From 1afac021e8f0cd9e251edd6dee5a7e99ba188c14 Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Mon, 20 Apr 2026 00:52:58 -0400
Subject: [PATCH 1/6] changed mcp endpoint

---
 system/machines/server/modules/nginx/default.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index 3f4b0f2..8b3b97d 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -137,8 +137,13 @@ in
 '';
 };
- # MCP servers (namespaced, for llama.cpp web UI + direct access)
- locations."/mcp/web_search/" = {
+ };
+
+ virtualHosts."mcp.${domain}" = {
+ useACMEHost = domain;
+ forceSSL = true;
+
+ locations."/web_search/" = {
 proxyPass = "http://192.168.0.23:8002/";
 proxyWebsockets = true;
 extraConfig = ''

From f42ec1f725d1f85833925bac30c8b7752947b423 Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Mon, 20 Apr 2026 00:58:57 -0400
Subject: [PATCH 2/6] removed useless dev module from server

---
 system/machines/server/modules/home-manager/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/system/machines/server/modules/home-manager/default.nix b/system/machines/server/modules/home-manager/default.nix
index c3a558b..b9c7fc3 100644
--- a/system/machines/server/modules/home-manager/default.nix
+++ b/system/machines/server/modules/home-manager/default.nix
@@ -17,7 +17,6 @@
 neovim.enable = false;
 vim.enable = true;
 tmux.enable = false;
- utils.dev.enable = true;
 };
 };
 }

From 89768a9e0bf8e6a929e9e99a1af3de5e45793777 Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Mon, 20 Apr 2026 01:13:36 -0400
Subject: [PATCH 3/6] cors

---
 .../machines/server/modules/nginx/default.nix | 25 +++++++++++++++++++
 system/machines/server/system.nix | 2 +-
 2 files changed, 26 insertions(+), 1 deletion(-)

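Review bot: `useACMEHost = domain` makes the new `mcp.${domain}` virtual host present the certificate issued for the bare domain, so the name only validates if that certificate already carries a wildcard or a SAN for the `mcp` label; nothing in this hunk shows that, so it is worth confirming before the web UI is pointed at the new host. Moving the location to its own origin also turns the browser-side calls from the web UI into cross-origin requests, which this hunk does not account for. The removed comment was the only place that recorded who consumes the location; carrying it over as `# MCP servers, served from their own origin for the llama.cpp web UI and direct access` keeps that intent visible. The closing `};` of the new virtual host lies outside the hunk.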
diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index 8b3b97d..33427e7 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -78,6 +78,14 @@ in
 recommendedGzipSettings = true;
 eventsConfig = "worker_connections 4096;";
+ # CORS origin allowlist for MCP servers
+ commonHttpConfig = ''
+ map $http_origin $mcp_cors_origin {
+ default "";
+ "https://ai.${domain}" "https://ai.${domain}";
+ }
+ '';
+
 # Catch-all default - friendly error for unknown subdomains
 virtualHosts."_" = {
 default = true;
@@ -148,6 +156,23 @@ in
 proxyWebsockets = true;
 extraConfig = ''
 include ${config.sops.templates."nginx-mcp-auth.conf".path};
+
+ # CORS — $mcp_cors_origin is set by the http-level map
+ # and is empty for disallowed origins
+ if ($request_method = OPTIONS) {
+ add_header Access-Control-Allow-Origin $mcp_cors_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+ add_header Access-Control-Max-Age 86400 always;
+ return 204;
+ }
+
+ add_header Access-Control-Allow-Origin $mcp_cors_origin always;
+ add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
+ add_header Access-Control-Allow-Credentials "true" always;
+
 proxy_read_timeout 300s;
 proxy_send_timeout 300s;
 '';
diff --git a/system/machines/server/system.nix b/system/machines/server/system.nix
index 43b75f6..1ceac33 100644
--- a/system/machines/server/system.nix
+++ b/system/machines/server/system.nix
@@ -40,7 +40,7 @@
 nginx = {
 enable = true;
 };
- sandpack.enable = true;
+ sandpack.enable = false;
 forgejo.enable = true;
 frigate.enable = true;
 immich.enable = true;

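Review bot: The preflight branch sits after `include ${config.sops.templates."nginx-mcp-auth.conf".path};`, and a browser preflight carries neither `Authorization` nor `X-API-Key`; if that included snippet rejects unauthenticated requests, OPTIONS never reaches `return 204;` and every cross-origin call from the UI fails at the preflight stage (the snippet's content is not visible here, so this is inferred). Moving the `if ($request_method = OPTIONS) { … }` block above the include, or exempting OPTIONS inside the snippet, keeps the auth check on the real request only. Because `Access-Control-Allow-Origin` now varies with the request's `Origin`, both branches should also emit `add_header Vary Origin always;` so a shared or browser cache never replays one origin's grant to another. Declaring `add_header` in this location also stops any server- or http-level `add_header` directives from being inherited here, which is worth a comment if security headers are set at those levels.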
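Review bot: `sandpack.enable = false;` is unrelated to the CORS work this commit is titled for, and the subject line `cors` gives no reason for turning the service off. A separate commit, or at least a sentence in the message, keeps the change discoverable when bisecting.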
From 2805b2aa2d01a121878d960643ede757beb8b440 Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Mon, 20 Apr 2026 01:21:19 -0400
Subject: [PATCH 4/6] back

---
 .../machines/server/modules/nginx/default.nix | 33 ++-----------------
 1 file changed, 2 insertions(+), 31 deletions(-)

diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index 33427e7..d7aa376 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -78,13 +78,6 @@ in
 recommendedGzipSettings = true;
 eventsConfig = "worker_connections 4096;";
- # CORS origin allowlist for MCP servers
- commonHttpConfig = ''
- map $http_origin $mcp_cors_origin {
- default "";
- "https://ai.${domain}" "https://ai.${domain}";
- }
- '';
 # Catch-all default - friendly error for unknown subdomains
 virtualHosts."_" = {
@@ -145,34 +138,12 @@ in
 '';
 };
- };
-
- virtualHosts."mcp.${domain}" = {
- useACMEHost = domain;
- forceSSL = true;
-
- locations."/web_search/" = {
+ # MCP servers (same-origin with the web UI to avoid CORS)
+ locations."/mcp/web_search/" = {
 proxyPass = "http://192.168.0.23:8002/";
 proxyWebsockets = true;
 extraConfig = ''
 include ${config.sops.templates."nginx-mcp-auth.conf".path};
-
- # CORS — $mcp_cors_origin is set by the http-level map
- # and is empty for disallowed origins
- if ($request_method = OPTIONS) {
- add_header Access-Control-Allow-Origin $mcp_cors_origin always;
- add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
- add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
- add_header Access-Control-Allow-Credentials "true" always;
- add_header Access-Control-Max-Age 86400 always;
- return 204;
- }
-
- add_header Access-Control-Allow-Origin $mcp_cors_origin always;
- add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
- add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-API-Key" always;
- add_header Access-Control-Allow-Credentials "true" always;
-
 proxy_read_timeout 300s;
 proxy_send_timeout 300s;
 '';

From 20b39d2cd86314045689e6bc52f7d91c0c07c54d Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Mon, 20 Apr 2026 01:23:25 -0400
Subject: [PATCH 5/6] -

---
 system/machines/server/modules/nginx/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index d7aa376..e1487dc 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -139,8 +139,8 @@ in
 };
 # MCP servers (same-origin with the web UI to avoid CORS)
- locations."/mcp/web_search/" = {
- proxyPass = "http://192.168.0.23:8002/";
+ locations."/mcp/web-search" = {
+ proxyPass = "http://192.168.0.23:8002";
 proxyWebsockets = true;
 extraConfig = ''
 include ${config.sops.templates."nginx-mcp-auth.conf".path};

From 60e173662bc01258bdba3462c5f6bf8ca5f9144b Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Mon, 20 Apr 2026 01:27:03 -0400
Subject: [PATCH 6/6] n

---
 system/machines/server/modules/nginx/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index e1487dc..d2aa7f3 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -139,8 +139,8 @@ in
 };
 # MCP servers (same-origin with the web UI to avoid CORS)
- locations."/mcp/web-search" = {
- proxyPass = "http://192.168.0.23:8002";
+ locations."= /mcp/web-search" = {
+ proxyPass = "http://192.168.0.23:8002/mcp";
 proxyWebsockets = true;
 extraConfig = ''
 include ${config.sops.templates."nginx-mcp-auth.conf".path};
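Review bot: `locations."= /mcp/web-search"` is an exact match, so only that precise URI is proxied; `/mcp/web-search/`, any sub-path and anything else under `/mcp/` now fall through to the virtual host's other locations (presumably the web UI's own handler), which is correct only if the backend exposes a single endpoint at `/mcp`. With `proxyPass = "http://192.168.0.23:8002/mcp"` the matched URI is replaced by `/mcp` and the query string is kept, which is what an exact-match location needs, but nothing says so; a comment such as `# exact match: the backend serves one endpoint at /mcp, sub-paths are intentionally not proxied` would save the next reader from re-deriving it. The subject lines `n` here and `-` on the preceding patch record none of this; a message naming the path change would help later bisects. The enclosing `locations` attribute set continues outside the hunk.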