From ab222f3ec09aa078b70ac41e2310af5736ef8876 Mon Sep 17 00:00:00 2001
From: mat ess
Date: Tue, 11 Oct 2022 13:09:21 -0400
Subject: [PATCH] Fly -> Netlify, drop some Nix code
---
.gitignore | 5 +++-
.woodpecker.yml | 14 ----------
Caddyfile | 63 ----------------------------------------------
content/privacy.md | 4 +-
flake.lock | 23 +++--------------
flake.nix | 26 ++++--------------
fly.toml | 38 ----------------------------
netlify.toml | 49 ++++++++++++++++++++++++++++++++++++
nix/container.nix | 13 ----------
nix/default.nix | 3 ---
nix/deploy.nix | 10 --------
nix/themes.nix | 14 ----------
12 files changed, 63 insertions(+), 199 deletions(-)
delete mode 100644 .woodpecker.yml
delete mode 100644 Caddyfile
delete mode 100644 fly.toml
create mode 100644 netlify.toml
delete mode 100644 nix/container.nix
delete mode 100644 nix/deploy.nix
delete mode 100644 nix/themes.nix
diff --git a/.gitignore b/.gitignore
index 08e5933..c49c73e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,4 +6,7 @@ result
# ignore folders where we link in files from the nix store
themes/
static/font/
-static/style/fonts.css
\ No newline at end of file
+static/style/fonts.css
+
+# Local Netlify folder
+.netlify
diff --git a/.woodpecker.yml b/.woodpecker.yml
deleted file mode 100644
index f757ca1..0000000
--- a/.woodpecker.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-pipeline:
- build:
- image: nixos/nix
- environment:
- NIX_CONFIG: "experimental-features = nix-command flakes"
- commands:
- - nix --log-format raw -L build .#docker.x86_64-linux
- deploy:
- image: nixos/nix
- environment:
- NIX_CONFIG: "experimental-features = nix-command flakes"
- secrets: [ fly_api_token ]
- commands:
- - nix --log-format raw -L run .#deploy
diff --git a/Caddyfile b/Caddyfile
deleted file mode 100644
index d2f4bee..0000000
--- a/Caddyfile
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- # fly.io handles HTTPS for us
- auto_https off
-}
-
-http://static-mat-services.fly.dev {
- redir https://mat.services
-}
-
-:8080 {
- root * {$SITE_ROOT}
- encode gzip
- file_server
-
- handle_errors {
- @404 {
- expression {http.error.status_code} == 404
- }
- rewrite @404 /404.html
- file_server
- }
-
- header {
- # disable FLoC tracking
- Permissions-Policy interest-cohort=()
- # enable HSTS
- # currently ramping up max-age as per https://hstspreload.org/
- Strict-Transport-Security max-age=2592000; includeSubDomains
- # disable clients from sniffing the media type
- X-Content-Type-Options nosniff
- # clickjacking protection
- X-Frame-Options DENY
- # keep referrer data off of HTTP connections
- Referrer-Policy no-referrer
- # content security policy
- # style-src 'unsafe-inline': syntax highlighting in codefences
- # sandbox allow-popups: enable target="_blank" links to open in new tabs
- Content-Security-Policy "default-src 'none';
- img-src 'self' https://stats.mat.services;
- style-src 'self' 'unsafe-inline';
- font-src 'self';
- script-src 'self' https://stats.mat.services;
- form-action 'none';
- frame-ancestors 'none';
- base-uri 'none';
- upgrade-insecure-requests;
- sandbox
- allow-same-origin
- allow-scripts
- allow-popups
- allow-popups-to-escape-sandbox"
- }
-
- # caching
- @static {
- path *.bmp *.jpg *.png *.svg *.gif *.pdf *.css *.js *.woff *.woff2 /style/* /font/* /image/*
- }
- route {
- header @static Cache-Control max-age=31536000, immutable
- header *.xml Cache-Control max-age=0
- header ?Cache-Control max-age=360
- }
-}
diff --git a/content/privacy.md b/content/privacy.md
index f640fab..16e060f 100644
--- a/content/privacy.md
+++ b/content/privacy.md
@@ -8,7 +8,7 @@ i want to respect your pivacy, while still getting some insight into the readers
- goatcounter stats are collected via javascript or tracking pixel.
- no server logs are collected.
-- the site is hosted by fly.io.
+- the site is hosted by netlify.
- no data is shared.
## data that i collect
@@ -30,7 +30,7 @@ goatcounter is intended to be privacy-friendly and respect your data. [take a lo
no server logs are collected.
## site hosting
-this site is hosted on fly.io. [see this page for fly.io's privacy statement](https://fly.io/legal/privacy-policy/).
+this site is hosted on netlify. [see this page for netlify's privacy policy](https://www.netlify.com/privacy/).
## data that i share
collected data is not shared with any third parties.
diff --git a/flake.lock b/flake.lock
index 8486067..3bf74c3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,21 +1,5 @@
{
"nodes": {
- "apollo": {
- "flake": false,
- "locked": {
- "lastModified": 1665007857,
- "narHash": "sha256-gmxW7inWm0DhISWYzj6KufArYIoTk4JWjEBHVJ0/HSA=",
- "owner": "not-matthias",
- "repo": "apollo",
- "rev": "62e8667ffe2cbe62fb8000ba66c31a148dca24c0",
- "type": "github"
- },
- "original": {
- "owner": "not-matthias",
- "repo": "apollo",
- "type": "github"
- }
- },
"flake-parts": {
"inputs": {
"nixpkgs": [
@@ -58,11 +42,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1665081174,
- "narHash": "sha256-6hsmzdhdy8Kbvl5e0xZNE83pW3fKQvNiobJkM6KQrgA=",
+ "lastModified": 1665259268,
+ "narHash": "sha256-ONFhHBLv5nZKhwV/F2GOH16197PbvpyWhoO0AOyktkU=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "598f83ebeb2235435189cf84d844b8b73e858e0f",
+ "rev": "c5924154f000e6306030300592f4282949b2db6c",
"type": "github"
},
"original": {
@@ -74,7 +58,6 @@
},
"root": {
"inputs": {
- "apollo": "apollo",
"flake-parts": "flake-parts",
"gitignore": "gitignore",
"nixpkgs": "nixpkgs"
diff --git a/flake.nix b/flake.nix
index e8fe4ca..7e22f7f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,10 +7,6 @@
flake-parts.inputs.nixpkgs.follows = "nixpkgs";
gitignore.url = "github:hercules-ci/gitignore.nix";
gitignore.inputs.nixpkgs.follows = "nixpkgs";
-
- # theme - inlined now, not used
- apollo.url = "github:not-matthias/apollo";
- apollo.flake = false;
};
outputs = { self, flake-parts, gitignore, ... }@inputs:
@@ -20,21 +16,16 @@
perSystem = { config, self', inputs', pkgs, system, ... }:
let
inherit (gitignore.lib) gitignoreSource;
- # TODO: move these to a flake-module
- inherit (pkgs.callPackage ./nix { }) container deploy fonts optimize-images themes;
+ inherit (pkgs.callPackage ./nix { }) fonts optimize-images;
inherit (fonts) copyFonts linkFonts;
- inherit (themes {
- theme = inputs.apollo;
- themeEnabled = false;
- }) copyTheme linkTheme;
in
{
packages.default = with pkgs; stdenv.mkDerivation {
pname = "personal-site";
- version = "2022-09-06";
+ version = "2022-10-10";
src = gitignoreSource ./.;
nativeBuildInputs = [ optimize-images zola ];
- configurePhase = copyTheme + copyFonts;
+ configurePhase = copyFonts;
buildPhase = ''
optimize-images
zola build --drafts
@@ -44,16 +35,9 @@
'';
};
devShells.default = with pkgs; mkShell {
- packages = [ flyctl optimize-images zola ];
- shellHook = linkTheme + linkFonts;
+ packages = [ optimize-images zola ];
+ shellHook = linkFonts;
};
- packages.container = container {
- caddyfile = ./Caddyfile;
- site = config.packages.default;
- };
- apps.deploy.program =
- let deploy' = deploy { dockerImage = self.packages.x86_64-linux.container; };
- in "${deploy'}/bin/deploy";
};
};
}
diff --git a/fly.toml b/fly.toml
deleted file mode 100644
index 31dbfda..0000000
--- a/fly.toml
+++ /dev/null
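Review bot: With `packages.container` gone, the `config` argument in `perSystem = { config, self', inputs', pkgs, system, ... }:` has no remaining reader in the visible hunks — `config.packages.default` in the removed container block was its only use — and `self'`, `inputs'` and `system` do not appear either, though new-file lines 13–15 and 32–34 fall outside the hunks. If nothing there reaches into them, `perSystem = { pkgs, ... }:` states the real dependencies of the remaining code. Dropping `flyctl` from `devShells.default` matches the deleted deploy path; the `fly_api_token` secret the deleted `.woodpecker.yml` consumed is now orphaned and should be revoked on the Fly side, which is outside this repo.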
@@ -1,38 +0,0 @@
-# fly.toml file generated for static-mat-services on 2022-08-08T01:01:25-04:00
-
-app = "static-mat-services"
-kill_signal = "SIGINT"
-kill_timeout = 5
-processes = []
-
-[env]
-
-[experimental]
- allowed_public_ports = []
- auto_rollback = true
-
-[[services]]
- http_checks = []
- internal_port = 8080
- processes = ["app"]
- protocol = "tcp"
- script_checks = []
- [services.concurrency]
- hard_limit = 25
- soft_limit = 20
- type = "connections"
-
- [[services.ports]]
- force_https = true
- handlers = ["http"]
- port = 80
-
- [[services.ports]]
- handlers = ["tls", "http"]
- port = 443
-
- [[services.tcp_checks]]
- grace_period = "1s"
- interval = "15s"
- restart_limit = 0
- timeout = "2s"
diff --git a/netlify.toml b/netlify.toml
new file mode 100644
index 0000000..71294f5
--- /dev/null
+++ b/netlify.toml
@@ -0,0 +1,49 @@
+[build]
+ command = "zola build"
+ publish = "public/"
+
+[dev]
+ command = "zola serve --drafts"
+ publish = "public/"
+ port = 1111
+
+[[redirects]]
+ from = "https://mat-services.netlify.app/*"
+ to = "https://mat.services/:splat"
+ force = true
+
+[[headers]]
+ for = "/*"
+
+ [headers.values]
+ # disable FLoC tracking
+ Permissions-Policy = "interest-cohort=()"
+ # enable HSTS
+ Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
+ # disable clients from sniffing the media type
+ X-Content-Type-Options = "nosniff"
+ # clickjacking protection
+ X-Frame-Options = "DENY"
+ # keep referrer data off of HTTP connections
+ Referrer-Policy = "no-referrer"
+ # content security policy
+ # style-src 'unsafe-inline': syntax highlighting in codefences
+ # sandbox allow-popups: enable target="_blank" links to open in new tabs
+ Content-Security-Policy = '''
+ default-src 'none';
+ img-src 'self' https://mat.services https://stats.mat.services;
+ style-src 'self' https://mat.services 'unsafe-inline';
+ font-src 'self' https://mat.services;
+ script-src 'self' https://mat.services https://stats.mat.services;
+ form-action 'none';
+ frame-ancestors 'none';
+ base-uri 'none';
+ upgrade-insecure-requests;
+ sandbox
+ allow-same-origin
+ allow-scripts
+ allow-popups
+ allow-popups-to-escape-sandbox
+ '''
+
+
diff --git a/nix/container.nix b/nix/container.nix
deleted file mode 100644
index 0d9a9eb..0000000
--- a/nix/container.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ dockerTools, caddy, caddyfile, site }:
-
-dockerTools.buildLayeredImage {
- name = site.pname;
- tag = site.version;
-
- config = {
- Cmd = [ "${caddy}/bin/caddy" "run" "-config" "${caddyfile}" ];
- Env = [
- "SITE_ROOT=${site}"
- ];
- };
-}
diff --git a/nix/default.nix b/nix/default.nix
index 1bbf0be..1dbe344 100644
--- a/nix/default.nix
+++ b/nix/default.nix
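Review bot: `Strict-Transport-Security` in `[headers.values]` goes straight from the 30-day ramp the deleted Caddyfile was running (`max-age=2592000; includeSubDomains`, commented as "currently ramping up") to `max-age=63072000; includeSubDomains; preload`; with `includeSubDomains` every subdomain, including the `stats.mat.services` host the CSP names, must serve valid HTTPS for two years, and if the domain is then submitted to the preload list, backing that out takes months. Confirm each subdomain is TLS-clean before shipping `preload`, or stage it as `Strict-Transport-Security = "max-age=63072000; includeSubDomains"` first and add `preload` once that has been live without incident. Separately, `[build] command = "zola build"` runs neither the `optimize-images` step nor the `--drafts` flag that `flake.nix`'s buildPhase still uses, so the Netlify deploy and the Nix build produce different outputs; if that is intended, a comment above `[build]` saying so would help. The build also does not pin the Zola version; `[build.environment]` with `ZOLA_VERSION = "<pinned version>"` keeps the hosted build reproducible instead of following whatever Netlify's image ships.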
@@ -1,7 +1,4 @@
{ callPackage }: {
- container = { caddyfile, site }: callPackage ./container.nix { inherit caddyfile site; };
- deploy = { dockerImage }: callPackage ./deploy.nix { inherit dockerImage; };
fonts = callPackage ./fonts.nix { };
optimize-images = callPackage ./optimize-images.nix { };
- themes = { theme, themeEnabled }: callPackage ./themes.nix { inherit theme themeEnabled; };
}
diff --git a/nix/deploy.nix b/nix/deploy.nix
deleted file mode 100644
index 5b2e286..0000000
--- a/nix/deploy.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ lib, docker, flyctl, formats, writeShellScriptBin, dockerImage }:
-
-writeShellScriptBin "deploy" ''
- set -euxo pipefail
- export PATH="${lib.makeBinPath [(docker.override { clientOnly = true; }) flyctl]}:$PATH"
- archive=${dockerImage}
- # load archive, drop all output except last line (in case of warnings), print image name
- image=$(docker load < $archive | tail -n1 | awk '{ print $3; }')
- flyctl deploy --image $image --local-only
-''
diff --git a/nix/themes.nix b/nix/themes.nix
deleted file mode 100644
index b04cd6f..0000000
--- a/nix/themes.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ lib, theme, themeEnabled }:
-let
- themeName = ((builtins.fromTOML (builtins.readFile "${theme}/theme.toml")).name);
-in
-{
- copyTheme = lib.optionalString themeEnabled ''
- mkdir -p themes/${themeName}
- cp -r ${theme}/* themes/${themeName}
- '';
- linkTheme = lib.optionalString themeEnabled ''
- mkdir -p themes
- ln -snf "${theme}" "themes/${themeName}"
- '';
-}