+1

.gitignore

reviewed

··· 1 1 + .direnv/

+1

dns/dnsconfig.js

reviewed

··· 39 39 A('git', '69.61.2.203', TTL(300)), 40 40 A('bin', '69.61.2.203', TTL(300)), 41 41 A('ci', '69.61.2.203', TTL(300)), 42 42 + A('write', '69.61.2.203', TTL(300)), 42 43 // vultr -> nulled: lituus 43 44 A('@', '45.77.48.108', TTL(300)), 44 45 A('jitsi', '45.77.48.108', TTL(300)),

+18

hosts/profiles/blogg/default.nix

reviewed

··· 1 1 + {pkgs, ... }: 2 2 + { 3 3 + services.nginx = { 4 4 + enable = true; 5 5 + recommendedGzipSettings = true; 6 6 + recommendedOptimisation = true; 7 7 + recommendedProxySettings = true; 8 8 + recommendedTlsSettings = true; 9 9 + }; 10 10 + 11 11 + # Enables MySQL 12 12 + services.mysql = { 13 13 + enable = true; 14 14 + package = pkgs.mariadb; 15 15 + }; 16 16 + 17 17 + services."write.sealight.xyz".enable = true; 18 18 + }

+148

modules/nixos/blogging.nix

reviewed

··· 1 1 + { options, lib, config, pkgs, ... }: 2 2 + let 3 3 + # domain for the Ghost blog 4 4 + serverName = "write.sealight.xyz"; 5 5 + # port on which the Ghost service runs 6 6 + port = 1357; 7 7 + # user used to run the Ghost service 8 8 + userName = builtins.replaceStrings [ "." ] [ "_" ] serverName; 9 9 + # MySQL database used by Ghost 10 10 + dbName = userName; 11 11 + # MySQL user used by Ghost 12 12 + dbUser = userName; 13 13 + # directory used to save the blog content 14 14 + dataDir = "/var/lib/${userName}"; 15 15 + # Ghost package we created in the section above 16 16 + ghost = import ./ghost { inherit pkgs; }; 17 17 + # script that sets up the Ghost content directory 18 18 + setupScript = pkgs.writeScript "${serverName}-setup.sh" '' 19 19 + #! ${pkgs.stdenv.shell} -e 20 20 + chmod g+s "${dataDir}" 21 21 + [[ ! -d "${dataDir}/content" ]] && cp -r "${ghost}/content" "${dataDir}/content" 22 22 + chown -R "${userName}":"${userName}" "${dataDir}/content" 23 23 + chmod -R +w "${dataDir}/content" 24 24 + ln -f -s "/etc/${serverName}.json" "${dataDir}/config.production.json" 25 25 + [[ -d "${dataDir}/current" ]] && rm "${dataDir}/current" 26 26 + ln -f -s "${ghost}/current" "${dataDir}/current" 27 27 + [[ -d "${dataDir}/content/themes/casper" ]] && rm "${dataDir}/content/themes/casper" 28 28 + ln -f -s "${ghost}/current/content/themes/casper" "${dataDir}/content/themes/casper" 29 29 + ''; 30 30 + 31 31 + databaseService = "mysql.service"; 32 32 + 33 33 + serviceConfig = config.services."${serverName}"; 34 34 + options = { enable = lib.mkEnableOption "${serverName} service"; }; 35 35 + in { 36 36 + options.services.${serverName} = options; 37 37 + config = lib.mkIf serviceConfig.enable { 38 38 + # Creates the user and group 39 39 + users.users.${userName} = { 40 40 + isSystemUser = true; 41 41 + group = userName; 42 42 + createHome = true; 43 43 + home = dataDir; 44 44 + }; 45 45 + users.groups.${userName} = { }; 46 46 + 47 47 + # Creates the Ghost config 48 48 + environment.etc."${serverName}.json".text = '' 49 49 + { 50 50 + "url": "https://${serverName}", 51 51 + "server": { 52 52 + "port": ${port}, 53 53 + "host": "0.0.0.0" 54 54 + }, 55 55 + "database": { 56 56 + "client": "mysql", 57 57 + "connection": { 58 58 + "host": "localhost", 59 59 + "user": "${dbUser}", 60 60 + "database": "${dbName}", 61 61 + "password": "", 62 62 + "socketPath": "/run/mysqld/mysqld.sock" 63 63 + } 64 64 + }, 65 65 + "mail": { 66 66 + "transport": "sendmail" 67 67 + }, 68 68 + "logging": { 69 69 + "transports": ["stdout"] 70 70 + }, 71 71 + "paths": { 72 72 + "contentPath": "${dataDir}/content" 73 73 + } 74 74 + } 75 75 + ''; 76 76 + 77 77 + # Sets up the Systemd service 78 78 + systemd.services."