flake: bump

flake.lock

@@ -146,11 +146,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729260213,
-        "narHash": "sha256-jAvHoU/1y/yCuXzr2fNF+q6uKmr8Jj2xgAisK4QB9to=",
+        "lastModified": 1729321331,
+        "narHash": "sha256-KVyQq+ez/oB30/WbdNgVD8g/bda34z8NiU187QKQb74=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "09a0c0c02953318bf94425738c7061ffdc4cba75",
+        "rev": "122f70545b29ccb922e655b08acfe05bfb44ec68",
         "type": "github"
       },
       "original": {
@@ -175,11 +175,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1729316020,
-        "narHash": "sha256-ujO/zbXqnZ6xR1Pl7zW0f4pGA3Q9mARpCTRxoGkn9E8=",
-        "rev": "c67ad664ffacf614ba6716bab41ac2f18b0e880e",
+        "lastModified": 1729329289,
+        "narHash": "sha256-49QKrohNJzmrLBjI9yqy/z8qdntfwrwqqb2EhQbrvKc=",
+        "rev": "51621426b862bced548fe9f88a5a36d02fd4b551",
         "type": "tarball",
-        "url": "https://git.ny4.dev/api/v1/repos/nyancat/ip-checker/archive/c67ad664ffacf614ba6716bab41ac2f18b0e880e.tar.gz"
+        "url": "https://git.ny4.dev/api/v1/repos/nyancat/ip-checker/archive/51621426b862bced548fe9f88a5a36d02fd4b551.tar.gz"
       },
       "original": {
         "type": "tarball",

hosts/aws/tyo0/default.nix

@@ -59,6 +59,36 @@
   services.caddy.enable = true;
   services.caddy.settings.apps.http.servers.srv0 = {
     listen = [ ":443" ];
+    trusted_proxies = {
+      # https://www.cloudflare.com/ips/
+      ranges = [
+        "173.245.48.0/20"
+        "103.21.244.0/22"
+        "103.22.200.0/22"
+        "103.31.4.0/22"
+        "141.101.64.0/18"
+        "108.162.192.0/18"
+        "190.93.240.0/20"
+        "188.114.96.0/20"
+        "197.234.240.0/22"
+        "198.41.128.0/17"
+        "162.158.0.0/15"
+        "104.16.0.0/13"
+        "104.24.0.0/14"
+        "172.64.0.0/13"
+        "131.0.72.0/22"
+
+        "2400:cb00::/32"
+        "2606:4700::/32"
+        "2803:f800::/32"
+        "2405:b500::/32"
+        "2405:8100::/32"
+        "2a06:98c0::/29"
+        "2c0f:f248::/32"
+      ];
+      source = "static";
+    };
+    trusted_proxies_strict = 1;
   };
 
   systemd.services."caddy".serviceConfig.SupplementaryGroups = [

hosts/vultr/sin0/anti-feature.nix

@@ -13,7 +13,11 @@
       ];
 
     allowUnfree = false;
-    allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [ ];
+    allowUnfreePredicate =
+      pkg:
+      lib.elem (lib.getName pkg) [
+        "clash-geoip"
+      ];
 
     permittedInsecurePackages = [ ];
   };

hosts/vultr/sin0/default.nix

@@ -27,5 +27,35 @@
   services.caddy.enable = true;
   services.caddy.settings.apps.http.servers.srv0 = {
     listen = [ ":443" ];
+    trusted_proxies = {
+      # https://www.cloudflare.com/ips/
+      ranges = [
+        "173.245.48.0/20"
+        "103.21.244.0/22"
+        "103.22.200.0/22"
+        "103.31.4.0/22"
+        "141.101.64.0/18"
+        "108.162.192.0/18"
+        "190.93.240.0/20"
+        "188.114.96.0/20"
+        "197.234.240.0/22"
+        "198.41.128.0/17"
+        "162.158.0.0/15"
+        "104.16.0.0/13"
+        "104.24.0.0/14"
+        "172.64.0.0/13"
+        "131.0.72.0/22"
+
+        "2400:cb00::/32"
+        "2606:4700::/32"
+        "2803:f800::/32"
+        "2405:b500::/32"
+        "2405:8100::/32"
+        "2a06:98c0::/29"
+        "2c0f:f248::/32"
+      ];
+      source = "static";
+    };
+    trusted_proxies_strict = 1;
   };
 }

hosts/vultr/sin0/services/ip-checker.nix

@@ -11,7 +11,10 @@ in
 {
   systemd.services."ip-checker" = {
     wantedBy = [ "multi-user.target" ];
-    environment.IP_CHECKER_LISTEN = "127.0.0.1:${toString port}";
+    environment = {
+      IP_CHECKER_LISTEN = "127.0.0.1:${toString port}";
+      IP_CHECKER_COUNTRY_DB = "${pkgs.clash-geoip}/etc/clash/Country.mmdb";
+    };
     serviceConfig = {
       ExecStart = lib.getExe inputs.ip-checker.packages.${pkgs.stdenv.hostPlatform.system}.default;
       WorkingDirectory = inputs.ip-checker;