

6 Commits

Author SHA1 Message Date
Jill ce57ed6732 isso: fix; now it works :) 2023-02-01 02:41:42 +01:00
Jill ce5607c49e temporarily disable ipv6 2023-02-01 02:14:41 +01:00
Jill 4e92a5eae8 ghost: init 2023-02-01 02:14:27 +01:00
Jill 639d9a864d isso: temporarily disable; will fix later 2023-01-26 12:08:48 +01:00
Jill 213f11c31c update flake 2023-01-22 08:32:51 +01:00
Jill b16a1a7a19 actually switch nitter to unstable 2023-01-22 08:30:45 +01:00
10 changed files with 262 additions and 44 deletions


@ -28,11 +28,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1674151952, "lastModified": 1674359560,
"narHash": "sha256-c0dwSGWi8LH2uBsv7ZJK11To1w8oFjTs+d2dtiusGug=", "narHash": "sha256-gobqd75ujP/zFH6kSZNB3bA3YS4NMXWpZgMo1RAFEdk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "fa7dedfa5e1171a76ff78a1260064e1b20ec93bb", "rev": "184ae9c371a6251564e0b07391f7e9aaf310f002",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -147,11 +147,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1674143063, "lastModified": 1674296335,
"narHash": "sha256-CfP6ZYjxLeC1Q6W4f+RCd2sokIX8RnyTA8wYzYmx9XE=", "narHash": "sha256-jUvjOqKGuEk1XfZNPXU3hcPtIJKkSNzwUm5yN1EFYZA=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "Hyprland", "repo": "Hyprland",
"rev": "5112056fdbda989191310364444f328240bbf6f1", "rev": "fcbfd193930dd146b141531a9cf5301d55f26907",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -227,8 +227,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1669389833, "lastModified": 1674248483,
"narHash": "sha256-khId6aJCxyeR6jWNNywAqJ+eEoZXSZciH8kkSYG5Jf8=", "narHash": "sha256-2kjUS6LPN7bmxKsUrUwLwuzpF4IxxBweiO+8G1PKGKc=",
"ref": "refs/heads/main",
"rev": "a97f774ce46dcef5dd36b1f3fbf2711ceba24d6b",
"revCount": 29,
"type": "git", "type": "git",
"url": "file:///home/oatmealine/jillo" "url": "file:///home/oatmealine/jillo"
}, },
@ -266,11 +269,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1674092998, "lastModified": 1674352074,
"narHash": "sha256-NYB/PjEJ9W9VDVWScVFqooK20gDsNyPhCqQIP1Nn+AU=", "narHash": "sha256-IQxf+CCjuETu6psq6F9gxPBISf2RLwGL0MmlCgY1aX0=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "a55757a572e115459bbad449d2fde514d11a76e1", "rev": "acfd27fd83e9c3d56e649b98aef17974f29e7830",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -312,11 +315,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1673796341, "lastModified": 1674211260,
"narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=", "narHash": "sha256-xU6Rv9sgnwaWK7tgCPadV6HhI2Y/fl4lKxJoG2+m9qs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6dccdc458512abce8d19f74195bb20fdb067df50", "rev": "5ed481943351e9fd354aeb557679624224de38d5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -343,11 +346,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1673796341, "lastModified": 1674211260,
"narHash": "sha256-1kZi9OkukpNmOaPY7S5/+SlCDOuYnP3HkXHvNDyLQcc=", "narHash": "sha256-xU6Rv9sgnwaWK7tgCPadV6HhI2Y/fl4lKxJoG2+m9qs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6dccdc458512abce8d19f74195bb20fdb067df50", "rev": "5ed481943351e9fd354aeb557679624224de38d5",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -183,7 +183,8 @@ in {
# for docs, start here # for docs, start here
# https://nixos.org/manual/nixos/stable/options.html#opt-networking.enableB43Firmware # https://nixos.org/manual/nixos/stable/options.html#opt-networking.enableB43Firmware
enableIPv6 = true; # true by default, but better safe than sorry # temporarily disabled
enableIPv6 = false;
interfaces.eno1.ipv4.addresses = [ interfaces.eno1.ipv4.addresses = [
{ address = "51.89.98.8"; { address = "51.89.98.8";
@ -194,22 +195,22 @@ in {
defaultGateway = "51.89.98.254"; defaultGateway = "51.89.98.254";
nameservers = [ "8.8.8.8" "1.1.1.1" ]; nameservers = [ "8.8.8.8" "1.1.1.1" ];
interfaces.eno1.ipv6.addresses = [ #interfaces.eno1.ipv6.addresses = [
{ address = "2001:41d0:0700:3308::"; # { address = "2001:41d0:0700:3308::";
prefixLength = 64; # prefixLength = 64;
} # }
#
# { address = "2001:41d0:0700:33ff::";
# prefixLength = 64;
# }
#];
{ address = "2001:41d0:0700:33ff::"; #defaultGateway6 = {
prefixLength = 64; # address = "2001:41d0:0700:33ff:00ff:00ff:00ff:00ff";
} # address = "33ff::1";
]; # address = "2001::1";
# interface = "eno1";
defaultGateway6 = { #};
address = "2001:41d0:0700:33ff:00ff:00ff:00ff:00ff";
# address = "33ff::1";
# address = "2001::1";
interface = "eno1";
};
firewall.allowPing = true; firewall.allowPing = true;
# minecraft proximity voice chat # minecraft proximity voice chat
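Review bot: The `# temporarily disabled` comment next to `enableIPv6 = false;` in the first hunk records neither why IPv6 was turned off nor what has to be true before it comes back, and the second hunk comments out the addresses and `defaultGateway6` with no marker linking the two. A comment such as `# temporarily disabled: <reason>; re-enable together with the ipv6 addresses and defaultGateway6 block below` on the first hunk would let the next reader revert both halves together. The enclosing `networking` attribute set starts and ends outside these hunks.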


@ -22,6 +22,15 @@
nix.settings.cores = 3; nix.settings.cores = 3;
nix.settings.max-jobs = 6; nix.settings.max-jobs = 6;
# disabling this is what's considered a "Bad Idea"
# however it is required by packages/ghost.nix, which
# is borrowed from https://notes.abhinavsarkar.net/2022/ghost-on-nixos
#
# i don't know of a cleaner way to do this, and i
# don't want to deal with ghost any longer than i
# already have, so This Will Do
nix.settings.sandbox = false;
modules.hardware.fs = { modules.hardware.fs = {
enable = true; enable = true;
ssd.enable = true; ssd.enable = true;
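Review bot: `nix.settings.sandbox = false;` turns the build sandbox off for every derivation built on this host, not only the Ghost package that the comment above it says needs it. The narrower form is `nix.settings.sandbox = "relaxed";` here together with `__noChroot = true;` in packages/ghost.nix, which lets only that one derivation out of the sandbox while every other build stays isolated. If the build-time npm fetch in builder.sh is later moved into a fixed-output derivation, the exception can be dropped entirely. The enclosing attribute set continues outside the hunk.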


@ -88,16 +88,24 @@ in {
enable = true; enable = true;
}; };
isso = {
enable = true;
port = 1995;
};
code-server = { code-server = {
enable = true; enable = true;
domain = "dev-firepit.oat.zone"; domain = "dev-firepit.oat.zone";
port = 4444; port = 4444;
}; };
ghost = {
enable = true;
domain = "blog.oat.zone";
port = 1357;
};
isso = {
enable = true;
port = 1995;
domain = "comments.oat.zone";
target = "blog.oat.zone";
};
}; };
}; };


@ -26,8 +26,8 @@ in {
port = cfg.port; port = cfg.port;
# temporary # temporary
auth = "password"; auth = "password";
# temporary; be sure to remove trailing newline # temporary
hashedPassword = builtins.readFile /etc/code-server-password; hashedPassword = removeSuffix "\n" (builtins.readFile /etc/code-server-password);
extraPackages = with pkgs; [ git nix nixpkgs-fmt ]; extraPackages = with pkgs; [ git nix nixpkgs-fmt ];
}; };
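Review bot: `removeSuffix "\n" (builtins.readFile /etc/code-server-password)` reads the file at evaluation time, so its contents are copied into the Nix store as part of the generated configuration, where any local user can read them. For this hunk the file is meant to hold a hash, so the exposure is limited, but the same pattern is used in the isso hunk (`removeSuffix "\n" (builtins.readFile /etc/isso_admin_pass)`) for a plaintext admin password. Keeping secrets out of evaluation means having the service read the file at runtime (for example through an environment file or a systemd credential) instead of importing it into the derivation. The enclosing `services.code-server` block starts outside the hunk, so I cannot see whether `removeSuffix` is in scope via `with lib;`.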

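--- a/modules/services/ghost.nix
+++ b/modules/services/ghost.nix
@@ -0,0 +1,158 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+let
+cfg = config.modules.services.ghost;
+# user used to run the Ghost service
+userName = builtins.replaceStrings [ "." ] [ "_" ] cfg.domain;
+in {
+options.modules.services.ghost = {
+enable = mkOption {
+type = types.bool;
+default = false;
+};
+package = mkOption {
+type = types.package;
+default = pkgs._.ghost;
+};
+domain = mkOption {
+type = types.str;
+default = "blog.oat.zone";
+};
+port = mkOption {
+type = types.int;
+default = 1357;
+};
+dataDir = mkOption {
+type = types.str;
+default = "/var/lib/${userName}";
+};
+};
+config = let
+# directory used to save the blog content
+dataDir = cfg.dataDir;
+# script that sets up the Ghost content directory
+setupScript = pkgs.writeScript "${cfg.domain}-setup.sh" ''
+#! ${pkgs.stdenv.shell} -e
+chmod g+s "${dataDir}"
+[[ ! -d "${dataDir}/content" ]] && cp -r "${cfg.package}/content" "${dataDir}/content"
+chown -R "${userName}":"${userName}" "${dataDir}/content"
+chmod -R +w "${dataDir}/content"
+ln -f -s "/etc/${cfg.domain}.json" "${dataDir}/config.production.json"
+[[ -d "${dataDir}/current" ]] && rm "${dataDir}/current"
+ln -f -s "${cfg.package}/current" "${dataDir}/current"
+[[ -d "${dataDir}/content/themes/casper" ]] && rm "${dataDir}/content/themes/casper"
+ln -f -s "${cfg.package}/current/content/themes/casper" "${dataDir}/content/themes/casper"
+'';
+in lib.mkIf cfg.enable {
+# Creates the user and group
+users.users.${userName} = {
+isSystemUser = true;
+group = userName;
+createHome = true;
+home = dataDir;
+};
+users.groups.${userName} = { };
+# Creates the Ghost config
+environment.etc."${cfg.domain}.json".text = ''
+{
+"url": "https://${cfg.domain}",
+"server": {
+"port": ${toString cfg.port},
+"host": "0.0.0.0"
+},
+"database": {
+"client": "mysql",
+"connection": {
+"host": "localhost",
+"user": "${userName}",
+"database": "${userName}",
+"password": "",
+"socketPath": "/run/mysqld/mysqld.sock"
+}
+},
+"mail": {
+"transport": "sendmail"
+},
+"logging": {
+"transports": ["stdout"]
+},
+"paths": {
+"contentPath": "${dataDir}/content"
+}
+}
+'';
+# Sets up the Systemd service
+systemd.services."${cfg.domain}" = {
+enable = true;
+description = "${cfg.domain} ghost blog";
+restartIfChanged = true;
+restartTriggers =
+[ cfg.package config.environment.etc."${cfg.domain}.json".source ];
+requires = [ "mysql.service" ];
+after = [ "mysql.service" ];
+path = [ pkgs.nodejs pkgs.vips ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+User = userName;
+Group = userName;
+WorkingDirectory = dataDir;
+# Executes the setup script before start
+ExecStartPre = setupScript;
+# Runs Ghost with node
+ExecStart = "${pkgs.nodejs}/bin/node current/index.js";
+# Sandboxes the Systemd service
+AmbientCapabilities = [ ];
+CapabilityBoundingSet = [ ];
+KeyringMode = "private";
+LockPersonality = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateMounts = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "full";
+RemoveIPC = true;
+RestrictAddressFamilies = [ ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+};
+environment = { NODE_ENV = "production"; };
+};
+# Sets up the blog virtual host on NGINX
+services.nginx.virtualHosts.${cfg.domain} = {
+# Sets up Lets Encrypt SSL certificates for the blog
+forceSSL = true;
+enableACME = true;
+locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; };
+extraConfig = ''
+charset UTF-8;
+add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin";
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options nosniff;
+'';
+};
+# Sets up MySQL database and user for Ghost
+services.mysql = {
+ensureDatabases = [ userName ];
+ensureUsers = [{
+name = userName;
+ensurePermissions = { "${userName}.*" = "ALL PRIVILEGES"; };
+}];
+};
+};
+}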
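Review bot: The generated Ghost config sets `"host": "0.0.0.0"`, so Ghost listens on every interface, while the nginx location only proxies to `127.0.0.1`; unless the host firewall closes `cfg.port`, the upstream is reachable directly without TLS or the headers added in `extraConfig`, and `"host": "127.0.0.1"` would match the proxy. `RestrictAddressFamilies = [ ];` sits under the "Sandboxes the Systemd service" comment but, as far as I can tell from how NixOS renders list-valued serviceConfig entries, an empty list emits nothing and restricts no address family at all; since the service needs a TCP listener and the MySQL unix socket, `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` would express the intent. Separately, `port` is declared with `types.int` here whereas the isso module in this same commit uses `types.port` for the same kind of field.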


@ -13,10 +13,18 @@ in {
type = types.str; type = types.str;
default = "comments.oat.zone"; default = "comments.oat.zone";
}; };
target = mkOption {
type = types.str;
default = "blog.oat.zone";
};
port = mkOption { port = mkOption {
type = types.port; type = types.port;
default = 1550; default = 1550;
}; };
dataDir = mkOption {
type = types.str;
default = "/var/lib/isso";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -25,13 +33,14 @@ in {
enable = true; enable = true;
settings = { settings = {
general = { general = {
host = "https://blog.oat.zone/"; dbpath = "${cfg.dataDir}/comments.db";
host = "https://${cfg.target}";
latest-enabled = true; latest-enabled = true;
}; };
server = { server = {
listen = "http://localhost:${toString cfg.port}"; listen = "http://localhost:${toString cfg.port}";
samesite = "Lax"; samesite = "Lax";
public-endpoint = "https://comments.oat.zone"; public-endpoint = "https://${cfg.domain}";
}; };
guard = { guard = {
enabled = true; enabled = true;
@ -40,7 +49,7 @@ in {
}; };
admin = { admin = {
enabled = true; enabled = true;
password = "a8UYAH7jQQC3LjnG"; password = removeSuffix "\n" (builtins.readFile /etc/isso_admin_pass);
}; };
}; };
}; };
@ -59,5 +68,15 @@ in {
}; };
}; };
}; };
systemd.services.isso.serviceConfig = {
preStart = ''
umask u=rwx,g=rwx,o=rx
mkdir -p ${cfg.dataDir}
cd ${cfg.dataDir}
${pkgs.coreutils}/bin/chown -R isso:isso .
${pkgs.coreutils}/bin/chmod -R 775 .
'';
};
}; };
} }
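Review bot: The hardcoded `password = "...";` literal that the third hunk removes was committed in plaintext and stays in the repository history, so it should be rotated rather than only moved into /etc/isso_admin_pass. The replacement `removeSuffix "\n" (builtins.readFile /etc/isso_admin_pass)` still evaluates the secret into the generated isso configuration in the Nix store, which any local user can read; keeping it off the store would require isso to read the password at runtime. In the last hunk, `preStart` is nested under `serviceConfig`, where it is presumably emitted as an unknown [Service] key instead of being picked up as the NixOS `systemd.services.isso.preStart` option, so the mkdir/chown block likely never runs; note also that `${pkgs.coreutils}/bin/chown -R isso:isso .` only succeeds if the pre-start step runs as root. The enclosing module body starts outside these hunks.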


@ -11,7 +11,6 @@ in {
type = types.bool; type = types.bool;
default = false; default = false;
}; };
package = pkgs.unstable.nitter;
domain = mkOption { domain = mkOption {
type = types.str; type = types.str;
default = "nitter.oat.zone"; default = "nitter.oat.zone";
@ -34,6 +33,7 @@ in {
services = { services = {
nitter = { nitter = {
enable = true; enable = true;
package = pkgs.unstable.nitter;
server = { server = {
address = "127.0.0.1"; address = "127.0.0.1";
port = cfg.port; port = cfg.port;
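Review bot: The added `package = pkgs.unstable.nitter;` inside `services.nitter` hardcodes the package choice, whereas ghost.nix in the same commit exposes it as `package = mkOption { type = types.package; default = ...; };` under the module's options and passes `cfg.package` through. Declaring it the same way here (`package = mkOption { type = types.package; default = pkgs.unstable.nitter; };` next to `domain`, then `package = cfg.package;` in this hunk) keeps the two service modules consistent and restores the override point that the removed line in the first hunk appeared to be reaching for. The enclosing `services` block continues outside the hunk.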


@ -0,0 +1,9 @@
source "$stdenv"/setup
export HOME=$(mktemp -d)
npm install --loglevel=info --logs-max=0 "ghost-cli@$ghostCliVersion"
mkdir --parents "$out"/
node_modules/ghost-cli/bin/ghost install "$version" --db=sqlite3 \
--no-enable --no-prompt --no-stack --no-setup --no-start --dir "$out"


@ -0,0 +1,11 @@
{ pkgs }:
let
pname = "ghost";
version = "5.33.2";
in pkgs.stdenv.mkDerivation {
inherit pname version;
buildInputs = with pkgs; [ nodejs yarn vips ];
ghostCliVersion = "1.24.0";
builder = ./builder.sh;
}
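Review bot: The derivation declares no `outputHash`, yet builder.sh runs `npm install ... "ghost-cli@$ghostCliVersion"` and `ghost install "$version"` at build time, so nothing verifies what actually lands in `$out` and the build only succeeds because the sandbox is disabled host-wide in this commit. Making this a fixed-output derivation (`outputHashMode = "recursive"; outputHash = "<sha256 placeholder>";`) lets Nix check the fetched tree against a pinned hash and grants the network access inside the sandbox, assuming the npm install is reproducible enough to hash. Also, `nodejs yarn vips` are used by the builder rather than linked into the result, so `nativeBuildInputs = with pkgs; [ nodejs yarn vips ];` is the conventional attribute for them.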