${serverName}" = { 79 79 + enable = true; 80 80 + description = "${serverName} ghost blog"; 81 81 + restartIfChanged = true; 82 82 + restartTriggers = 83 83 + [ ghost config.environment.etc."${serverName}.json".source ]; 84 84 + requires = [ databaseService ]; 85 85 + after = [ databaseService ]; 86 86 + path = [ pkgs.nodejs pkgs.vips ]; 87 87 + wantedBy = [ "multi-user.target" ]; 88 88 + serviceConfig = { 89 89 + User = userName; 90 90 + Group = userName; 91 91 + WorkingDirectory = dataDir; 92 92 + # Executes the setup script before start 93 93 + ExecStartPre = setupScript; 94 94 + # Runs Ghost with node 95 95 + ExecStart = "${pkgs.nodejs}/bin/node current/index.js"; 96 96 + # Sandboxes the Systemd service 97 97 + AmbientCapabilities = [ ]; 98 98 + CapabilityBoundingSet = [ ]; 99 99 + KeyringMode = "private"; 100 100 + LockPersonality = true; 101 101 + NoNewPrivileges = true; 102 102 + PrivateDevices = true; 103 103 + PrivateMounts = true; 104 104 + PrivateTmp = true; 105 105 + ProtectClock = true; 106 106 + ProtectControlGroups = true; 107 107 + ProtectHome = true; 108 108 + ProtectHostname = true; 109 109 + ProtectKernelLogs = true; 110 110 + ProtectKernelModules = true; 111 111 + ProtectKernelTunables = true; 112 112 + ProtectSystem = "full"; 113 113 + RemoveIPC = true; 114 114 + RestrictAddressFamilies = [ ]; 115 115 + RestrictNamespaces = true; 116 116 + RestrictRealtime = true; 117 117 + }; 118 118 + environment = { NODE_ENV = "production"; }; 119 119 + }; 120 120 + 121 121 + # Sets up the blog virtual host on NGINX 122 122 + services.nginx.virtualHosts.${serverName} = { 123 123 + # Sets up Lets Encrypt SSL certificates for the blog 124 124 + forceSSL = true; 125 125 + enableACME = true; 126 126 + locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; }; 127 127 + extraConfig = '' 128 128 + charset UTF-8; 129 129 + 130 130 + add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always; 131 131 + add_header Referrer-Policy "strict-origin-when-cross-origin"; 132 132 + add_header X-Frame-Options "SAMEORIGIN"; 133 133 + add_header X-XSS-Protection "1; mode=block"; 134 134 + add_header X-Content-Type-Options nosniff; 135 135 + ''; 136 136 + }; 137 137 + 138 138 + # Sets up MySQL database and user for Ghost 139 139 + services.mysql = { 140 140 + ensureDatabases = [ dbName ]; 141 141 + ensureUsers = [{ 142 142 + name = dbUser; 143 143 + ensurePermissions = { "${dbName}.*" = "ALL PRIVILEGES"; }; 144 144 + }]; 145 145 + }; 146 146 + }; 147 147 + } 148 148 +

+14

pkgs/gpodder2go.nix

reviewed

··· 1 1 + { pkgs, ... }: 2 2 + 3 3 + pkgs.buildGoModule rec { 4 4 + name = "gpodder2go"; 5 5 + src = pkgs.fetchFromGitHub { 6 6 + owner = "oxtyped"; 7 7 + repo = "gpodder2go"; 8 8 + rev = "v0.1.2"; 9 9 + hash = "sha256-RAt0rd4DZwI7b7IEFd1o4s4ivADzgzBzBaeGVL8OmYo"; 10 10 + }; 11 11 + 12 12 + vendorHash = "sha256-mbSgY5WjIAesT27uRgaiRF3N06yuUntjTp6kjUMh6Bw"; 13 13 + doCheck = false; 14 14 + }