Added www configuration

aftix · May 12, 2024 · 556f463 · 556f463
1 parent 12679a5
commit 556f463
Show file tree

Hide file tree

Showing 15 changed files with 537 additions and 189 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -8,7 +8,7 @@ on:
 jobs:
   deploy-fermi:
     name: Deploy fermi NixOS server
-    runs-on: ubuntu-lastest
+    runs-on: ubuntu-latest
     if: ${{ github.ref == 'refs/head/main' }}
     concurrency:
       group: deploy-fermi-${{ github.ref }}

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -8,7 +8,7 @@ on:
 jobs:
   check:
     name: check nix flake
-    runs-on: ubuntu-lastest
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main

diff --git a/.sops.yaml b/.sops.yaml
@@ -10,11 +10,11 @@ creation_rules:
     - age:
       - *aftix
       - *hamilton
-  - path_regex: home/.+secrets.yaml$
+  - path_regex: home/.*secrets\.yaml$
     key_groups:
     - age:
       - *fermi
-  - path_regex: host/srv_secrets.yaml$
+  - path_regex: srv_secrets\.yaml$
     key_groups:
     - age:
       - *fermi
diff --git a/home/aftix-minimal.nix b/home/aftix-minimal.nix
@@ -1,4 +1,4 @@
-_: {
+{lib, ...}: {
   imports = [
     ./common
 
@@ -7,6 +7,7 @@ _: {
     ./opt/development.nix
     ./opt/helix.nix
     ./opt/neoutils.nix
+    ./opt/stylix.nix
   ];
 
   home = {
@@ -15,6 +16,8 @@ _: {
     stateVersion = "23.11"; # DO NOT CHANGE
   };
 
+  xdg.userDirs.createDirectories = lib.mkForce false;
+
   my = {
     shell.elvish.enable = false;
     docs = {

diff --git a/home/common/xdg.nix b/home/common/xdg.nix
@@ -19,7 +19,7 @@ in {
 
     userDirs = {
       enable = hasSuffix "-linux" pkgs.system;
-      createDirectories = true;
+      createDirectories = mkDefault true;
 
       desktop = mkDefault null;
       templates = mkDefault null;

diff --git a/home/opt/development.nix b/home/opt/development.nix
@@ -30,6 +30,7 @@ in {
           gnupatch
           gnumake
           gawk
+          just
         ]
         ++ optionals cfg.nix
         [statix alejandra]

diff --git a/home/opt/kitty.nix b/home/opt/kitty.nix
@@ -459,7 +459,14 @@
 
   inherit (config.my.lib) paragraph example mergeTaggedAttrs mergeSubsections;
 in {
-  home.packages = with pkgs; [kitty-img kitty-themes];
+  home = {
+    packages = with pkgs; [kitty-img kitty-themes];
+
+    sessionVariables = rec {
+      TERM = "kitty";
+      TERMINAL = TERM;
+    };
+  };
 
   my.docs.pages.kitty = {
     _docsName = "kitty \\- The fast, feature rich terminal emulator";

diff --git a/home/secrets.yaml b/home/secrets.yaml
diff --git a/host/common/default.nix b/host/common/default.nix
@@ -109,7 +109,13 @@ in {
     };
 
     users.mutableUsers = false;
-    i18n.defaultLocale = "en_US.UTF-8";
+    i18n = rec {
+      defaultLocale = "en_US.UTF-8";
+      extraLocaleSettings = {
+        LC_ALL = "C.UTF-8";
+        LANGUAGE = defaultLocale;
+      };
+    };
     console.font = "Lat2-Terminus16";
   };
 }
diff --git a/host/fermi.nix b/host/fermi.nix
@@ -9,6 +9,7 @@ in {
     ./opt/clamav.nix
     ./opt/docker.nix
     ./opt/openssh.nix
+    ./opt/www
   ];
 
   sops = {
@@ -20,6 +21,13 @@ in {
     flake = "/home/aftix/cfg";
 
     users.aftix.extraGroups = [];
+
+    www = {
+      adventofcode = true;
+      aftgraphs = true;
+      blog = true;
+      searx.enable = true;
+    };
   };
 
   security.sudo.extraRules = [
@@ -70,7 +78,11 @@ in {
     groups.docker = {};
   };
 
