diff --git a/.envrc b/.envrc
index be81fed..4a4726a 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1 @@
-eval "$(lorri direnv)"
\ No newline at end of file
+use_nix
diff --git a/.gitignore b/.gitignore
index 049d0ed..fed8779 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ cw.tar
 .#*
 /target
 .patreon.json
+.direnv
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..5d18956
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,75 @@
+{ + "nodes": { + "flake-utils": { + "locked": { + "lastModified": 1649676176, + "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "naersk": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1650265945, + "narHash": "sha256-SO8+1db4jTOjnwP++29vVgImLIfETSXyoz0FuLkiikE=", + "owner": "nix-community", + "repo": "naersk", + "rev": "e8f9f8d037774becd82fce2781e1abdb7836d7df", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1650647760, + "narHash": "sha256-Ng8CGYLSTxeI+oEux0x+tSRA6K7ydoyfJNQf56ld+Uo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b80f570a92d04e8ace67ff09c34aa48708a5c88c", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1650161686, + "narHash": "sha256-70ZWAlOQ9nAZ08OU6WY7n4Ij2kOO199dLfNlvO/+pf8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1ffba9f2f683063c2b14c9f4d12c55ad5f4ed887", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "naersk": "naersk", + "nixpkgs": "nixpkgs_2" + } + } + }, + "root": "root", + "version": 7 +} 
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..186fbe9
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,215 @@
+{
+ description = "A very basic flake";
+
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ naersk.url = "github:nix-community/naersk";
+ };
+
+ outputs = { self, nixpkgs, flake-utils, naersk }:
+ flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
+ let
+ pkgs = import nixpkgs { inherit system; };
+ naersk-lib = naersk.lib."${system}";
+ src = ./.;
+ in rec {
+ packages = rec {
+ bin = naersk-lib.buildPackage {
+ pname = "xesite-bin";
+ root = src;
+ buildInputs = with pkgs; [ pkg-config openssl git ];
+ };
+
+ config = pkgs.stdenv.mkDerivation {
+ pname = "xesite-config";
+ inherit (bin) version;
+ inherit src;
+ buildInputs = with pkgs; [ dhall ];
+
+ phases = "installPhase";
+
+ installPhase = ''
+ cd $src
+ mkdir -p $out
+ dhall resolve < $src/config.dhall >> $out/config.dhall
+ '';
+ };
+
+ static = pkgs.stdenv.mkDerivation {
+ pname = "xesite-static";
+ inherit (bin) version;
+ inherit src;
+
+ phases = "installPhase";
+
+ installPhase = ''
+ mkdir -p $out
+ cp -vrf $src/static $out
+ cp -vrf $src/css $out
+ '';
+ };
+
+ posts = pkgs.stdenv.mkDerivation {
+ pname = "xesite-posts";
+ inherit (bin) version;
+ inherit src;
+
+ phases = "installPhase";
+
+ installPhase = ''
+ mkdir -p $out
+ cp -vrf $src/blog $out
+ cp -vrf $src/gallery $out
+ cp -vrf $src/talks $out
+ '';
+ };
+
+ default = pkgs.symlinkJoin {
+ name = "xesite-${bin.version}";
+ paths = [ config posts static bin ];
+ };
+ };
+
+ devShells.default = pkgs.mkShell {
+ buildInputs = with pkgs; [
+ # Rust
+ rustc
+ cargo
+ rust-analyzer
+ cargo-watch
+
+ # system dependencies
+ openssl
+ pkg-config
+
+ # kubernetes deployment
+ dhall
+ dhall-json
+
+ # dependency manager
+ niv
+
+ # tools
+ ispell
+ ];
+
+ SITE_PREFIX = "devel.";
+ CLACK_SET = "Ashlynn,Terry Davis,Dennis Ritchie";
+ RUST_LOG = "debug";
+ RUST_BACKTRACE = "1";
+ GITHUB_SHA = "devel";
+ };
+
+ nixosModules.bot = { config, lib, ... 
}:
+ with lib;
+ let cfg = config.xeserv.services.xesite;
+ in {
+ options.within.services.xesite = {
+ enable = mkEnableOption "Activates my personal website";
+ useACME = mkEnableOption "Enables ACME for cert stuff";
+
+ port = mkOption {
+ type = types.port;
+ default = 32837;
+ example = 9001;
+ description =
+ "The port number xesite should listen on for HTTP traffic";
+ };
+
+ domain = mkOption {
+ type = types.str;
+ default = "xesite.akua";
+ example = "christine.website";
+ description =
+ "The domain name that nginx should check against for HTTP hostnames";
+ };
+
+ sockPath = mkOption rec {
+ type = types.str;
+ default = "/srv/within/run/xesite.sock";
+ example = default;
+ description =
+ "The unix domain socket that xesite should listen on";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.xesite = {
+ createHome = true;
+ description = "github.com/Xe/site";
+ isSystemUser = true;
+ group = "within";
+ home = "/srv/within/xesite";
+ extraGroups = [ "keys" ];
+ };
+
+ systemd.services.xesite = {
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ User = "xesite";
+ Group = "within";
+ Restart = "on-failure";
+ WorkingDirectory = "/srv/within/xesite";
+ RestartSec = "30s";
+ Type = "notify";
+
+ # Security
+ CapabilityBoundingSet = "";
+ DeviceAllow = [ ];
+ NoNewPrivileges = "true";
+ ProtectControlGroups = "true";
+ ProtectClock = "true";
+ PrivateDevices = "true";
+ PrivateUsers = "true";
+ ProtectHome = "true";
+ ProtectHostname = "true";
+ ProtectKernelLogs = "true";
+ ProtectKernelModules = "true";
+ ProtectKernelTunables = "true";
+ ProtectSystem = "true";
+ ProtectProc = "invisible";
+ RemoveIPC = "true";
+ RestrictSUIDSGID = "true";
+ RestrictRealtime = "true";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "~@reboot"
+ "~@module"
+ "~@mount"
+ "~@swap"
+ "~@resources"
+ "~@cpu-emulation"
+ "~@obsolete"
+ "~@debug"
+ "~@privileged"
+ ];
+ UMask = "007";
+ };
+
+ script = let site = packages.default;
+ in ''
+ 
export SOCKPATH=${cfg.sockPath}
+ export DOMAIN=${toString cfg.domain}
+ cd ${site}
+ exec ${site}/bin/xesite
+ '';
+ };
+
+ services.nginx.virtualHosts."xesite" = {
+ serverName = "${cfg.domain}";
+ locations."/" = {
+ proxyPass = "http://unix:${toString cfg.sockPath}";
+ proxyWebsockets = true;
+ };
+ forceSSL = cfg.useACME;
+ useACMEHost = "christine.website";
+ extraConfig = ''
+ access_log /var/log/nginx/xesite.access.log;
+ '';
+ };
+ };
+ };
+ });
+}
diff --git a/shell.nix b/shell.nix
deleted file mode 100644
index 59bbdc9..0000000
--- a/shell.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-let
- sources = import ./nix/sources.nix;
- pkgs =
- import sources.nixpkgs { overlays = [ (import sources.nixpkgs-mozilla) ]; };
- dhallpkgs = import sources.easy-dhall-nix { inherit pkgs; };
- dhall-yaml = dhallpkgs.dhall-yaml-simple;
- dhall = dhallpkgs.dhall-simple;
- xepkgs = import sources.xepkgs { inherit pkgs; };
- rust = pkgs.callPackage ./nix/rust.nix { };
-in with pkgs;
-with xepkgs;
-mkShell {
- buildInputs = [
- # Rust
- rust
- cargo-watch
-
- # system dependencies
- openssl
- pkg-config
-
- # kubernetes deployment
- dhall
- dhall-yaml
-
- # dependency manager
- niv
-
- # tools
- ispell
- ];
-
- SITE_PREFIX = "devel.";
- CLACK_SET = "Ashlynn,Terry Davis,Dennis Ritchie";
- RUST_LOG = "debug";
- RUST_BACKTRACE = "1";
- RUST_SRC_PATH =
- "${pkgs.latest.rustChannels.nightly.rust-src}/lib/rustlib/src/rust/library";
- GITHUB_SHA = "devel";
-}
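Review bot: `cfg` is bound to `config.xeserv.services.xesite` in the NixOS module, but the options are declared under `options.within.services.xesite`, so `cfg.enable`, `cfg.sockPath` and `cfg.domain` read an attribute path that no option defines; the two paths should agree, e.g. `let cfg = config.within.services.xesite;`. The nginx vhost also hard-codes `useACMEHost = "christine.website"` while `forceSSL` follows `cfg.useACME` and `serverName` follows `cfg.domain`, so a non-default `domain` would still be served with the hard-coded certificate — either derive the ACME host from an option or document the coupling in the `useACME` description. In the hardening block the unit only binds a unix socket (plus whatever outbound traffic the binary makes), so `RestrictAddressFamilies`, `RestrictNamespaces = true` and `LockPersonality = true` look like free additions, and `ProtectSystem = "strict"` with `ReadWritePaths` covering the socket directory is the usual shape when `WorkingDirectory` is the only other writable path; verify the binary writes nowhere else before tightening. `nixosModules.bot` is emitted inside `eachSystem`, which presumably nests it under the system name rather than exposing a top-level `nixosModules.bot`; confirm that is what consumers expect. The placeholder `description = "A very basic flake"` should name the project.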