| author | Xe Iaso <me@christine.website> | 2022-12-30 10:09:08 -0500 |
|---|---|---|
| committer | Xe Iaso <me@christine.website> | 2022-12-30 10:09:27 -0500 |
| commit | 6171b772aab6db249f26ed80d8ea21386642cb73 (patch) | |
| tree | 3e76c3b08adabf0d8460071dc59278c0ea6fb41c /flake.nix | |
| parent | 7b1e0e83b06abb8908ca7800525ec098ea85f1df (diff) | |
| download | xesite-6171b772aab6db249f26ed80d8ea21386642cb73.tar.xz xesite-6171b772aab6db249f26ed80d8ea21386642cb73.zip | |
add xesite NixOS module
Signed-off-by: Xe Iaso <me@christine.website>
Diffstat (limited to 'flake.nix')
| -rw-r--r-- | flake.nix | 150 |
1 files changed, 19 insertions, 131 deletions
@@ -88,25 +88,22 @@ }; frontend = let - build = { entrypoint, name ? entrypoint, minify ? true }: pkgs.deno2nix.mkBundled { - pname = "xesite-frontend-${name}"; - inherit (bin) version; - - src = ./src/frontend; - lockfile = ./src/frontend/deno.lock; - - output = "${entrypoint}.js"; - outPath = "static/js"; - entrypoint = "./${entrypoint}.tsx"; - importMap = "./import_map.json"; - inherit minify; - }; - share-button = build { - entrypoint = "mastodon_share_button"; - }; - wasiterm = build { - entrypoint = "wasiterm"; - }; + build = { entrypoint, name ? entrypoint, minify ? true }: + pkgs.deno2nix.mkBundled { + pname = "xesite-frontend-${name}"; + inherit (bin) version; + + src = ./src/frontend; + lockfile = ./src/frontend/deno.lock; + + output = "${entrypoint}.js"; + outPath = "static/js"; + entrypoint = "./${entrypoint}.tsx"; + importMap = "./import_map.json"; + inherit minify; + }; + share-button = build { entrypoint = "mastodon_share_button"; }; + wasiterm = build { entrypoint = "wasiterm"; }; in pkgs.symlinkJoin { name = "xesite-frontend-${bin.version}"; paths = [ share-button wasiterm ]; 
@@ -197,116 +194,7 @@ GITHUB_SHA = "devel"; DHALL_PRELUDE = "${pkgs.dhallPackages.Prelude}"; }; - - nixosModules.bot = { config, lib, ... }: - with lib; - let cfg = config.xeserv.services.xesite; - in { - options.within.services.xesite = { - enable = mkEnableOption "Activates my personal website"; - useACME = mkEnableOption "Enables ACME for cert stuff"; - - port = mkOption { - type = types.port; - default = 32837; - example = 9001; - description = - "The port number xesite should listen on for HTTP traffic"; - }; - - domain = mkOption { - type = types.str; - default = "xesite.akua"; - example = "xeiaso.net"; - description = - "The domain name that nginx should check against for HTTP hostnames"; - }; - - sockPath = mkOption rec { - type = types.str; - default = "/srv/within/run/xesite.sock"; - example = default; - description = - "The unix domain socket that xesite should listen on"; - }; - }; - - config = mkIf cfg.enable { - users.users.xesite = { - createHome = true; - description = "github.com/Xe/site"; - isSystemUser = true; - group = "within"; - home = "/srv/within/xesite"; - extraGroups = [ "keys" ]; - }; - - systemd.services.xesite = { - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - User = "xesite"; - Group = "within"; - Restart = "on-failure"; - WorkingDirectory = "/srv/within/xesite"; - RestartSec = "30s"; - Type = "notify"; - - # Security - CapabilityBoundingSet = ""; - DeviceAllow = [ ]; - NoNewPrivileges = "true"; - ProtectControlGroups = "true"; - ProtectClock = "true"; - PrivateDevices = "true"; - PrivateUsers = "true"; - ProtectHome = "true"; - ProtectHostname = "true"; - ProtectKernelLogs = "true"; - ProtectKernelModules = "true"; - ProtectKernelTunables = "true"; - ProtectSystem = "true"; - ProtectProc = "invisible"; - RemoveIPC = "true"; - RestrictSUIDSGID = "true"; - RestrictRealtime = "true"; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "~@reboot" - "~@module" - "~@mount" - "~@swap" - "~@resources" - 
"~@cpu-emulation" - "~@obsolete" - "~@debug" - "~@privileged" - ]; - UMask = "007"; - }; - - script = let site = packages.default; - in '' - export SOCKPATH=${cfg.sockPath} - export DOMAIN=${toString cfg.domain} - cd ${site} - exec ${site}/bin/xesite - ''; - }; - - services.nginx.virtualHosts."xesite" = { - serverName = "${cfg.domain}"; - locations."/" = { - proxyPass = "http://unix:${toString cfg.sockPath}"; - proxyWebsockets = true; - }; - forceSSL = cfg.useACME; - useACMEHost = "xeiaso.net"; - extraConfig = '' - access_log /var/log/nginx/xesite.access.log; - ''; - }; - }; - }; - }); + }) // { + nixosModules.default = import ./nix/xesite.nix self; + }; } |
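Review bot: The flake output is renamed from `nixosModules.bot` to `nixosModules.default` on the added `// { ... }` lines, so any downstream flake that imports `xesite.nixosModules.bot` will stop evaluating, and neither the commit message nor the diff mentions the rename. If existing consumers are a concern, keep a one-line alias next to the new attribute, `nixosModules.bot = self.nixosModules.default;`, or call out the rename in the commit message. The module body itself now lives in `./nix/xesite.nix`, which is outside this flake.nix-only diff, so it cannot be confirmed here that the systemd hardening the removed module carried (CapabilityBoundingSet, NoNewPrivileges, ProtectSystem, SystemCallFilter) was moved over intact, or that the removed module's apparent mismatch between `config.xeserv.services.xesite` and `options.within.services.xesite` was resolved rather than copied; both are worth checking in that file.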
