
add xesite NixOS module

Signed-off-by: Xe Iaso <me@christine.website>

Xe Iaso 6171b772 7b1e0e83

+170 -384
+17 -129
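--- a/flake.nix
+++ b/flake.nix
@@ -88,25 +88,22 @@
 };
 
 frontend = let
-build = { entrypoint, name ? entrypoint, minify ? true }: pkgs.deno2nix.mkBundled {
-pname = "xesite-frontend-${name}";
-inherit (bin) version;
+build = { entrypoint, name ? entrypoint, minify ? true }:
+pkgs.deno2nix.mkBundled {
+pname = "xesite-frontend-${name}";
+inherit (bin) version;
 
-src = ./src/frontend;
-lockfile = ./src/frontend/deno.lock;
+src = ./src/frontend;
+lockfile = ./src/frontend/deno.lock;
 
-output = "${entrypoint}.js";
-outPath = "static/js";
-entrypoint = "./${entrypoint}.tsx";
-importMap = "./import_map.json";
-inherit minify;
-};
-share-button = build {
-entrypoint = "mastodon_share_button";
-};
-wasiterm = build {
-entrypoint = "wasiterm";
-};
+output = "${entrypoint}.js";
+outPath = "static/js";
+entrypoint = "./${entrypoint}.tsx";
+importMap = "./import_map.json";
+inherit minify;
+};
+share-button = build { entrypoint = "mastodon_share_button"; };
+wasiterm = build { entrypoint = "wasiterm"; };
 in pkgs.symlinkJoin {
 name = "xesite-frontend-${bin.version}";
 paths = [ share-button wasiterm ];
@@ -197,116 +194,7 @@
 GITHUB_SHA = "devel";
 DHALL_PRELUDE = "${pkgs.dhallPackages.Prelude}";
 };
-
-nixosModules.bot = { config, lib, ... }:
-with lib;
-let cfg = config.xeserv.services.xesite;
-in {
-options.within.services.xesite = {
-enable = mkEnableOption "Activates my personal website";
-useACME = mkEnableOption "Enables ACME for cert stuff";
-
-port = mkOption {
-type = types.port;
-default = 32837;
-example = 9001;
-description =
-"The port number xesite should listen on for HTTP traffic";
-};
-
-domain = mkOption {
-type = types.str;
-default = "xesite.akua";
-example = "xeiaso.net";
-description =
-"The domain name that nginx should check against for HTTP hostnames";
-};
-
-sockPath = mkOption rec {
-type = types.str;
-default = "/srv/within/run/xesite.sock";
-example = default;
-description =
-"The unix domain socket that xesite should listen on";
-};
-};
-
-config = mkIf cfg.enable {
-users.users.xesite = {
-createHome = true;
-description = "github.com/Xe/site";
-isSystemUser = true;
-group = "within";
-home = "/srv/within/xesite";
-extraGroups = [ "keys" ];
-};
-
-systemd.services.xesite = {
-wantedBy = [ "multi-user.target" ];
-
-serviceConfig = {
-User = "xesite";
-Group = "within";
-Restart = "on-failure";
-WorkingDirectory = "/srv/within/xesite";
-RestartSec = "30s";
-Type = "notify";
-
-# Security
-CapabilityBoundingSet = "";
-DeviceAllow = [ ];
-NoNewPrivileges = "true";
-ProtectControlGroups = "true";
-ProtectClock = "true";
-PrivateDevices = "true";
-PrivateUsers = "true";
-ProtectHome = "true";
-ProtectHostname = "true";
-ProtectKernelLogs = "true";
-ProtectKernelModules = "true";
-ProtectKernelTunables = "true";
-ProtectSystem = "true";
-ProtectProc = "invisible";
-RemoveIPC = "true";
-RestrictSUIDSGID = "true";
-RestrictRealtime = "true";
-SystemCallArchitectures = "native";
-SystemCallFilter = [
-"~@reboot"
-"~@module"
-"~@mount"
-"~@swap"
-"~@resources"
-"~@cpu-emulation"
-"~@obsolete"
-"~@debug"
-"~@privileged"
-];
-UMask = "007";
-};
-
-script = let site = packages.default;
-in ''
-export SOCKPATH=${cfg.sockPath}
-export DOMAIN=${toString cfg.domain}
-cd ${site}
-exec ${site}/bin/xesite
-'';
-};
-
-services.nginx.virtualHosts."xesite" = {
-serverName = "${cfg.domain}";
-locations."/" = {
-proxyPass = "http://unix:${toString cfg.sockPath}";
-proxyWebsockets = true;
-};
-forceSSL = cfg.useACME;
-useACMEHost = "xeiaso.net";
-extraConfig = ''
-access_log /var/log/nginx/xesite.access.log;
-'';
-};
-};
-};
-});
+}) // {
+nixosModules.default = import ./nix/xesite.nix self;
+};
 }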
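Review bot: `nixosModules.default = import ./nix/xesite.nix self;` in the second hunk points at nix/xesite.nix, but the file this commit adds is listed as xesite.nix at the repository root, and every remaining file under nix/ is deleted in the same commit; unless that path is created elsewhere, evaluating nixosModules.default will fail with a missing-path error. Changing it to `nixosModules.default = import ./xesite.nix self;` (or moving the new file under nix/) would line the two up. The module is also imported with only `self`, so anything it needs beyond the flake outputs has to come from the NixOS module arguments. The enclosing flake outputs expression starts before this hunk.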
-5
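--- a/nix/dhall-yaml.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-let
-sources = import ./sources.nix;
-pkgs = import sources.nixpkgs { };
-dhall = import sources.easy-dhall-nix { inherit pkgs; };
-in dhall.dhall-yaml-simple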
-10
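--- a/nix/rust.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ sources ? import ./sources.nix }:
-
-let
-pkgs =
-import sources.nixpkgs { overlays = [ (import sources.nixpkgs-mozilla) ]; };
-channel = "nightly";
-date = "2022-08-08";
-targets = [ ];
-chan = pkgs.rustChannelOfTargets channel date targets;
-in chan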
-69
nix/sources.json
··· 1 - { 2 - "easy-dhall-nix": { 3 - "branch": "master", 4 - "description": "Derivations for easily downloading Dhall binaries and putting them to use.", 5 - "homepage": "", 6 - "owner": "justinwoo", 7 - "repo": "easy-dhall-nix", 8 - "rev": "dce9acbb99776a7f1344db4751d6080380f76f57", 9 - "sha256": "0ckp6515gfvbxm08yyll87d9vg8sq2l21gwav2npzvwc3xz2lccf", 10 - "type": "tarball", 11 - "url": "https://github.com/justinwoo/easy-dhall-nix/archive/dce9acbb99776a7f1344db4751d6080380f76f57.tar.gz", 12 - "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" 13 - }, 14 - "naersk": { 15 - "branch": "master", 16 - "description": "Build rust crates in Nix. No configuration, no code generation, no IFD. Sandbox friendly.", 17 - "homepage": "", 18 - "owner": "nmattia", 19 - "repo": "naersk", 20 - "rev": "6944160c19cb591eb85bbf9b2f2768a935623ed3", 21 - "sha256": "01i282zrx651mpvnmlgk4fgwg56nbr1yljpzcj5irqxf18cqx3gn", 22 - "type": "tarball", 23 - "url": "https://github.com/nmattia/naersk/archive/6944160c19cb591eb85bbf9b2f2768a935623ed3.tar.gz", 24 - "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" 25 - }, 26 - "niv": { 27 - "branch": "master", 28 - "description": "Easy dependency management for Nix projects", 29 - "homepage": "https://github.com/nmattia/niv", 30 - "owner": "nmattia", 31 - "repo": "niv", 32 - "rev": "351d8bc316bf901a81885bab5f52687ec8ccab6e", 33 - "sha256": "1yzhz7ihkh6p2sxhp3amqfbmm2yqzaadqqii1xijymvl8alw5rrr", 34 - "type": "tarball", 35 - "url": "https://github.com/nmattia/niv/archive/351d8bc316bf901a81885bab5f52687ec8ccab6e.tar.gz", 36 - "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" 37 - }, 38 - "nixpkgs": { 39 - "branch": "nixpkgs-unstable", 40 - "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. 
Send issues and PRs to", 41 - "homepage": "https://github.com/NixOS/nixpkgs", 42 - "owner": "NixOS", 43 - "repo": "nixpkgs-channels", 44 - "rev": "502845c3e31ef3de0e424f3fcb09217df2ce6df6", 45 - "sha256": "0fcqpsy6y7dgn0y0wgpa56gsg0b0p8avlpjrd79fp4mp9bl18nda", 46 - "type": "tarball", 47 - "url": "https://github.com/NixOS/nixpkgs-channels/archive/502845c3e31ef3de0e424f3fcb09217df2ce6df6.tar.gz", 48 - "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" 49 - }, 50 - "nixpkgs-mozilla": { 51 - "branch": "master", 52 - "description": "mozilla related nixpkgs (extends nixos/nixpkgs repo)", 53 - "homepage": null, 54 - "owner": "mozilla", 55 - "repo": "nixpkgs-mozilla", 56 - "rev": "80627b282705101e7b38e19ca6e8df105031b072", 57 - "sha256": "11g9lppm53f5aq7a0fnwh5hivdhn2p1wmhwgmz1052x10hfqjrah", 58 - "type": "tarball", 59 - "url": "https://github.com/mozilla/nixpkgs-mozilla/archive/80627b282705101e7b38e19ca6e8df105031b072.tar.gz", 60 - "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" 61 - }, 62 - "xepkgs": { 63 - "branch": "master", 64 - "ref": "master", 65 - "repo": "https://tulpa.dev/Xe/nixpkgs", 66 - "rev": "5621d41482bca79d05c97758bb86eeb9099e26c9", 67 - "type": "git" 68 - } 69 - }
-171
nix/sources.nix
··· 1 - # This file has been generated by Niv. 2 - 3 - let 4 - 5 - # 6 - # The fetchers. fetch_<type> fetches specs of type <type>. 7 - # 8 - 9 - fetch_file = pkgs: name: spec: 10 - let 11 - name' = sanitizeName name + "-src"; 12 - in 13 - if spec.builtin or true then 14 - builtins_fetchurl { inherit (spec) url sha256; name = name'; } 15 - else 16 - pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; 17 - 18 - fetch_tarball = pkgs: name: spec: 19 - let 20 - name' = sanitizeName name + "-src"; 21 - in 22 - if spec.builtin or true then 23 - builtins_fetchTarball { name = name'; inherit (spec) url sha256; } 24 - else 25 - pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; 26 - 27 - fetch_git = name: spec: 28 - let 29 - ref = 30 - if spec ? ref then spec.ref else 31 - if spec ? branch then "refs/heads/${spec.branch}" else 32 - if spec ? tag then "refs/tags/${spec.tag}" else 33 - abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; 34 - in 35 - builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; 36 - 37 - fetch_local = spec: spec.path; 38 - 39 - fetch_builtin-tarball = name: throw 40 - ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. 41 - $ niv modify ${name} -a type=tarball -a builtin=true''; 42 - 43 - fetch_builtin-url = name: throw 44 - ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. 45 - $ niv modify ${name} -a type=file -a builtin=true''; 46 - 47 - # 48 - # Various helpers 49 - # 50 - 51 - # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 52 - sanitizeName = name: 53 - ( 54 - concatMapStrings (s: if builtins.isList s then "-" else s) 55 - ( 56 - builtins.split "[^[:alnum:]+._?=-]+" 57 - ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) 58 - ) 59 - ); 60 - 61 - # The set of packages used when specs are fetched using non-builtins. 
62 - mkPkgs = sources: system: 63 - let 64 - sourcesNixpkgs = 65 - import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; 66 - hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; 67 - hasThisAsNixpkgsPath = <nixpkgs> == ./.; 68 - in 69 - if builtins.hasAttr "nixpkgs" sources 70 - then sourcesNixpkgs 71 - else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then 72 - import <nixpkgs> {} 73 - else 74 - abort 75 - '' 76 - Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or 77 - add a package called "nixpkgs" to your sources.json. 78 - ''; 79 - 80 - # The actual fetching function. 81 - fetch = pkgs: name: spec: 82 - 83 - if ! builtins.hasAttr "type" spec then 84 - abort "ERROR: niv spec ${name} does not have a 'type' attribute" 85 - else if spec.type == "file" then fetch_file pkgs name spec 86 - else if spec.type == "tarball" then fetch_tarball pkgs name spec 87 - else if spec.type == "git" then fetch_git name spec 88 - else if spec.type == "local" then fetch_local spec 89 - else if spec.type == "builtin-tarball" then fetch_builtin-tarball name 90 - else if spec.type == "builtin-url" then fetch_builtin-url name 91 - else 92 - abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; 93 - 94 - # If the environment variable NIV_OVERRIDE_${name} is set, then use 95 - # the path directly as opposed to the fetched source. 
96 - replace = name: drv: 97 - let 98 - saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; 99 - ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; 100 - in 101 - if ersatz == "" then drv else ersatz; 102 - 103 - # Ports of functions for older nix versions 104 - 105 - # a Nix version of mapAttrs if the built-in doesn't exist 106 - mapAttrs = builtins.mapAttrs or ( 107 - f: set: with builtins; 108 - listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) 109 - ); 110 - 111 - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 112 - range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); 113 - 114 - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 115 - stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); 116 - 117 - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 118 - stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); 119 - concatMapStrings = f: list: concatStrings (map f list); 120 - concatStrings = builtins.concatStringsSep ""; 121 - 122 - # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 123 - optionalAttrs = cond: as: if cond then as else {}; 124 - 125 - # fetchTarball version that is compatible between all the versions of Nix 126 - builtins_fetchTarball = { url, name ? null, sha256 }@attrs: 127 - let 128 - inherit (builtins) lessThan nixVersion fetchTarball; 129 - in 130 - if lessThan nixVersion "1.12" then 131 - fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) 132 - else 133 - fetchTarball attrs; 134 - 135 - # fetchurl version that is compatible between all the versions of Nix 136 - builtins_fetchurl = { url, name ? 
null, sha256 }@attrs: 137 - let 138 - inherit (builtins) lessThan nixVersion fetchurl; 139 - in 140 - if lessThan nixVersion "1.12" then 141 - fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) 142 - else 143 - fetchurl attrs; 144 - 145 - # Create the final "sources" from the config 146 - mkSources = config: 147 - mapAttrs ( 148 - name: spec: 149 - if builtins.hasAttr "outPath" spec 150 - then abort 151 - "The values in sources.json should not have an 'outPath' attribute" 152 - else 153 - spec // { outPath = replace name (fetch config.pkgs name spec); } 154 - ) config.sources; 155 - 156 - # The "config" used by the fetchers 157 - mkConfig = 158 - { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null 159 - , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) 160 - , system ? builtins.currentSystem 161 - , pkgs ? mkPkgs sources system 162 - }: rec { 163 - # The sources, i.e. the attribute set of spec name to spec 164 - inherit sources; 165 - 166 - # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers 167 - inherit pkgs; 168 - }; 169 - 170 - in 171 - mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
+153
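--- /dev/null
+++ b/xesite.nix
@@ -0,0 +1,153 @@
+self:
+{ config, lib, ... }:
+with lib;
+let cfg = config.xeserv.services.xesite;
+in {
+options.xeserv.services.xesite = {
+enable = mkEnableOption "Activates my personal website";
+useACME = mkEnableOption "Enables ACME for cert stuff";
+
+port = mkOption {
+type = types.port;
+default = 32837;
+example = 9001;
+description = "The port number xesite should listen on for HTTP traffic";
+};
+
+domain = mkOption {
+type = types.str;
+default = "${config.networking.hostName}.shark-harmonic.ts.net";
+example = "xeiaso.net";
+description =
+"The domain name that nginx should check against for HTTP hostnames";
+};
+
+sockPath = mkOption rec {
+type = types.str;
+default = "/srv/within/run/xesite.sock";
+example = default;
+description = "The unix domain socket that xesite should listen on";
+};
+};
+
+config = mkIf cfg.enable {
+users.users.xesite = {
+createHome = true;
+description = "github.com/Xe/site";
+isSystemUser = true;
+group = "within";
+home = "/srv/within/xesite";
+extraGroups = [ "keys" ];
+};
+
+systemd.services.xesite = {
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+User = "xesite";
+Group = "within";
+Restart = "on-failure";
+WorkingDirectory = "/srv/within/xesite";
+RestartSec = "30s";
+Type = "notify";
+
+# Security
+CapabilityBoundingSet = "";
+DeviceAllow = [ ];
+NoNewPrivileges = "true";
+ProtectControlGroups = "true";
+ProtectClock = "true";
+PrivateDevices = "true";
+PrivateUsers = "true";
+ProtectHome = "true";
+ProtectHostname = "true";
+ProtectKernelLogs = "true";
+ProtectKernelModules = "true";
+ProtectKernelTunables = "true";
+ProtectSystem = "true";
+ProtectProc = "invisible";
+RemoveIPC = "true";
+RestrictSUIDSGID = "true";
+RestrictRealtime = "true";
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"~@reboot"
+"~@module"
+"~@mount"
+"~@swap"
+"~@resources"
+"~@cpu-emulation"
+"~@obsolete"
+"~@debug"
+"~@privileged"
+];
+UMask = "007";
+};
+
+script = let site = self.packages.${system}.default;
+in ''
+[ -f /srv/within/xesite/.env ] && export $(cat /srv/within/xesite/.env | xargs)
+export SOCKPATH=${cfg.sockPath}
+export DOMAIN=${toString cfg.domain}
+cd ${site}
+exec ${site}/bin/xesite
+'';
+};
+
+services.nginx.virtualHosts."xelaso.net" = let
+proxyOld = {
+proxyPass = "http://unix:${toString cfg.sockPath}";
+proxyWebsockets = true;
+};
+in {
+locations."/jsonfeed" = proxyOld;
+locations."/.within/health" = proxyOld;
+locations."/.within/website.within.xesite/new_post" = proxyOld;
+locations."/blog.rss" = proxyOld;
+locations."/blog.atom" = proxyOld;
+locations."/blog.json" = proxyOld;
+locations."/".extraConfig = ''
+return 301 https://xeiaso.net$request_uri;
+'';
+forceSSL = cfg.useACME;
+useACMEHost = "xeiaso.net";
+extraConfig = ''
+access_log /var/log/nginx/xesite_old.access.log;
+'';
+};
+
+services.nginx.virtualHosts."christine.website" = let
+proxyOld = {
+proxyPass = "http://unix:${toString cfg.sockPath}";
+proxyWebsockets = true;
+};
+in {
+locations."/jsonfeed" = proxyOld;
+locations."/.within/health" = proxyOld;
+locations."/.within/website.within.xesite/new_post" = proxyOld;
+locations."/blog.rss" = proxyOld;
+locations."/blog.atom" = proxyOld;
+locations."/blog.json" = proxyOld;
+locations."/".extraConfig = ''
+return 301 https://xeiaso.net$request_uri;
+'';
+forceSSL = cfg.useACME;
+useACMEHost = "christine.website";
+extraConfig = ''
+access_log /var/log/nginx/xesite_old.access.log;
+'';
+};
+
+services.nginx.virtualHosts."xeiaso.net" = {
+locations."/" = {
+proxyPass = "http://unix:${toString cfg.sockPath}";
+proxyWebsockets = true;
+};
+forceSSL = cfg.useACME;
+useACMEHost = "xeiaso.net";
+extraConfig = ''
+access_log /var/log/nginx/xesite.access.log;
+'';
+};
+};
+}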
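Review bot: The new `.env` loader on line 89, `[ -f /srv/within/xesite/.env ] && export $(cat /srv/within/xesite/.env | xargs)`, expands the file unquoted, so any value containing spaces, quotes, `#` or glob characters is split or mangled before reaching `export`, and the secrets take a detour through a subshell and xargs instead of being loaded by the service manager; the systemd-native form is `EnvironmentFile = "-/srv/within/xesite/.env";` in serviceConfig (the leading `-` keeps the file optional, matching the `[ -f ]` test) with line 89 dropped. Separately, `self.packages.${system}.default` on line 87 uses `system`, which neither the module arguments `{ config, lib, ... }` nor `with lib;` bind, so unless something outside this file provides it, evaluation fails as soon as `enable` is set; taking `pkgs` in the module arguments and using `pkgs.stdenv.hostPlatform.system` would resolve it. Note also that `cfg.domain` is no longer consumed by any of the three nginx virtualHosts (only exported as DOMAIN), and `cfg.port` is declared but unused, which may be intentional but is worth a comment on the options.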