sloane
/
mat.services
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fly -> Netlify, drop some Nix code

pull/1/head
mat ess 2022-10-11 13:09:21 -04:00
parent dc4e0d6afa
commit ab222f3ec0
12 changed files with 63 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -6,4 +6,7 @@ result
# ignore folders where we link in files from the nix store
themes/
static/font/
static/style/fonts.css
static/style/fonts.css
# Local Netlify folder
.netlify

14
.woodpecker.yml
View File

@ -1,14 +0,0 @@
pipeline:
build:
image: nixos/nix
environment:
NIX_CONFIG: "experimental-features = nix-command flakes"
commands:
- nix --log-format raw -L build .#docker.x86_64-linux
deploy:
image: nixos/nix
environment:
NIX_CONFIG: "experimental-features = nix-command flakes"
secrets: [ fly_api_token ]
commands:
- nix --log-format raw -L run .#deploy

63
Caddyfile
View File

@ -1,63 +0,0 @@
{
# fly.io handles HTTPS for us
auto_https off
}
http://static-mat-services.fly.dev {
redir https://mat.services
}
:8080 {
root * {$SITE_ROOT}
encode gzip
file_server
handle_errors {
@404 {
expression {http.error.status_code} == 404
}
rewrite @404 /404.html
file_server
}
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
# currently ramping up max-age as per https://hstspreload.org/
Strict-Transport-Security max-age=2592000; includeSubDomains
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer
# content security policy
# style-src 'unsafe-inline': syntax highlighting in codefences
# sandbox allow-popups: enable target="_blank" links to open in new tabs
Content-Security-Policy "default-src 'none';
img-src 'self' https://stats.mat.services;
style-src 'self' 'unsafe-inline';
font-src 'self';
script-src 'self' https://stats.mat.services;
form-action 'none';
frame-ancestors 'none';
base-uri 'none';
upgrade-insecure-requests;
sandbox
allow-same-origin
allow-scripts
allow-popups
allow-popups-to-escape-sandbox"
}
# caching
@static {
path *.bmp *.jpg *.png *.svg *.gif *.pdf *.css *.js *.woff *.woff2 /style/* /font/* /image/*
}
route {
header @static Cache-Control max-age=31536000, immutable
header *.xml Cache-Control max-age=0
header ?Cache-Control max-age=360
}
}

4
content/privacy.md
View File

@ -8,7 +8,7 @@ i want to respect your pivacy, while still getting some insight into the readers
- goatcounter stats are collected via javascript or tracking pixel.
- no server logs are collected.
- the site is hosted by fly.io.
- the site is hosted by netlify.
- no data is shared.
## data that i collect
@ -30,7 +30,7 @@ goatcounter is intended to be privacy-friendly and respect your data. [take a lo
no server logs are collected.
## site hosting
this site is hosted on fly.io. [see this page for fly.io's privacy statement](https://fly.io/legal/privacy-policy/).
this site is hosted on netlify. [see this page for netlify's privacy policy](https://www.netlify.com/privacy/).
## data that i share
collected data is not shared with any third parties.

23
flake.lock
View File

@ -1,21 +1,5 @@
{
"nodes": {
"apollo": {
"flake": false,
"locked": {
"lastModified": 1665007857,
"narHash": "sha256-gmxW7inWm0DhISWYzj6KufArYIoTk4JWjEBHVJ0/HSA=",
"owner": "not-matthias",
"repo": "apollo",
"rev": "62e8667ffe2cbe62fb8000ba66c31a148dca24c0",
"type": "github"
},
"original": {
"owner": "not-matthias",
"repo": "apollo",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs": [
@ -58,11 +42,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1665081174,
"narHash": "sha256-6hsmzdhdy8Kbvl5e0xZNE83pW3fKQvNiobJkM6KQrgA=",
"lastModified": 1665259268,
"narHash": "sha256-ONFhHBLv5nZKhwV/F2GOH16197PbvpyWhoO0AOyktkU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "598f83ebeb2235435189cf84d844b8b73e858e0f",
"rev": "c5924154f000e6306030300592f4282949b2db6c",
"type": "github"
},
"original": {
@ -74,7 +58,6 @@
},
"root": {
"inputs": {
"apollo": "apollo",
"flake-parts": "flake-parts",
"gitignore": "gitignore",
"nixpkgs": "nixpkgs"

