convert to flakes

Signed-off-by: Xe Iaso <me@christine.website>
2022-04-22 23:36:25 +00:00 · 2022-04-22 23:36:25 +00:00 · 2e539512b7
parent f51752ed3c
commit 2e539512b7
5 changed files with 292 additions and 41 deletions
--- a/.envrc
+++ b/.envrc
@ -1 +1 @@
-eval "$(lorri direnv)"
+use_nix
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@ cw.tar
 .#*
 /target
 .patreon.json
+.direnv
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,75 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1649676176,
+        "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "naersk": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1650265945,
+        "narHash": "sha256-SO8+1db4jTOjnwP++29vVgImLIfETSXyoz0FuLkiikE=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "e8f9f8d037774becd82fce2781e1abdb7836d7df",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1650647760,
+        "narHash": "sha256-Ng8CGYLSTxeI+oEux0x+tSRA6K7ydoyfJNQf56ld+Uo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b80f570a92d04e8ace67ff09c34aa48708a5c88c",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1650161686,
+        "narHash": "sha256-70ZWAlOQ9nAZ08OU6WY7n4Ij2kOO199dLfNlvO/+pf8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "1ffba9f2f683063c2b14c9f4d12c55ad5f4ed887",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "nixos-unstable",
+        "type": "indirect"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "naersk": "naersk",
+        "nixpkgs": "nixpkgs_2"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,215 @@
+{
+  description = "A very basic flake";
+
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+    naersk.url = "github:nix-community/naersk";
+  };
+
+  outputs = { self, nixpkgs, flake-utils, naersk }:
+    flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        naersk-lib = naersk.lib."${system}";
+        src = ./.;
+      in rec {
+        packages = rec {
+          bin = naersk-lib.buildPackage {
+            pname = "xesite-bin";
+            root = src;
+            buildInputs = with pkgs; [ pkg-config openssl git ];
+          };
+
+          config = pkgs.stdenv.mkDerivation {
+            pname = "xesite-config";
+            inherit (bin) version;
+            inherit src;
+            buildInputs = with pkgs; [ dhall ];
+
+            phases = "installPhase";
+
+            installPhase = ''
+              cd $src
+              mkdir -p $out
+              dhall resolve < $src/config.dhall >> $out/config.dhall
+            '';
+          };
+
+          static = pkgs.stdenv.mkDerivation {
+            pname = "xesite-static";
+            inherit (bin) version;
+            inherit src;
+
+            phases = "installPhase";
+
+            installPhase = ''
+              mkdir -p $out
+              cp -vrf $src/static $out
+              cp -vrf $src/css $out
+            '';
+          };
+
+          posts = pkgs.stdenv.mkDerivation {
+            pname = "xesite-posts";
+            inherit (bin) version;
+            inherit src;
+
+            phases = "installPhase";
+
+            installPhase = ''
+              mkdir -p $out
+              cp -vrf $src/blog $out
+              cp -vrf $src/gallery $out
+              cp -vrf $src/talks $out
+            '';
+          };
+
+          default = pkgs.symlinkJoin {
+            name = "xesite-${bin.version}";
+            paths = [ config posts static bin ];
+          };
+        };
+
+        devShells.default = pkgs.mkShell {
+          buildInputs = with pkgs; [
+            # Rust
+            rustc
+            cargo
+            rust-analyzer
+            cargo-watch
+
+            # system dependencies
+            openssl
+            pkg-config
+
+            # kubernetes deployment
+            dhall
+            dhall-json
+
+            # dependency manager
+            niv
+
+            # tools
+            ispell
+          ];
+
+          SITE_PREFIX = "devel.";
+          CLACK_SET = "Ashlynn,Terry Davis,Dennis Ritchie";
+          RUST_LOG = "debug";
+          RUST_BACKTRACE = "1";
+          GITHUB_SHA = "devel";
+        };
+
+        nixosModules.bot = { config, lib, ... }:
+          with lib;
+          let cfg = config.xeserv.services.xesite;
+          in {
+            options.within.services.xesite = {
+              enable = mkEnableOption "Activates my personal website";
+              useACME = mkEnableOption "Enables ACME for cert stuff";
+
+              port = mkOption {
+                type = types.port;
+                default = 32837;
