
{
description = "The official website and link portal of RGBCube and his work.";
# Extra binary cache plus the public key whose signatures are trusted for it.
# Store paths signed by this key are substituted instead of built locally, so
# the key is part of the trust base of every consumer of this flake. Nix only
# applies these settings after the user accepts the flake's config.
nixConfig.extra-substituters = "https://cache.garnix.io/";
nixConfig.extra-trusted-public-keys = "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=";
# Flake inputs. Branch/tag references here are pinned to exact revisions by
# flake.lock (not shown); every non-nixpkgs input is told to follow the
# single nixpkgs so only one copy is evaluated.
inputs = {
  nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  tools = {
    url = "github:RGBCube/FlakeTools";
    inputs.nixpkgs.follows = "nixpkgs";
  };

  crane = {
    url = "github:ipetkov/crane";
    inputs.nixpkgs.follows = "nixpkgs";
  };

  fenix = {
    url = "github:nix-community/fenix";
    inputs.nixpkgs.follows = "nixpkgs";
    # Following "" drops fenix's rust-analyzer source input entirely.
    inputs.rust-analyzer-src.follows = "";
  };

  # Plain checkout (not a flake); consumed by the cargo-audit check.
  advisory-db = {
    url = "github:rustsec/advisory-db";
    flake = false;
  };
};
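# Per-system outputs (package, checks, dev shell) plus a NixOS module that
# runs the site as a hardened systemd service, optionally behind nginx.
outputs = { self, nixpkgs, tools, fenix, advisory-db, ... } @ inputs: tools.eachDefaultLinuxArch (system: let
  lib = nixpkgs.lib;

  toolchain = fenix.packages.${system}.complete.withComponents [
    "cargo"
    "clippy"
    "rust-src"
    "rustc"
    "rustfmt"
  ];

  # `crane` the input is shadowed by this per-system, toolchain-aware lib.
  crane = inputs.crane.lib.${system}.overrideToolchain toolchain;

  # Non-Rust assets that must survive source filtering. Each pattern is only
  # anchored at the end, exactly like the former per-extension filters.
  assetExtensions = [ "css" "gif" "js" "md" "png" "txt" "woff2" ];
  hasAssetExtension = path: lib.any (ext: builtins.match ".*${ext}$" path != null) assetExtensions;

  src = lib.cleanSourceWith {
    src = crane.path ./.;
    filter = path: type: crane.filterCargoSources path type || hasAssetExtension path;
  };

  srcArgs = { inherit src; };
  commonArgs = srcArgs // { strictDeps = true; };

  # Dependencies are built once and shared by the package and every check.
  cargoArtifacts = crane.buildDepsOnly commonArgs;
  site = crane.buildPackage (commonArgs // { inherit cargoArtifacts; });
in {
  devShells.${system}.default = crane.devShell {};

  checks.${system} = {
    inherit site;
    clippy = crane.cargoClippy (commonArgs // {
      inherit cargoArtifacts;
      cargoClippyExtraArgs = "--all-targets -- --deny warnings";
    });
    fmt = crane.cargoFmt srcArgs;
    # cargo-audit against the pinned rustsec advisory database; how fresh the
    # advisories are is decided by the lock entry for advisory-db.
    audit = crane.cargoAudit (srcArgs // { inherit advisory-db; });
  };

  packages.${system} = {
    inherit site;
    default = site;
  };

  nixosModules.default = { config, lib, pkgs, ... }: let
    inherit (lib) mkEnableOption mkOption mkIf types optionals;
    cfg = config.services.site;
    # The backend speaks plain HTTP on cfg.port. `[::]` is the unspecified
    # address; connecting to it reaches loopback on Linux.
    backend = "http://[::]:${toString cfg.port}";
  in {
    # Option descriptions have been Markdown by default since NixOS 23.05 and
    # lib.mdDoc has since been deprecated, so the strings are used directly.
    options.services.site = {
      enable = mkEnableOption "site service";

      port = mkOption {
        type = types.port;
        default = 4777;
        example = 80;
        description = ''
          Specifies on which port the site service listens for connections.
        '';
      };

      logLevel = mkOption {
        type = types.enum [ "off" "error" "warn" "info" "debug" "trace" ];
        default = "info";
        example = "warn";
        description = ''
          Specifies the log level that the site service will log stuff with.
        '';
      };

      url = mkOption {
        type = types.str;
        example = "rgbcu.be";
        description = ''
          The url the site is running at.
          Should not have a protocol specifier or trailing slashes.
        '';
      };

      configureNginx = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to configure Nginx and set the reverse proxy settings.
        '';
      };
    };

    config = mkIf cfg.enable {
      # TLS terminates in nginx; the backend port itself is plain HTTP and is
      # not restricted to loopback here.
      # NOTE(review): useACMEHost only references a certificate; the ACME
      # certificate for cfg.url has to be defined elsewhere in the host config.
      services.nginx = mkIf cfg.configureNginx {
        virtualHosts.${cfg.url} = {
          forceSSL = true;
          useACMEHost = cfg.url;
          locations."/".proxyPass = backend;
        };

        # www. is a permanent redirect to the bare host.
        virtualHosts."www.${cfg.url}" = {
          forceSSL = true;
          useACMEHost = cfg.url;
          locations."/".extraConfig = ''
            return 301 https://${cfg.url}$request_uri;
          '';
        };

        # Catch-all for any other Host header, served with the main cert.
        # NOTE(review): nginx replaces the matched prefix "/" with the proxy_pass
        # URI "/404", so a request for "/foo" reaches the backend as "/404foo";
        # presumably the backend answers every such path with a 404 — confirm.
        virtualHosts._ = {
          forceSSL = true;
          useACMEHost = cfg.url;
          locations."/".proxyPass = "${backend}/404";
          locations."/assets".proxyPass = "${backend}/assets";
        };
      };

      systemd.services.site = {
        description = "RGBCube's Homepage";
        requires = [ "network.target" ];
        # Requires= alone does not order startup; After= does.
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];

        serviceConfig = let
          # Binding a port below 1024 needs CAP_NET_BIND_SERVICE; otherwise the
          # service runs with an empty capability set.
          needsPrivileges = cfg.port < 1024;
          # The leading "" resets the set before anything is added.
          capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
          rootDirectory = "/run/site";
        in {
          # NOTE(review): evaluation fails on a host whose pkgs.system is not
          # one of the systems produced by eachDefaultLinuxArch.
          ExecStart = "${self.packages.${pkgs.system}.site}/bin/site --port ${toString cfg.port} --log-level ${cfg.logLevel}";
          Restart = "always";
          DynamicUser = true;

          # Chroot into the (otherwise empty) runtime directory; only the Nix
          # store is bind-mounted read-only so the binary's closure resolves.
          RootDirectory = rootDirectory;
          BindReadOnlyPaths = [ builtins.storeDir ];
          # "+" makes the path relative to RootDirectory, "-" ignores it if missing.
          InaccessiblePaths = [ "-+${rootDirectory}" ];
          RuntimeDirectory = builtins.baseNameOf rootDirectory;
          # Octal, spelled as a string like UMask below.
          RuntimeDirectoryMode = "0700";

          AmbientCapabilities = capabilities;
          CapabilityBoundingSet = capabilities;
          UMask = "0077";
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateTmp = true;
          # A user namespace would strip the ambient capability, so it is only
          # enabled when no capability is needed.
          PrivateUsers = !needsPrivileges;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          ProtectProc = "noaccess";
          ProcSubset = "pid";
          RemoveIPC = true;
          # IP sockets only; AF_UNIX is deliberately not in the list.
          # NOTE(review): when configureNginx is set, IPAddressAllow/IPAddressDeny
          # could confine the backend to loopback so TLS cannot be bypassed; those
          # directives also govern outgoing traffic, so confirm the site makes no
          # outbound connections first.
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          # @system-service allow-list minus resource-limit and privileged calls.
          SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
        };
      };
    };
  };
});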
}