Deps

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1772198003,
+        "lastModified": 1772624091,
-        "narHash": "sha256-I45esRSssFtJ8p/gLHUZ1OUaaTaVLluNkABkk6arQwE=",
+        "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "dd9b079222d43e1943b6ebd802f04fd959dc8e61",
+        "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
         "type": "github"
       },
       "original": {

modules/nginx.nix

@@ -35,9 +35,6 @@ let
     locations."/" = {
       proxyPass = "http://${upstream}:${toString port}";
       proxyWebsockets = true;
-      # NOTE: `if` inside a location block is unsafe in general (nginx docs warn
-      # against it), but is safe here because the only statement is `return`.
-      # Do NOT add any other directives inside this if block.
       extraConfig = "if ($fuckai) { return 444; }";
     };
   };
@@ -150,8 +147,6 @@ in
         forceSSL = true;
         locations."/" = {
           proxyPass = "http://${upstream}:3000";
-          # NOTE: `if` is safe here because the only statement is `return`.
-          # Do NOT add other directives inside this if block.
           extraConfig = "if ($fuckai) { return 444; }";
         };
         locations."= /.well-known/matrix/server" = {
@@ -227,8 +222,7 @@ in
             client_max_body_size 100M;
           '';
         };
-        # Only forward the three known lk-jwt-service endpoints; reject everything
+
-        # else (including path traversal sequences) with 404.
         locations."^~ /livekit/jwt/" = {
           priority = 400;
           extraConfig = ''