| author | Xe Iaso <me@christine.website> | 2022-04-22 23:36:25 +0000 |
|---|---|---|
| committer | Xe Iaso <me@christine.website> | 2022-04-22 23:36:25 +0000 |
| commit | 2e539512b713ffcbb8de15e7318abcea5a3d9249 (patch) | |
| tree | b4ee0cafb7d0b774d323adcc8b87e7abd75d1164 /flake.nix | |
| parent | f51752ed3caaaff598099045b808afa4b96812ba (diff) | |
| download | xesite-2e539512b713ffcbb8de15e7318abcea5a3d9249.tar.xz xesite-2e539512b713ffcbb8de15e7318abcea5a3d9249.zip | |
convert to flakes
Signed-off-by: Xe Iaso <me@christine.website>
Diffstat (limited to 'flake.nix')
| -rw-r--r-- | flake.nix | 215 |
1 files changed, 215 insertions, 0 deletions
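diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..186fbe9
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,215 @@
+{
+ description = "A very basic flake";
+
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ naersk.url = "github:nix-community/naersk";
+ };
+
+ outputs = { self, nixpkgs, flake-utils, naersk }:
+ flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ naersk-lib = naersk.lib."${system}";
+ src = ./.;
+ in rec {
+ packages = rec {
+ bin = naersk-lib.buildPackage {
+ pname = "xesite-bin";
+ root = src;
+ buildInputs = with pkgs; [ pkg-config openssl git ];
+ };
+
+ config = pkgs.stdenv.mkDerivation {
+ pname = "xesite-config";
+ inherit (bin) version;
+ inherit src;
+ buildInputs = with pkgs; [ dhall ];
+
+ phases = "installPhase";
+
+ installPhase = ''
+ cd $src
+ mkdir -p $out
+ dhall resolve < $src/config.dhall >> $out/config.dhall
+ '';
+ };
+
+ static = pkgs.stdenv.mkDerivation {
+ pname = "xesite-static";
+ inherit (bin) version;
+ inherit src;
+
+ phases = "installPhase";
+
+ installPhase = ''
+ mkdir -p $out
+ cp -vrf $src/static $out
+ cp -vrf $src/css $out
+ '';
+ };
+
+ posts = pkgs.stdenv.mkDerivation {
+ pname = "xesite-posts";
+ inherit (bin) version;
+ inherit src;
+
+ phases = "installPhase";
+
+ installPhase = ''
+ mkdir -p $out
+ cp -vrf $src/blog $out
+ cp -vrf $src/gallery $out
+ cp -vrf $src/talks $out
+ '';
+ };
+
+ default = pkgs.symlinkJoin {
+ name = "xesite-${bin.version}";
+ paths = [ config posts static bin ];
+ };
+ };
+
+ devShells.default = pkgs.mkShell {
+ buildInputs = with pkgs; [
+ # Rust
+ rustc
+ cargo
+ rust-analyzer
+ cargo-watch
+
+ # system dependencies
+ openssl
+ pkg-config
+
+ # kubernetes deployment
+ dhall
+ dhall-json
+
+ # dependency manager
+ niv
+
+ # tools
+ ispell
+ ];
+
+ SITE_PREFIX = "devel.";
+ CLACK_SET = "Ashlynn,Terry Davis,Dennis Ritchie";
+ RUST_LOG = "debug";
+ RUST_BACKTRACE = "1";
+ GITHUB_SHA = "devel";
+ };
+
+ nixosModules.bot = { config, lib, ... }:
+ with lib;
+ let cfg = config.xeserv.services.xesite;
+ in {
+ options.within.services.xesite = {
+ enable = mkEnableOption "Activates my personal website";
+ useACME = mkEnableOption "Enables ACME for cert stuff";
+
+ port = mkOption {
+ type = types.port;
+ default = 32837;
+ example = 9001;
+ description =
+ "The port number xesite should listen on for HTTP traffic";
+ };
+
+ domain = mkOption {
+ type = types.str;
+ default = "xesite.akua";
+ example = "christine.website";
+ description =
+ "The domain name that nginx should check against for HTTP hostnames";
+ };
+
+ sockPath = mkOption rec {
+ type = types.str;
+ default = "/srv/within/run/xesite.sock";
+ example = default;
+ description =
+ "The unix domain socket that xesite should listen on";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.xesite = {
+ createHome = true;
+ description = "github.com/Xe/site";
+ isSystemUser = true;
+ group = "within";
+ home = "/srv/within/xesite";
+ extraGroups = [ "keys" ];
+ };
+
+ systemd.services.xesite = {
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = "xesite";
+ Group = "within";
+ Restart = "on-failure";
+ WorkingDirectory = "/srv/within/xesite";
+ RestartSec = "30s";
+ Type = "notify";
+
+ # Security
+ CapabilityBoundingSet = "";
+ DeviceAllow = [ ];
+ NoNewPrivileges = "true";
+ ProtectControlGroups = "true";
+ ProtectClock = "true";
+ PrivateDevices = "true";
+ PrivateUsers = "true";
+ ProtectHome = "true";
+ ProtectHostname = "true";
+ ProtectKernelLogs = "true";
+ ProtectKernelModules = "true";
+ ProtectKernelTunables = "true";
+ ProtectSystem = "true";
+ ProtectProc = "invisible";
+ RemoveIPC = "true";
+ RestrictSUIDSGID = "true";
+ RestrictRealtime = "true";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "~@reboot"
+ "~@module"
+ "~@mount"
+ "~@swap"
+ "~@resources"
+ "~@cpu-emulation"
+ "~@obsolete"
+ "~@debug"
+ "~@privileged"
+ ];
+ UMask = "007";
+ };
+
+ script = let site = packages.default;
+ in ''
+ export SOCKPATH=${cfg.sockPath}
+ export DOMAIN=${toString cfg.domain}
+ cd ${site}
+ exec ${site}/bin/xesite
+ '';
+ };
+
+ services.nginx.virtualHosts."xesite" = {
+ serverName = "${cfg.domain}";
+ locations."/" = {
+ proxyPass = "http://unix:${toString cfg.sockPath}";
+ proxyWebsockets = true;
+ };
+ forceSSL = cfg.useACME;
+ useACMEHost = "christine.website";
+ extraConfig = ''
+ access_log /var/log/nginx/xesite.access.log;
+ '';
+ };
+ };
+ };
+ });
+}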
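Review bot: `cfg` is bound to `config.xeserv.services.xesite` while the options this module declares live under `options.within.services.xesite`, so `mkIf cfg.enable` reads an attribute path the module never defines and importing `nixosModules.bot` should fail with a missing-attribute error; one of the two paths has to change, e.g. `let cfg = config.within.services.xesite;`. On the hardening side, `ProtectSystem = "true"` only makes `/usr` and the boot loader directories read-only and leaves `/etc` and `/var` writable to the unit; since the service only needs to create the socket at `cfg.sockPath`, `ProtectSystem = "strict";` together with `ReadWritePaths = [ (builtins.dirOf cfg.sockPath) ];` would be the tighter form. Nothing in the hunk creates the socket's parent directory `/srv/within/run` or gives the nginx user access to a socket created under `UMask = "007"` with group `within`; presumably the rest of the host configuration handles both, but it is worth a comment next to `sockPath` saying so.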
