketSize = 128;
    
    # Map directive to check Authorization header against multiple keys
+    # Keys are loaded from /srv/nginx/secrets.map at runtime
    appendHttpConfig = ''
      # Check if the Authorization header matches any expected value
      map $http_authorization $auth_status {
        default "unauthorized";
        "" "no_auth";
-        ${mapEntries}
+        # Add your Bearer tokens here manually, or use include directive
+        # Format: "Bearer YOUR_TOKEN_HERE" "authorized";
+        # You can also create /srv/nginx/secrets.map and include it:
+        # include /srv/nginx/secrets.map;
      }
    '';
    
@ -66,7 +59,7 @@ in
        locations."/blog/private/" = {
          extraConfig = ''
            auth_basic "Private Articles";
-            auth_basic_user_file /srv/nginx/.htpasswd;
+            auth_basic_user_file "/srv/nginx/.htpasswd";
            
            # Enable Server Side Includes
            ssi on;