feat: add nix-secrets input and enable upstream proxy

flake.lock

@@ -343,6 +343,26 @@
         "type": "github"
       }
     },
+    "nix-secrets": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1738161919,
+        "narHash": "sha256-EKyY5XwFmgkEYElZEpNGEl6UsJO4jYvqtzZYtQPvD18=",
+        "owner": "tuxdotrs",
+        "repo": "nix-secrets",
+        "rev": "5f6314b52859812eb877b54ddf158098cf21c8c0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tuxdotrs",
+        "repo": "nix-secrets",
+        "type": "github"
+      }
+    },
     "nix-vscode-extensions": {
       "inputs": {
         "flake-compat": "flake-compat_3",
@@ -662,6 +682,7 @@
         "ghostty": "ghostty",
         "home-manager": "home-manager",
         "impermanence": "impermanence",
+        "nix-secrets": "nix-secrets",
         "nix-vscode-extensions": "nix-vscode-extensions",
         "nixos-hardware": "nixos-hardware",
         "nixos-wsl": "nixos-wsl",

flake.nix

@@ -86,6 +86,10 @@
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nix-secrets = {
+      url = "github:tuxdotrs/nix-secrets";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     ghostty.url = "github:ghostty-org/ghostty";
     nixos-hardware.url = "github:nixos/nixos-hardware";
     nixpkgs-f2k.url = "github:moni-dz/nixpkgs-f2k";

hosts/alpha/default.nix

@@ -3,12 +3,14 @@
   username,
   config,
   email,
+  inputs,
   ...
 }: {
   imports = [
     ./hardware.nix
     ../common
     ../../modules/nixos/uptime-kuma.nix
+    ../../modules/nixos/upstream-proxy.nix
   ];
 
   sops.secrets = {
@@ -64,6 +66,11 @@
 
   users.users.nginx.extraGroups = ["acme"];
 
+  tux.services.nginxStreamProxy = {
+    enable = true;
+    upstreamServers = inputs.nix-secrets.proxy-servers;
+  };
+
   services = {
     nginx = {
       recommendedGzipSettings = true;