{
  # Flake metadata shown by `nix flake metadata`; still the template default.
  description = "A very basic flake";

  # Inputs in dotted-path form (equivalent to the nested `inputs = { ... }`).
  # These URLs name moving refs; the exact revisions actually used come from
  # flake.lock, so review that file when auditing what gets built.
  inputs.nixpkgs.url = "nixpkgs/nixos-unstable";
  inputs.flake-utils.url = "github:numtide/flake-utils";
  inputs.naersk.url = "github:nix-community/naersk";
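outputs = { self, nixpkgs, flake-utils, naersk }:
  # Everything below is evaluated once per listed system. flake-utils
  # exposes each attribute as <attr>.<system>, which also applies to
  # nixosModules.bot (it is reachable as nixosModules.<system>.bot).
  flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
    let
      pkgs = import nixpkgs { inherit system; };
      naersk-lib = naersk.lib."${system}";
      # The flake's own checkout; every derivation below reads from it.
      src = ./.;
    in rec {
      packages = rec {
        # Rust binary built by naersk from the Cargo project at `src`.
        bin = naersk-lib.buildPackage {
          pname = "xesite-bin";
          root = src;
          buildInputs = with pkgs; [ pkg-config openssl git ];
        };

        # Fully resolved Dhall config. `dhall resolve` runs inside the Nix
        # build sandbox, so config.dhall can only import files present in
        # `src`; the `cd $src` keeps relative imports read from stdin
        # resolving against the checkout.
        config = pkgs.stdenv.mkDerivation {
          pname = "xesite-config";
          inherit (bin) version;
          inherit src;
          buildInputs = with pkgs; [ dhall ];
          # Skip unpack/configure/build; output is produced directly from $src.
          phases = "installPhase";
          installPhase = ''
            cd $src
            mkdir -p $out
            dhall resolve < $src/config.dhall >> $out/config.dhall
          '';
        };

        # Static assets (static/, css/) copied verbatim into $out.
        static = pkgs.stdenv.mkDerivation {
          pname = "xesite-static";
          inherit (bin) version;
          inherit src;
          phases = "installPhase";
          installPhase = ''
            mkdir -p $out
            cp -vrf $src/static $out
            cp -vrf $src/css $out
          '';
        };

        # Content directories (blog/, gallery/, talks/) copied verbatim into $out.
        posts = pkgs.stdenv.mkDerivation {
          pname = "xesite-posts";
          inherit (bin) version;
          inherit src;
          phases = "installPhase";
          installPhase = ''
            mkdir -p $out
            cp -vrf $src/blog $out
            cp -vrf $src/gallery $out
            cp -vrf $src/talks $out
          '';
        };

        # Final site tree: config, content, assets and binary merged by symlink.
        default = pkgs.symlinkJoin {
          name = "xesite-${bin.version}";
          paths = [ config posts static bin ];
        };
      };

      devShell = pkgs.mkShell {
        buildInputs = with pkgs; [
          # Rust
          rustc
          cargo
          rust-analyzer
          cargo-watch
          rustfmt

          # system dependencies
          openssl
          pkg-config

          # kubernetes deployment
          dhall
          dhall-json

          # dependency manager
          niv

          # tools
          ispell
        ];

        # Development-only environment; these values are never used by the
        # NixOS module below.
        SITE_PREFIX = "devel.";
        CLACK_SET = "Ashlynn,Terry Davis,Dennis Ritchie";
        RUST_LOG = "debug";
        RUST_BACKTRACE = "1";
        GITHUB_SHA = "devel";
      };

      nixosModules.bot = { config, lib, ... }:
        with lib;
        let
          # Must match the option path declared below. The previous version
          # read `config.xeserv.services.xesite`, which no module declares, so
          # `cfg.enable` could not evaluate.
          cfg = config.within.services.xesite;
        in {
          options.within.services.xesite = {
            enable = mkEnableOption "Activates my personal website";
            useACME = mkEnableOption "Enables ACME for cert stuff";

            # NOTE(review): declared but not referenced anywhere in this
            # module; the service is reached only via `sockPath`.
            port = mkOption {
              type = types.port;
              default = 32837;
              example = 9001;
              description =
                "The port number xesite should listen on for HTTP traffic";
            };

            domain = mkOption {
              type = types.str;
              default = "xesite.akua";
              example = "xeiaso.net";
              description =
                "The domain name that nginx should check against for HTTP hostnames";
            };

            sockPath = mkOption rec {
              type = types.str;
              default = "/srv/within/run/xesite.sock";
              example = default;
              description =
                "The unix domain socket that xesite should listen on";
            };
          };

          config = mkIf cfg.enable {
            # Dedicated unprivileged account. The "within" group is not
            # declared in this module; presumably defined elsewhere — confirm.
            users.users.xesite = {
              createHome = true;
              description = "github.com/Xe/site";
              isSystemUser = true;
              group = "within";
              home = "/srv/within/xesite";
              extraGroups = [ "keys" ];
            };

            systemd.services.xesite = {
              wantedBy = [ "multi-user.target" ];

              serviceConfig = {
                User = "xesite";
                Group = "within";
                Restart = "on-failure";
                WorkingDirectory = "/srv/within/xesite";
                RestartSec = "30s";
                Type = "notify";

                # Security: the service runs as an unprivileged user with no
                # capabilities, no device access and a native-only syscall
                # allowlist. ProtectSystem=true leaves /etc and /var writable;
                # "strict" plus ReadWritePaths for the socket directory would
                # tighten this but is left unchanged here because it needs
                # runtime confirmation of what the binary writes.
                CapabilityBoundingSet = "";
                DeviceAllow = [ ];
                NoNewPrivileges = true;
                ProtectControlGroups = true;
                ProtectClock = true;
                PrivateDevices = true;
                PrivateUsers = true;
                ProtectHome = true;
                ProtectHostname = true;
                ProtectKernelLogs = true;
                ProtectKernelModules = true;
                ProtectKernelTunables = true;
                ProtectSystem = true;
                ProtectProc = "invisible";
                RemoveIPC = true;
                RestrictSUIDSGID = true;
                RestrictRealtime = true;
                SystemCallArchitectures = "native";
                SystemCallFilter = [
                  "~@reboot"
                  "~@module"
                  "~@mount"
                  "~@swap"
                  "~@resources"
                  "~@cpu-emulation"
                  "~@obsolete"
                  "~@debug"
                  "~@privileged"
                ];
                # Files/sockets created by the service are group-accessible
                # (needed so nginx can reach the unix socket) but not
                # world-accessible.
                UMask = "007";
              };

              # Runs the binary from the merged site tree so it finds the
              # resolved config, content and assets relative to its cwd.
              script = let site = packages.default;
              in ''
                export SOCKPATH="${cfg.sockPath}"
                export DOMAIN="${cfg.domain}"
                cd ${site}
                exec ${site}/bin/xesite
              '';
            };

            services.nginx.virtualHosts."xesite" = {
              serverName = cfg.domain;
              locations."/" = {
                proxyPass = "http://unix:${cfg.sockPath}";
                proxyWebsockets = true;
              };
              forceSSL = cfg.useACME;
              # NOTE(review): the certificate host is hard-coded while
              # `domain` is configurable; a cert for xeiaso.net must be
              # provisioned elsewhere (security.acme) — confirm this matches
              # the deployed domain.
              useACMEHost = "xeiaso.net";
              extraConfig = ''
                access_log /var/log/nginx/xesite.access.log;
              '';
            };
          };
        };
    });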
}