+                example = 9001;
+                description =
+                  "The port number xesite should listen on for HTTP traffic";
+              };
+
+              domain = mkOption {
+                type = types.str;
+                default = "xesite.akua";
+                example = "christine.website";
+                description =
+                  "The domain name that nginx should check against for HTTP hostnames";
+              };
+
+              sockPath = mkOption rec {
+                type = types.str;
+                default = "/srv/within/run/xesite.sock";
+                example = default;
+                description =
+                  "The unix domain socket that xesite should listen on";
+              };
+            };
+
+            config = mkIf cfg.enable {
+              users.users.xesite = {
+                createHome = true;
+                description = "github.com/Xe/site";
+                isSystemUser = true;
+                group = "within";
+                home = "/srv/within/xesite";
+                extraGroups = [ "keys" ];
+              };
+
+              systemd.services.xesite = {
+                wantedBy = [ "multi-user.target" ];
+
+                serviceConfig = {
+                  User = "xesite";
+                  Group = "within";
+                  Restart = "on-failure";
+                  WorkingDirectory = "/srv/within/xesite";
+                  RestartSec = "30s";
+                  Type = "notify";
+
+                  # Security
+                  CapabilityBoundingSet = "";
+                  DeviceAllow = [ ];
+                  NoNewPrivileges = "true";
+                  ProtectControlGroups = "true";
+                  ProtectClock = "true";
+                  PrivateDevices = "true";
+                  PrivateUsers = "true";
+                  ProtectHome = "true";
+                  ProtectHostname = "true";
+                  ProtectKernelLogs = "true";
+                  ProtectKernelModules = "true";
+                  ProtectKernelTunables = "true";
+                  ProtectSystem = "true";
+                  ProtectProc = "invisible";
+                  RemoveIPC = "true";
+                  RestrictSUIDSGID = "true";
+                  RestrictRealtime = "true";
+                  SystemCallArchitectures = "native";
+                  SystemCallFilter = [
+                    "~@reboot"
+                    "~@module"
+                    "~@mount"
+                    "~@swap"
+                    "~@resources"
+                    "~@cpu-emulation"
+                    "~@obsolete"
+                    "~@debug"
+                    "~@privileged"
+                  ];
+                  UMask = "007";
+                };
+
+                script = let site = packages.default;
+                in ''
+                  export SOCKPATH=${cfg.sockPath}
+                  export DOMAIN=${toString cfg.domain}
+                  cd ${site}
+                  exec ${site}/bin/xesite
+                '';
+              };
+
+              services.nginx.virtualHosts."xesite" = {
+                serverName = "${cfg.domain}";
+                locations."/" = {
+                  proxyPass = "http://unix:${toString cfg.sockPath}";
+                  proxyWebsockets = true;
+                };
+                forceSSL = cfg.useACME;
+                useACMEHost = "christine.website";
+                extraConfig = ''
+                  access_log /var/log/nginx/xesite.access.log;
+                '';
+              };
+            };
+          };
+      });
+}
--- a/shell.nix
+++ b/shell.nix
@ -1,40 +0,0 @@
-let
-  sources = import ./nix/sources.nix;
-  pkgs =
-    import sources.nixpkgs { overlays = [ (import sources.nixpkgs-mozilla) ]; };
-  dhallpkgs = import sources.easy-dhall-nix { inherit pkgs; };
-  dhall-yaml = dhallpkgs.dhall-yaml-simple;
-  dhall = dhallpkgs.dhall-simple;
-  xepkgs = import sources.xepkgs { inherit pkgs; };
-  rust = pkgs.callPackage ./nix/rust.nix { };
-in with pkgs;
-with xepkgs;
-mkShell {
-  buildInputs = [
-    # Rust
-    rust
-    cargo-watch
-
-    # system dependencies
-    openssl
-    pkg-config
-
-    # kubernetes deployment
-    dhall
-    dhall-yaml
-
-    # dependency manager
-    niv
-
-    # tools
-    ispell
-  ];
-
-  SITE_PREFIX = "devel.";
-  CLACK_SET = "Ashlynn,Terry Davis,Dennis Ritchie";
-  RUST_LOG = "debug";
-  RUST_BACKTRACE = "1";
-  RUST_SRC_PATH =
-    "${pkgs.latest.rustChannels.nightly.rust-src}/lib/rustlib/src/rust/library";
-  GITHUB_SHA = "devel";
-}