+  programs.dconf.enable = true;
+
   networking = {
+    hostName = "fermi";
+
     dhcpcd = {
       IPv6rs = true;
       persistent = true;

diff --git a/host/opt/www/blog.nix b/host/opt/www/blog.nix
@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+  inherit (lib.options) mkEnableOption;
+  inherit (lib.lists) optional;
+  cfg = config.my.www;
+in {
+  options.my.www = {
+    adventofcode = mkEnableOption "adventofcode";
+    aftgraphs = mkEnableOption "aftgraphs";
+    blog = mkEnableOption "blog";
+  };
+
+  config = mkIf cfg.blog {
+    systemd.tmpfiles.rules =
+      [
+        "d ${cfg.root}/${cfg.hostname} 0775 ${cfg.user} ${cfg.group} -"
+      ]
+      ++ optional cfg.adventofcode "d ${cfg.root}/advent2023 0775 ${cfg.user} ${cfg.group} -"
+      ++ optional cfg.aftgraphs "d ${cfg.root}/simulations 0775 ${cfg.user} ${cfg.group} -";
+
+    services.nginx.virtualHosts.${cfg.hostname} = {
+      root = "${cfg.root}/${cfg.hostname}";
+      serverName = "${cfg.hostname} www.${cfg.hostname}";
+      kTLS = true;
+      forceSSL = true;
+      useACMEHost = cfg.hostname;
+
+      locations =
+        {
+          "/".tryFiles = "$uri $uri/ =404";
+
+          "/searx/${cfg.searx.subdomain}".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/static/?$args";
+          "/searx".return = mkIf cfg.searx.enable "https://${cfg.searx.subdomain}.${cfg.hostname}/?$args";
+
+          "/advent2023/" = mkIf cfg.adventofcode {
+            alias = "${cfg.root}/advent2023/";
+            extraConfig = ''
+              fancyindex on;
+              fancyindex_exact_size off;
+              fancyindex_localtime on;
+            '';
+          };
+
+          "/aftgraphs/" = mkIf cfg.aftgraphs {
+            alias = "${cfg.root}/simulations/";
+            extraConfig = ''
+              fancyindex on;
+              fancyindex_exact_size off;
+              fancyindex_localtime on;
+              add_header "Cross-Origin-Opener-Policy" "same-origin";
+              add_header "Cross-Origin-Embedder-Policy" "require-corp";
+            '';
+          };
+        }
+        // cfg.acme-location-block;
+    };
+  };
+}
diff --git a/host/opt/www/default.nix b/host/opt/www/default.nix
@@ -0,0 +1,92 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib.options) mkOption;
+  cfg = config.my.www;
+in {
+  imports = [
+    ./blog.nix
+    ./searx.nix
+  ];
+
+  options.my.www = {
+    hostname = mkOption {
+      default = "aftix.xyz";
+      type = lib.types.str;
+    };
+
+    root = mkOption {
+      default = "/srv";
+      type = lib.types.str;
+    };
+
+    user = mkOption {
+      default = "www";
+      type = lib.types.str;
+    };
+
+    group = mkOption {
+      default = "www";
+      type = lib.types.str;
+    };
+
+    acme-location-block = mkOption {
+      default = {
+        "^~ /.well-known/acme-challenge".extraConfig = ''
+          location ^~ /.well-known/acme-challenge/ {
+            default_type "text/plain";
+            root ${cfg.root}/acme;
+          }
+        '';
+      };
+      readOnly = true;
+    };
+  };
+
+  config = {
+    users = {
+      users.${cfg.user} = {
+        inherit (cfg) group;
+        password = "";
+        shell = "/run/current-system/sw/bin/nologin";
+        isSystemUser = true;
+      };
+
+      groups.${cfg.group} = {};
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [80 443];
+      allowedUDPPorts = [80 443];
+    };
+
+    services.nginx = {
+      inherit (cfg) user group;
+      enable = true;
+      enableReload = true;
+
+      additionalModules = with pkgs.nginxModules; [fancyindex];
+    };
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.root} 0775 ${cfg.user} ${cfg.group} -"
+      "d ${cfg.root}/acme 0775 ${cfg.user} ${cfg.group} -"
+    ];
+
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "[email protected]";
+        webroot = cfg.root + "/acme";
+      };
+
+      certs.${cfg.hostname} = {
+        inherit (cfg) group;
+        extraDomainNames = ["www.${cfg.hostname}"];
+      };
+    };
+  };
+}