authorXe Iaso <me@christine.website>2022-12-30 10:09:08 -0500
committerXe Iaso <me@christine.website>2022-12-30 10:09:27 -0500
commit6171b772aab6db249f26ed80d8ea21386642cb73 (patch)
tree3e76c3b08adabf0d8460071dc59278c0ea6fb41c
parent7b1e0e83b06abb8908ca7800525ec098ea85f1df (diff)
add xesite NixOS module
Signed-off-by: Xe Iaso <me@christine.website>
-rw-r--r--flake.nix150
-rw-r--r--nix/dhall-yaml.nix5
-rw-r--r--nix/rust.nix10
-rw-r--r--nix/sources.json69
-rw-r--r--nix/sources.nix171
-rw-r--r--xesite.nix153
6 files changed, 172 insertions, 386 deletions
diff --git a/flake.nix b/flake.nix
index 3894bb5..f7d2a3f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -88,25 +88,22 @@
};
frontend = let
- build = { entrypoint, name ? entrypoint, minify ? true }: pkgs.deno2nix.mkBundled {
- pname = "xesite-frontend-${name}";
- inherit (bin) version;
-
- src = ./src/frontend;
- lockfile = ./src/frontend/deno.lock;
-
- output = "${entrypoint}.js";
- outPath = "static/js";
- entrypoint = "./${entrypoint}.tsx";
- importMap = "./import_map.json";
- inherit minify;
- };
- share-button = build {
- entrypoint = "mastodon_share_button";
- };
- wasiterm = build {
- entrypoint = "wasiterm";
- };
+ build = { entrypoint, name ? entrypoint, minify ? true }:
+ pkgs.deno2nix.mkBundled {
+ pname = "xesite-frontend-${name}";
+ inherit (bin) version;
+
+ src = ./src/frontend;
+ lockfile = ./src/frontend/deno.lock;
+
+ output = "${entrypoint}.js";
+ outPath = "static/js";
+ entrypoint = "./${entrypoint}.tsx";
+ importMap = "./import_map.json";
+ inherit minify;
+ };
+ share-button = build { entrypoint = "mastodon_share_button"; };
+ wasiterm = build { entrypoint = "wasiterm"; };
in pkgs.symlinkJoin {
name = "xesite-frontend-${bin.version}";
paths = [ share-button wasiterm ];
@@ -197,116 +194,7 @@
GITHUB_SHA = "devel";
DHALL_PRELUDE = "${pkgs.dhallPackages.Prelude}";
};
-
- nixosModules.bot = { config, lib, ... }:
- with lib;
- let cfg = config.xeserv.services.xesite;
- in {
- options.within.services.xesite = {
- enable = mkEnableOption "Activates my personal website";
- useACME = mkEnableOption "Enables ACME for cert stuff";
-
- port = mkOption {
- type = types.port;
- default = 32837;
- example = 9001;
- description =
- "The port number xesite should listen on for HTTP traffic";
- };
-
- domain = mkOption {
- type = types.str;
- default = "xesite.akua";
- example = "xeiaso.net";
- description =
- "The domain name that nginx should check against for HTTP hostnames";
- };
-
- sockPath = mkOption rec {
- type = types.str;
- default = "/srv/within/run/xesite.sock";
- example = default;
- description =
- "The unix domain socket that xesite should listen on";
- };
- };
-
- config = mkIf cfg.enable {
- users.users.xesite = {
- createHome = true;
- description = "github.com/Xe/site";
- isSystemUser = true;
- group = "within";
- home = "/srv/within/xesite";
- extraGroups = [ "keys" ];
- };
-
- systemd.services.xesite = {
- wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- User = "xesite";
- Group = "within";
- Restart = "on-failure";
- WorkingDirectory = "/srv/within/xesite";
- RestartSec = "30s";
- Type = "notify";
-
- # Security
- CapabilityBoundingSet = "";
- DeviceAllow = [ ];
- NoNewPrivileges = "true";
- ProtectControlGroups = "true";
- ProtectClock = "true";
- PrivateDevices = "true";
- PrivateUsers = "true";
- ProtectHome = "true";
- ProtectHostname = "true";
- ProtectKernelLogs = "true";
- ProtectKernelModules = "true";
- ProtectKernelTunables = "true";
- ProtectSystem = "true";
- ProtectProc = "invisible";
- RemoveIPC = "true";
- RestrictSUIDSGID = "true";
- RestrictRealtime = "true";
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "~@reboot"
- "~@module"
- "~@mount"
- "~@swap"
- "~@resources"
- "~@cpu-emulation"
- "~@obsolete"
- "~@debug"
- "~@privileged"
- ];
- UMask = "007";
- };
-
- script = let site = packages.default;
- in ''
- export SOCKPATH=${cfg.sockPath}
- export DOMAIN=${toString cfg.domain}
- cd ${site}
- exec ${site}/bin/xesite
- '';
- };
-
- services.nginx.virtualHosts."xesite" = {
- serverName = "${cfg.domain}";
- locations."/" = {
- proxyPass = "http://unix:${toString cfg.sockPath}";
- proxyWebsockets = true;
- };
- forceSSL = cfg.useACME;
- useACMEHost = "xeiaso.net";
- extraConfig = ''
- access_log /var/log/nginx/xesite.access.log;
- '';
- };
- };
- };
- });
+ }) // {
+ nixosModules.default = import ./nix/xesite.nix self;
+ };
}
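Review bot: `nixosModules.default = import ./nix/xesite.nix self;` points at `nix/xesite.nix`, but this commit adds the module as `xesite.nix` at the repository root (the diffstat and the `+++ b/xesite.nix` header both say so) and deletes the remaining files under `nix/`, so the path cannot resolve and any flake consumer of `nixosModules.default` will fail at evaluation. Either `nixosModules.default = import ./xesite.nix self;` or moving the new file under `nix/` fixes it; the former matches what the commit actually ships. The `}) // {` on the line above merges the module into a value whose opening parenthesis lies before this hunk, so the enclosing `outputs` expression starts outside the hunk and I cannot see what the per-system set being merged with is; a one-line comment such as `# system-independent outputs, merged with the per-system set above` would help, since the closing `})` otherwise reads like the end of the flake.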
diff --git a/nix/dhall-yaml.nix b/nix/dhall-yaml.nix
deleted file mode 100644
index ddb8c3d..0000000
--- a/nix/dhall-yaml.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-let
- sources = import ./sources.nix;
- pkgs = import sources.nixpkgs { };
- dhall = import sources.easy-dhall-nix { inherit pkgs; };
-in dhall.dhall-yaml-simple
diff --git a/nix/rust.nix b/nix/rust.nix
deleted file mode 100644
index 02512df..0000000
--- a/nix/rust.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ sources ? import ./sources.nix }:
-
-let
- pkgs =
- import sources.nixpkgs { overlays = [ (import sources.nixpkgs-mozilla) ]; };
- channel = "nightly";
- date = "2022-08-08";
- targets = [ ];
- chan = pkgs.rustChannelOfTargets channel date targets;
-in chan
diff --git a/nix/sources.json b/nix/sources.json
deleted file mode 100644
index 67003df..0000000
--- a/nix/sources.json
+++ /dev/null
@@ -1,69 +0,0 @@
-{
- "easy-dhall-nix": {
- "branch": "master",
- "description": "Derivations for easily downloading Dhall binaries and putting them to use.",
- "homepage": "",
- "owner": "justinwoo",
- "repo": "easy-dhall-nix",
- "rev": "dce9acbb99776a7f1344db4751d6080380f76f57",
- "sha256": "0ckp6515gfvbxm08yyll87d9vg8sq2l21gwav2npzvwc3xz2lccf",
- "type": "tarball",
- "url": "https://github.com/justinwoo/easy-dhall-nix/archive/dce9acbb99776a7f1344db4751d6080380f76f57.tar.gz",
- "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
- },
- "naersk": {
- "branch": "master",
- "description": "Build rust crates in Nix. No configuration, no code generation, no IFD. Sandbox friendly.",
- "homepage": "",
- "owner": "nmattia",
- "repo": "naersk",
- "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3",
- "sha256": "01i282zrx651mpvnmlgk4fgwg56nbr1yljpzcj5irqxf18cqx3gn",
- "type": "tarball",
- "url": "https://github.com/nmattia/naersk/archive/6944160c19cb591eb85bbf9b2f2768a935623ed3.tar.gz",
- "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
- },
- "niv": {
- "branch": "master",
- "description": "Easy dependency management for Nix projects",
- "homepage": "https://github.com/nmattia/niv",
- "owner": "nmattia",
- "repo": "niv",
- "rev": "351d8bc316bf901a81885bab5f52687ec8ccab6e",
- "sha256": "1yzhz7ihkh6p2sxhp3amqfbmm2yqzaadqqii1xijymvl8alw5rrr",
- "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/351d8bc316bf901a81885bab5f52687ec8ccab6e.tar.gz",
- "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
- },
- "nixpkgs": {
- "branch": "nixpkgs-unstable",
- "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
- "homepage": "https://github.com/NixOS/nixpkgs",
- "owner": "NixOS",
- "repo": "nixpkgs-channels",
- "rev": "502845c3e31ef3de0e424f3fcb09217df2ce6df6",
- "sha256": "0fcqpsy6y7dgn0y0wgpa56gsg0b0p8avlpjrd79fp4mp9bl18nda",
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs-channels/archive/502845c3e31ef3de0e424f3fcb09217df2ce6df6.tar.gz",
- "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
- },
- "nixpkgs-mozilla": {
- "branch": "master",
- "description": "mozilla related nixpkgs (extends nixos/nixpkgs repo)",
- "homepage": null,
- "owner": "mozilla",
- "repo": "nixpkgs-mozilla",
- "rev": "80627b282705101e7b38e19ca6e8df105031b072",
- "sha256": "11g9lppm53f5aq7a0fnwh5hivdhn2p1wmhwgmz1052x10hfqjrah",
- "type": "tarball",
- "url": "https://github.com/mozilla/nixpkgs-mozilla/archive/80627b282705101e7b38e19ca6e8df105031b072.tar.gz",
- "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
- },
- "xepkgs": {
- "branch": "master",
- "ref": "master",
- "repo": "https://tulpa.dev/Xe/nixpkgs",
- "rev": "5621d41482bca79d05c97758bb86eeb9099e26c9",
- "type": "git"
- }
-}
diff --git a/nix/sources.nix b/nix/sources.nix
deleted file mode 100644
index b796fff..0000000
--- a/nix/sources.nix
+++ /dev/null
@@ -1,171 +0,0 @@
-# This file has been generated by Niv.
-
-let
-
- #
- # The fetchers. fetch_<type> fetches specs of type <type>.
- #
-
- fetch_file = pkgs: name: spec:
- let
- name' = sanitizeName name + "-src";
- in
- if spec.builtin or true then
- builtins_fetchurl { inherit (spec) url sha256; name = name'; }
- else
- pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
-
- fetch_tarball = pkgs: name: spec:
- let
- name' = sanitizeName name + "-src";
- in
- if spec.builtin or true then
- builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
- else
- pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
-
- fetch_git = name: spec:
- let
- ref =
- if spec ? ref then spec.ref else
- if spec ? branch then "refs/heads/${spec.branch}" else
- if spec ? tag then "refs/tags/${spec.tag}" else
- abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
- in
- builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
-
- fetch_local = spec: spec.path;
-
- fetch_builtin-tarball = name: throw
- ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
- $ niv modify ${name} -a type=tarball -a builtin=true'';
-
- fetch_builtin-url = name: throw
- ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
- $ niv modify ${name} -a type=file -a builtin=true'';
-
- #
- # Various helpers
- #
-
- # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
- sanitizeName = name:
- (
- concatMapStrings (s: if builtins.isList s then "-" else s)
- (
- builtins.split "[^[:alnum:]+._?=-]+"
- ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
- )
- );
-
- # The set of packages used when specs are fetched using non-builtins.
- mkPkgs = sources: system:
- let
- sourcesNixpkgs =
- import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
- hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
- hasThisAsNixpkgsPath = <nixpkgs> == ./.;
- in
- if builtins.hasAttr "nixpkgs" sources
- then sourcesNixpkgs
- else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
- import <nixpkgs> {}
- else
- abort
- ''
- Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
- add a package called "nixpkgs" to your sources.json.
- '';
-
- # The actual fetching function.
- fetch = pkgs: name: spec:
-
- if ! builtins.hasAttr "type" spec then
- abort "ERROR: niv spec ${name} does not have a 'type' attribute"
- else if spec.type == "file" then fetch_file pkgs name spec
- else if spec.type == "tarball" then fetch_tarball pkgs name spec
- else if spec.type == "git" then fetch_git name spec
- else if spec.type == "local" then fetch_local spec
- else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
- else if spec.type == "builtin-url" then fetch_builtin-url name
- else
- abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
-
- # If the environment variable NIV_OVERRIDE_${name} is set, then use
- # the path directly as opposed to the fetched source.
- replace = name: drv:
- let
- saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
- ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
- in
- if ersatz == "" then drv else ersatz;
-
- # Ports of functions for older nix versions
-
- # a Nix version of mapAttrs if the built-in doesn't exist
- mapAttrs = builtins.mapAttrs or (
- f: set: with builtins;
- listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
- );
-
- # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
- range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
-
- # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
- stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
-
- # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
- stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
- concatMapStrings = f: list: concatStrings (map f list);
- concatStrings = builtins.concatStringsSep "";
-
- # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
- optionalAttrs = cond: as: if cond then as else {};
-
- # fetchTarball version that is compatible between all the versions of Nix
- builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
- let
- inherit (builtins) lessThan nixVersion fetchTarball;
- in
- if lessThan nixVersion "1.12" then
- fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
- else
- fetchTarball attrs;
-
- # fetchurl version that is compatible between all the versions of Nix
- builtins_fetchurl = { url, name ? null, sha256 }@attrs:
- let
- inherit (builtins) lessThan nixVersion fetchurl;
- in
- if lessThan nixVersion "1.12" then
- fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
- else
- fetchurl attrs;
-
- # Create the final "sources" from the config
- mkSources = config:
- mapAttrs (
- name: spec:
- if builtins.hasAttr "outPath" spec
- then abort
- "The values in sources.json should not have an 'outPath' attribute"
- else
- spec // { outPath = replace name (fetch config.pkgs name spec); }
- ) config.sources;
-
- # The "config" used by the fetchers
- mkConfig =
- { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
- , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
- , system ? builtins.currentSystem
- , pkgs ? mkPkgs sources system
- }: rec {
- # The sources, i.e. the attribute set of spec name to spec
- inherit sources;
-
- # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
- inherit pkgs;
- };
-
-in
-mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
diff --git a/xesite.nix b/xesite.nix
new file mode 100644
index 0000000..a6d0156
--- /dev/null
+++ b/xesite.nix
@@ -0,0 +1,153 @@
+self:
+{ config, lib, ... }:
+with lib;
+let cfg = config.xeserv.services.xesite;
+in {
+ options.xeserv.services.xesite = {
+ enable = mkEnableOption "Activates my personal website";
+ useACME = mkEnableOption "Enables ACME for cert stuff";
+
+ port = mkOption {
+ type = types.port;
+ default = 32837;
+ example = 9001;
+ description = "The port number xesite should listen on for HTTP traffic";
+ };
+
+ domain = mkOption {
+ type = types.str;
+ default = "${config.networking.hostName}.shark-harmonic.ts.net";
+ example = "xeiaso.net";
+ description =
+ "The domain name that nginx should check against for HTTP hostnames";
+ };
+
+ sockPath = mkOption rec {
+ type = types.str;
+ default = "/srv/within/run/xesite.sock";
+ example = default;
+ description = "The unix domain socket that xesite should listen on";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.xesite = {
+ createHome = true;
+ description = "github.com/Xe/site";
+ isSystemUser = true;
+ group = "within";
+ home = "/srv/within/xesite";
+ extraGroups = [ "keys" ];
+ };
+
+ systemd.services.xesite = {
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = "xesite";
+ Group = "within";
+ Restart = "on-failure";
+ WorkingDirectory = "/srv/within/xesite";
+ RestartSec = "30s";
+ Type = "notify";
+
+ # Security
+ CapabilityBoundingSet = "";
+ DeviceAllow = [ ];
+ NoNewPrivileges = "true";
+ ProtectControlGroups = "true";
+ ProtectClock = "true";
+ PrivateDevices = "true";
+ PrivateUsers = "true";
+ ProtectHome = "true";
+ ProtectHostname = "true";
+ ProtectKernelLogs = "true";
+ ProtectKernelModules = "true";
+ ProtectKernelTunables = "true";
+ ProtectSystem = "true";
+ ProtectProc = "invisible";
+ RemoveIPC = "true";
+ RestrictSUIDSGID = "true";
+ RestrictRealtime = "true";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "~@reboot"
+ "~@module"
+ "~@mount"
+ "~@swap"
+ "~@resources"
+ "~@cpu-emulation"
+ "~@obsolete"
+ "~@debug"
+ "~@privileged"
+ ];
+ UMask = "007";
+ };
+
+ script = let site = self.packages.${system}.default;
+ in ''
+ [ -f /srv/within/xesite/.env ] && export $(cat /srv/within/xesite/.env | xargs)
+ export SOCKPATH=${cfg.sockPath}
+ export DOMAIN=${toString cfg.domain}
+ cd ${site}
+ exec ${site}/bin/xesite
+ '';
+ };
+
+ services.nginx.virtualHosts."xelaso.net" = let
+ proxyOld = {
+ proxyPass = "http://unix:${toString cfg.sockPath}";
+ proxyWebsockets = true;
+ };
+ in {
+ locations."/jsonfeed" = proxyOld;
+ locations."/.within/health" = proxyOld;
+ locations."/.within/website.within.xesite/new_post" = proxyOld;
+ locations."/blog.rss" = proxyOld;
+ locations."/blog.atom" = proxyOld;
+ locations."/blog.json" = proxyOld;
+ locations."/".extraConfig = ''
+ return 301 https://xeiaso.net$request_uri;
+ '';
+ forceSSL = cfg.useACME;
+ useACMEHost = "xeiaso.net";
+ extraConfig = ''
+ access_log /var/log/nginx/xesite_old.access.log;
+ '';
+ };
+
+ services.nginx.virtualHosts."christine.website" = let
+ proxyOld = {
+ proxyPass = "http://unix:${toString cfg.sockPath}";
+ proxyWebsockets = true;
+ };
+ in {
+ locations."/jsonfeed" = proxyOld;
+ locations."/.within/health" = proxyOld;
+ locations."/.within/website.within.xesite/new_post" = proxyOld;
+ locations."/blog.rss" = proxyOld;
+ locations."/blog.atom" = proxyOld;
+ locations."/blog.json" = proxyOld;
+ locations."/".extraConfig = ''
+ return 301 https://xeiaso.net$request_uri;
+ '';
+ forceSSL = cfg.useACME;
+ useACMEHost = "christine.website";
+ extraConfig = ''
+ access_log /var/log/nginx/xesite_old.access.log;
+ '';
+ };
+
+ services.nginx.virtualHosts."xeiaso.net" = {
+ locations."/" = {
+ proxyPass = "http://unix:${toString cfg.sockPath}";
+ proxyWebsockets = true;
+ };
+ forceSSL = cfg.useACME;
+ useACMEHost = "xeiaso.net";
+ extraConfig = ''
+ access_log /var/log/nginx/xesite.access.log;
+ '';
+ };
+ };
+}
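Review bot: `self.packages.${system}.default` on the `script` line references `system`, which is neither in the module's argument list (`{ config, lib, ... }:`) nor defined anywhere in this file, so unless `with lib` happens to supply it the module fails to evaluate as soon as `cfg.enable` is set; taking `pkgs` as a module argument (`{ config, lib, pkgs, ... }:`) and using `self.packages.${pkgs.stdenv.hostPlatform.system}.default` pins it to the host the module is evaluated for. The `.env` load in the same script, `export $(cat /srv/within/xesite/.env | xargs)`, word-splits every value and runs the file's contents through shell expansion, so any value containing spaces, `#` or `$` is silently mangled before it reaches the binary; systemd's optional-file form `EnvironmentFile = "-/srv/within/xesite/.env";` placed in `serviceConfig` loads the same KEY=VALUE lines without a shell pass and skips the file cleanly when it is absent (this assumes the file holds plain KEY=VALUE lines, which is what the current pipeline also requires). Separately, the `port` option is declared but never read, and `domain`'s description says it is what nginx checks against while the three `virtualHosts` below are hard-coded to fixed names; either wire `cfg.domain` into a `serverName` or reword the description to `"The domain name exported to the xesite binary as DOMAIN"` so the option does what it claims.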