Author | SHA1 | Date |
---|---|---|
Jill | ce57ed6732 | |
Jill | ce5607c49e | |
Jill | 4e92a5eae8 | |
Jill | 639d9a864d | |
Jill | 213f11c31c | |
Jill | b16a1a7a19 |
37
flake.lock
|
@ -28,11 +28,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1674151952,
|
"lastModified": 1674359560,
|
||||||
"narHash": "sha256-c0dwSGWi8LH2uBsv7ZJK11To1w8oFjTs+d2dtiusGug=",
|
"narHash": "sha256-gobqd75ujP/zFH6kSZNB3bA3YS4NMXWpZgMo1RAFEdk=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "emacs-overlay",
|
"repo": "emacs-overlay",
|
||||||
"rev": "fa7dedfa5e1171a76ff78a1260064e1b20ec93bb",
|
"rev": "184ae9c371a6251564e0b07391f7e9aaf310f002",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -147,11 +147,11 @@
|
||||||
"xdph": "xdph"
|
"xdph": "xdph"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1674143063,
|
"lastModified": 1674296335,
|
||||||
"narHash": "sha256-CfP6ZYjxLeC1Q6W4f+RCd2sokIX8RnyTA8wYzYmx9XE=",
|
"narHash": "sha256-jUvjOqKGuEk1XfZNPXU3hcPtIJKkSNzwUm5yN1EFYZA=",
|
||||||
"owner": "hyprwm",
|
"owner": "hyprwm",
|
||||||
"repo": "Hyprland",
|
"repo": "Hyprland",
|
||||||
"rev": "5112056fdbda989191310364444f328240bbf6f1",
|
"rev": "fcbfd193930dd146b141531a9cf5301d55f26907",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -227,8 +227,11 @@
|
||||||
"nixpkgs": "nixpkgs_2"
|
"nixpkgs": "nixpkgs_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1669389833,
|
"lastModified": 1674248483,
|
||||||
"narHash": "sha256-khId6aJCxyeR6jWNNywAqJ+eEoZXSZciH8kkSYG5Jf8=",
|
"narHash": "sha256-2kjUS6LPN7bmxKsUrUwLwuzpF4IxxBweiO+8G1PKGKc=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "a97f774ce46dcef5dd36b1f3fbf2711ceba24d6b",
|
||||||
|
"revCount": 29,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "file:///home/oatmealine/jillo"
|
"url": "file:///home/oatmealine/jillo"
|
||||||
},
|
},
|
||||||
|
@ -266,11 +269,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1674092998,
|
"lastModified": 1674352074,
|
||||||
"narHash": "sha256-NYB/PjEJ9W9VDVWScVFqooK20gDsNyPhCqQIP1Nn+AU=",
|
"narHash": "sha256-IQxf+CCjuETu6psq6F9gxPBISf2RLwGL0MmlCgY1aX0=",
|
||||||
"owner": "Infinidoge",
|
"owner": "Infinidoge",
|
||||||
"repo": "nix-minecraft",
|
"repo": "nix-minecraft",
|
||||||
"rev": "a55757a572e115459bbad449d2fde514d11a76e1",
|
"rev": "acfd27fd83e9c3d56e649b98aef17974f29e7830",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -312,11 +315,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1673796341,
|
"lastModified": 1674211260,
|
||||||
"narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=",
|
"narHash": "sha256-xU6Rv9sgnwaWK7tgCPadV6HhI2Y/fl4lKxJoG2+m9qs=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "6dccdc458512abce8d19f74195bb20fdb067df50",
|
"rev": "5ed481943351e9fd354aeb557679624224de38d5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -343,11 +346,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_3": {
|
"nixpkgs_3": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1673796341,
|
"lastModified": 1674211260,
|
||||||
"narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=",
|
"narHash": "sha256-xU6Rv9sgnwaWK7tgCPadV6HhI2Y/fl4lKxJoG2+m9qs=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "6dccdc458512abce8d19f74195bb20fdb067df50",
|
"rev": "5ed481943351e9fd354aeb557679624224de38d5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -183,7 +183,8 @@ in {
|
||||||
# for docs, start here
|
# for docs, start here
|
||||||
# https://nixos.org/manual/nixos/stable/options.html#opt-networking.enableB43Firmware
|
# https://nixos.org/manual/nixos/stable/options.html#opt-networking.enableB43Firmware
|
||||||
|
|
||||||
enableIPv6 = true; # true by default, but better safe than sorry
|
# temporarily disabled
|
||||||
|
enableIPv6 = false;
|
||||||
|
|
||||||
interfaces.eno1.ipv4.addresses = [
|
interfaces.eno1.ipv4.addresses = [
|
||||||
{ address = "51.89.98.8";
|
{ address = "51.89.98.8";
|
||||||
|
@ -194,22 +195,22 @@ in {
|
||||||
defaultGateway = "51.89.98.254";
|
defaultGateway = "51.89.98.254";
|
||||||
nameservers = [ "8.8.8.8" "1.1.1.1" ];
|
nameservers = [ "8.8.8.8" "1.1.1.1" ];
|
||||||
|
|
||||||
interfaces.eno1.ipv6.addresses = [
|
#interfaces.eno1.ipv6.addresses = [
|
||||||
{ address = "2001:41d0:0700:3308::";
|
# { address = "2001:41d0:0700:3308::";
|
||||||
prefixLength = 64;
|
# prefixLength = 64;
|
||||||
}
|
# }
|
||||||
|
#
|
||||||
|
# { address = "2001:41d0:0700:33ff::";
|
||||||
|
# prefixLength = 64;
|
||||||
|
# }
|
||||||
|
#];
|
||||||
|
|
||||||
{ address = "2001:41d0:0700:33ff::";
|
#defaultGateway6 = {
|
||||||
prefixLength = 64;
|
# address = "2001:41d0:0700:33ff:00ff:00ff:00ff:00ff";
|
||||||
}
|
# address = "33ff::1";
|
||||||
];
|
# address = "2001::1";
|
||||||
|
# interface = "eno1";
|
||||||
defaultGateway6 = {
|
#};
|
||||||
address = "2001:41d0:0700:33ff:00ff:00ff:00ff:00ff";
|
|
||||||
# address = "33ff::1";
|
|
||||||
# address = "2001::1";
|
|
||||||
interface = "eno1";
|
|
||||||
};
|
|
||||||
|
|
||||||
firewall.allowPing = true;
|
firewall.allowPing = true;
|
||||||
# minecraft proximity voice chat
|
# minecraft proximity voice chat
|
||||||
|
|
|
@ -22,6 +22,15 @@
|
||||||
nix.settings.cores = 3;
|
nix.settings.cores = 3;
|
||||||
nix.settings.max-jobs = 6;
|
nix.settings.max-jobs = 6;
|
||||||
|
|
||||||
|
# disabling this is what's considered a "Bad Idea"
|
||||||
|
# however it is required by packages/ghost.nix, which
|
||||||
|
# is borrowed from https://notes.abhinavsarkar.net/2022/ghost-on-nixos
|
||||||
|
#
|
||||||
|
# i don't know of a cleaner way to do this, and i
|
||||||
|
# don't want to deal with ghost any longer than i
|
||||||
|
# already have, so This Will Do
|
||||||
|
nix.settings.sandbox = false;
|
||||||
|
|
||||||
modules.hardware.fs = {
|
modules.hardware.fs = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ssd.enable = true;
|
ssd.enable = true;
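Review bot: `nix.settings.sandbox = false;` at the end of the hunk disables the build sandbox for every derivation evaluated on this host, not only the Ghost package the comment justifies it with, so any build (including ones pulled in through flake inputs) runs with network and filesystem access as the build user. Nix has a narrower form for exactly this case: `nix.settings.sandbox = "relaxed";` here, and `__noChroot = true;` in the one derivation that needs it (packages/ghost.nix), which keeps the sandbox on for everything else. The comment block above the setting should also name that derivation explicitly so the exception can be tracked and removed later, e.g. `# TODO: drop once packages/ghost.nix no longer needs network access at build time`. The enclosing attribute set starts and ends outside the hunk.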
|
||||||
|
|
|
@ -88,16 +88,24 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
isso = {
|
|
||||||
enable = true;
|
|
||||||
port = 1995;
|
|
||||||
};
|
|
||||||
|
|
||||||
code-server = {
|
code-server = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "dev-firepit.oat.zone";
|
domain = "dev-firepit.oat.zone";
|
||||||
port = 4444;
|
port = 4444;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ghost = {
|
||||||
|
enable = true;
|
||||||
|
domain = "blog.oat.zone";
|
||||||
|
port = 1357;
|
||||||
|
};
|
||||||
|
|
||||||
|
isso = {
|
||||||
|
enable = true;
|
||||||
|
port = 1995;
|
||||||
|
domain = "comments.oat.zone";
|
||||||
|
target = "blog.oat.zone";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -26,8 +26,8 @@ in {
|
||||||
port = cfg.port;
|
port = cfg.port;
|
||||||
# temporary
|
# temporary
|
||||||
auth = "password";
|
auth = "password";
|
||||||
# temporary; be sure to remove trailing newline
|
# temporary
|
||||||
hashedPassword = builtins.readFile /etc/code-server-password;
|
hashedPassword = removeSuffix "\n" (builtins.readFile /etc/code-server-password);
|
||||||
|
|
||||||
extraPackages = with pkgs; [ git nix nixpkgs-fmt ];
|
extraPackages = with pkgs; [ git nix nixpkgs-fmt ];
|
||||||
};
|
};
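Review bot: `hashedPassword = removeSuffix "\n" (builtins.readFile /etc/code-server-password);` reads the secret at evaluation time, so the hash is copied into the generated configuration in the Nix store, which is world-readable on the host; stripping the newline fixes the login but not that exposure. If the code-server module offers a file-based option, or the unit can receive the file through systemd `LoadCredential`, reading it at runtime would keep the hash out of the store — I have not verified which options this module version exposes. The `# temporary` comment would carry more information as `# TODO: read the password file at runtime instead of eval time (copies into /nix/store)`. The enclosing attribute set starts and ends outside the hunk.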
|
||||||
|
|
|
@ -0,0 +1,158 @@
|
||||||
|
{ pkgs, lib, config, options, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
let
|
||||||
|
cfg = config.modules.services.ghost;
|
||||||
|
# user used to run the Ghost service
|
||||||
|
userName = builtins.replaceStrings [ "." ] [ "_" ] cfg.domain;
|
||||||
|
in {
|
||||||
|
options.modules.services.ghost = {
|
||||||
|
enable = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
package = mkOption {
|
||||||
|
type = types.package;
|
||||||
|
default = pkgs._.ghost;
|
||||||
|
};
|
||||||
|
domain = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "blog.oat.zone";
|
||||||
|
};
|
||||||
|
port = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
default = 1357;
|
||||||
|
};
|
||||||
|
dataDir = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "/var/lib/${userName}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = let
|
||||||
|
# directory used to save the blog content
|
||||||
|
dataDir = cfg.dataDir;
|
||||||
|
# script that sets up the Ghost content directory
|
||||||
|
setupScript = pkgs.writeScript "${cfg.domain}-setup.sh" ''
|
||||||
|
#! ${pkgs.stdenv.shell} -e
|
||||||
|
chmod g+s "${dataDir}"
|
||||||
|
[[ ! -d "${dataDir}/content" ]] && cp -r "${cfg.package}/content" "${dataDir}/content"
|
||||||
|
chown -R "${userName}":"${userName}" "${dataDir}/content"
|
||||||
|
chmod -R +w "${dataDir}/content"
|
||||||
|
ln -f -s "/etc/${cfg.domain}.json" "${dataDir}/config.production.json"
|
||||||
|
[[ -d "${dataDir}/current" ]] && rm "${dataDir}/current"
|
||||||
|
ln -f -s "${cfg.package}/current" "${dataDir}/current"
|
||||||
|
[[ -d "${dataDir}/content/themes/casper" ]] && rm "${dataDir}/content/themes/casper"
|
||||||
|
ln -f -s "${cfg.package}/current/content/themes/casper" "${dataDir}/content/themes/casper"
|
||||||
|
'';
|
||||||
|
in lib.mkIf cfg.enable {
|
||||||
|
# Creates the user and group
|
||||||
|
users.users.${userName} = {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = userName;
|
||||||
|
createHome = true;
|
||||||
|
home = dataDir;
|
||||||
|
};
|
||||||
|
users.groups.${userName} = { };
|
||||||
|
|
||||||
|
# Creates the Ghost config
|
||||||
|
environment.etc."${cfg.domain}.json".text = ''
|
||||||
|
{
|
||||||
|
"url": "https://${cfg.domain}",
|
||||||
|
"server": {
|
||||||
|
"port": ${toString cfg.port},
|
||||||
|
"host": "0.0.0.0"
|
||||||
|
},
|
||||||
|
"database": {
|
||||||
|
"client": "mysql",
|
||||||
|
"connection": {
|
||||||
|
"host": "localhost",
|
||||||
|
"user": "${userName}",
|
||||||
|
"database": "${userName}",
|
||||||
|
"password": "",
|
||||||
|
"socketPath": "/run/mysqld/mysqld.sock"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"mail": {
|
||||||
|
"transport": "sendmail"
|
||||||
|
},
|
||||||
|
"logging": {
|
||||||
|
"transports": ["stdout"]
|
||||||
|
},
|
||||||
|
"paths": {
|
||||||
|
"contentPath": "${dataDir}/content"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
|
# Sets up the Systemd service
|
||||||
|
systemd.services."${cfg.domain}" = {
|
||||||
|
enable = true;
|
||||||
|
description = "${cfg.domain} ghost blog";
|
||||||
|
restartIfChanged = true;
|
||||||
|
restartTriggers =
|
||||||
|
[ cfg.package config.environment.etc."${cfg.domain}.json".source ];
|
||||||
|
requires = [ "mysql.service" ];
|
||||||
|
after = [ "mysql.service" ];
|
||||||
|
path = [ pkgs.nodejs pkgs.vips ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
User = userName;
|
||||||
|
Group = userName;
|
||||||
|
WorkingDirectory = dataDir;
|
||||||
|
# Executes the setup script before start
|
||||||
|
ExecStartPre = setupScript;
|
||||||
|
# Runs Ghost with node
|
||||||
|
ExecStart = "${pkgs.nodejs}/bin/node current/index.js";
|
||||||
|
# Sandboxes the Systemd service
|
||||||
|
AmbientCapabilities = [ ];
|
||||||
|
CapabilityBoundingSet = [ ];
|
||||||
|
KeyringMode = "private";
|
||||||
|
LockPersonality = true;
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectSystem = "full";
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictAddressFamilies = [ ];
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
};
|
||||||
|
environment = { NODE_ENV = "production"; };
|
||||||
|
};
|
||||||
|
|
||||||
|
# Sets up the blog virtual host on NGINX
|
||||||
|
services.nginx.virtualHosts.${cfg.domain} = {
|
||||||
|
# Sets up Lets Encrypt SSL certificates for the blog
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; };
|
||||||
|
extraConfig = ''
|
||||||
|
charset UTF-8;
|
||||||
|
|
||||||
|
add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always;
|
||||||
|
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# Sets up MySQL database and user for Ghost
|
||||||
|
services.mysql = {
|
||||||
|
ensureDatabases = [ userName ];
|
||||||
|
ensureUsers = [{
|
||||||
|
name = userName;
|
||||||
|
ensurePermissions = { "${userName}.*" = "ALL PRIVILEGES"; };
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
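Review bot: Ghost is configured with `"host": "0.0.0.0"` in the generated `${cfg.domain}.json`, while nginx proxies to `http://127.0.0.1:${toString cfg.port}`, so the blog is also reachable directly on that port without TLS or the headers nginx adds; `"host": "127.0.0.1"` matches the proxy and closes that second path. In the hardening block, `CapabilityBoundingSet = [ ]` and `RestrictAddressFamilies = [ ]` are meant to lock things down, but if I read the NixOS unit serialization correctly an empty list emits no directive at all, so the bounding set is not cleared and address families are not restricted. `CapabilityBoundingSet = "";` renders the empty assignment that actually drops all capabilities, and `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` covers the HTTP listener and the MySQL socket this config uses. The setup script also runs `chmod -R +w "${dataDir}/content"` on every start, which is broader than the preceding `chown -R` needs; limiting it to the paths Ghost actually writes would keep the theme symlink tree read-only.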
|
|
@ -13,10 +13,18 @@ in {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "comments.oat.zone";
|
default = "comments.oat.zone";
|
||||||
};
|
};
|
||||||
|
target = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "blog.oat.zone";
|
||||||
|
};
|
||||||
port = mkOption {
|
port = mkOption {
|
||||||
type = types.port;
|
type = types.port;
|
||||||
default = 1550;
|
default = 1550;
|
||||||
};
|
};
|
||||||
|
dataDir = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "/var/lib/isso";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
@ -25,13 +33,14 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
general = {
|
general = {
|
||||||
host = "https://blog.oat.zone/";
|
dbpath = "${cfg.dataDir}/comments.db";
|
||||||
|
host = "https://${cfg.target}";
|
||||||
latest-enabled = true;
|
latest-enabled = true;
|
||||||
};
|
};
|
||||||
server = {
|
server = {
|
||||||
listen = "http://localhost:${toString cfg.port}";
|
listen = "http://localhost:${toString cfg.port}";
|
||||||
samesite = "Lax";
|
samesite = "Lax";
|
||||||
public-endpoint = "https://comments.oat.zone";
|
public-endpoint = "https://${cfg.domain}";
|
||||||
};
|
};
|
||||||
guard = {
|
guard = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
|
@ -40,7 +49,7 @@ in {
|
||||||
};
|
};
|
||||||
admin = {
|
admin = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
password = "a8UYAH7jQQC3LjnG";
|
password = removeSuffix "\n" (builtins.readFile /etc/isso_admin_pass);
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -59,5 +68,15 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services.isso.serviceConfig = {
|
||||||
|
preStart = ''
|
||||||
|
umask u=rwx,g=rwx,o=rx
|
||||||
|
mkdir -p ${cfg.dataDir}
|
||||||
|
cd ${cfg.dataDir}
|
||||||
|
${pkgs.coreutils}/bin/chown -R isso:isso .
|
||||||
|
${pkgs.coreutils}/bin/chmod -R 775 .
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
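Review bot: `password = removeSuffix "\n" (builtins.readFile /etc/isso_admin_pass);` removes the literal admin password from the repository, but `builtins.readFile` still embeds the plaintext value in the generated isso configuration in the world-readable Nix store, so the secret is moved rather than protected; the literal it replaces also remains in git history and should be treated as exposed and rotated. A runtime mechanism (a systemd credential, or a config fragment loaded from outside the store) would keep it out of the store, if the NixOS isso module exposes one. In the last hunk `preStart` is nested under `systemd.services.isso.serviceConfig`, where systemd sees an unknown unit directive and ignores it with a warning rather than running a pre-start script; it belongs at `systemd.services.isso.preStart = ''…'';`, and as written `${cfg.dataDir}` is never created by this code. That script also ends with `chmod -R 775 .`, leaving the comments database group-writable; `chmod -R 750 .` is sufficient for a single-user service.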
|
||||||
|
|
|
@ -11,7 +11,6 @@ in {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
};
|
};
|
||||||
package = pkgs.unstable.nitter;
|
|
||||||
domain = mkOption {
|
domain = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "nitter.oat.zone";
|
default = "nitter.oat.zone";
|
||||||
|
@ -34,6 +33,7 @@ in {
|
||||||
services = {
|
services = {
|
||||||
nitter = {
|
nitter = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
package = pkgs.unstable.nitter;
|
||||||
server = {
|
server = {
|
||||||
address = "127.0.0.1";
|
address = "127.0.0.1";
|
||||||
port = cfg.port;
|
port = cfg.port;
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
source "$stdenv"/setup
|
||||||
|
|
||||||
|
export HOME=$(mktemp -d)
|
||||||
|
|
||||||
|
npm install --loglevel=info --logs-max=0 "ghost-cli@$ghostCliVersion"
|
||||||
|
|
||||||
|
mkdir --parents "$out"/
|
||||||
|
node_modules/ghost-cli/bin/ghost install "$version" --db=sqlite3 \
|
||||||
|
--no-enable --no-prompt --no-stack --no-setup --no-start --dir "$out"
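Review bot: `npm install ... "ghost-cli@$ghostCliVersion"` and `ghost install "$version"` fetch code from the network at build time with nothing but version strings pinning it — no lockfile here and no `outputHash` on the derivation in packages/ghost.nix in the next section — so whatever the registry serves for those versions lands in the store unchecked, and the build only works because the host sandbox is turned off. Turning the fetch into a fixed-output derivation (`outputHash`, `outputHashAlgo = "sha256"`, `outputHashMode = "recursive"` in packages/ghost.nix) restores the sandbox for the rest of the build and makes a changed upstream artifact fail loudly instead of installing; the hash would be a placeholder to fill in on first build, e.g. `outputHash = "<sha256-to-fill>";`. Where the install tolerates it, `npm install --ignore-scripts` keeps transitive dependencies' install-time lifecycle scripts from running inside a build that currently has full network access.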
|
|
@ -0,0 +1,11 @@
|
||||||
|
{ pkgs }:
|
||||||
|
|
||||||
|
let
|
||||||
|
pname = "ghost";
|
||||||
|
version = "5.33.2";
|
||||||
|
in pkgs.stdenv.mkDerivation {
|
||||||
|
inherit pname version;
|
||||||
|
buildInputs = with pkgs; [ nodejs yarn vips ];
|
||||||
|
ghostCliVersion = "1.24.0";
|
||||||
|
builder = ./builder.sh;
|
||||||
|
}
|