26
flake.nix
View File

@ -7,10 +7,6 @@
flake-parts.inputs.nixpkgs.follows = "nixpkgs";
gitignore.url = "github:hercules-ci/gitignore.nix";
gitignore.inputs.nixpkgs.follows = "nixpkgs";
# theme - inlined now, not used
apollo.url = "github:not-matthias/apollo";
apollo.flake = false;
};
outputs = { self, flake-parts, gitignore, ... }@inputs:
@ -20,21 +16,16 @@
perSystem = { config, self', inputs', pkgs, system, ... }:
let
inherit (gitignore.lib) gitignoreSource;
# TODO: move these to a flake-module
inherit (pkgs.callPackage ./nix { }) container deploy fonts optimize-images themes;
inherit (pkgs.callPackage ./nix { }) fonts optimize-images;
inherit (fonts) copyFonts linkFonts;
inherit (themes {
theme = inputs.apollo;
themeEnabled = false;
}) copyTheme linkTheme;
in
{
packages.default = with pkgs; stdenv.mkDerivation {
pname = "personal-site";
version = "2022-09-06";
version = "2022-10-10";
src = gitignoreSource ./.;
nativeBuildInputs = [ optimize-images zola ];
configurePhase = copyTheme + copyFonts;
configurePhase = copyFonts;
buildPhase = ''
optimize-images
zola build --drafts
@ -44,16 +35,9 @@
'';
};
devShells.default = with pkgs; mkShell {
packages = [ flyctl optimize-images zola ];
shellHook = linkTheme + linkFonts;
packages = [ optimize-images zola ];
shellHook = linkFonts;
};
packages.container = container {
caddyfile = ./Caddyfile;
site = config.packages.default;
};
apps.deploy.program =
let deploy' = deploy { dockerImage = self.packages.x86_64-linux.container; };
in "${deploy'}/bin/deploy";
};
};
}

38
fly.toml
View File

@ -1,38 +0,0 @@
# fly.toml file generated for static-mat-services on 2022-08-08T01:01:25-04:00
app = "static-mat-services"
kill_signal = "SIGINT"
kill_timeout = 5
processes = []
[env]
[experimental]
allowed_public_ports = []
auto_rollback = true
[[services]]
http_checks = []
internal_port = 8080
processes = ["app"]
protocol = "tcp"
script_checks = []
[services.concurrency]
hard_limit = 25
soft_limit = 20
type = "connections"
[[services.ports]]
force_https = true
handlers = ["http"]
port = 80
[[services.ports]]
handlers = ["tls", "http"]
port = 443
[[services.tcp_checks]]
grace_period = "1s"
interval = "15s"
restart_limit = 0
timeout = "2s"

49
netlify.toml Normal file
View File

@ -0,0 +1,49 @@
[build]
command = "zola build"
publish = "public/"
[dev]
command = "zola serve --drafts"
publish = "public/"
port = 1111
[[redirects]]
from = "https://mat-services.netlify.app/*"
to = "https://mat.services/:splat"
force = true
[[headers]]
for = "/*"
[headers.values]
# disable FLoC tracking
Permissions-Policy = "interest-cohort=()"
# enable HSTS
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options = "nosniff"
# clickjacking protection
X-Frame-Options = "DENY"
# keep referrer data off of HTTP connections
Referrer-Policy = "no-referrer"
# content security policy
# style-src 'unsafe-inline': syntax highlighting in codefences
# sandbox allow-popups: enable target="_blank" links to open in new tabs
Content-Security-Policy = '''
default-src 'none';
img-src 'self' https://mat.services https://stats.mat.services;
style-src 'self' https://mat.services 'unsafe-inline';
font-src 'self' https://mat.services;
script-src 'self' https://mat.services https://stats.mat.services;
form-action 'none';
frame-ancestors 'none';
base-uri 'none';
upgrade-insecure-requests;
sandbox
allow-same-origin
allow-scripts
allow-popups
allow-popups-to-escape-sandbox
'''

13
nix/container.nix
View File

@ -1,13 +0,0 @@
{ dockerTools, caddy, caddyfile, site }:
dockerTools.buildLayeredImage {
name = site.pname;
tag = site.version;
config = {
Cmd = [ "${caddy}/bin/caddy" "run" "-config" "${caddyfile}" ];
Env = [
"SITE_ROOT=${site}"
];
};
}

3
nix/default.nix
View File

@ -1,7 +1,4 @@
{ callPackage }: {
container = { caddyfile, site }: callPackage ./container.nix { inherit caddyfile site; };
deploy = { dockerImage }: callPackage ./deploy.nix { inherit dockerImage; };
fonts = callPackage ./fonts.nix { };
optimize-images = callPackage ./optimize-images.nix { };
themes = { theme, themeEnabled }: callPackage ./themes.nix { inherit theme themeEnabled; };
}

10
nix/deploy.nix
View File

@ -1,10 +0,0 @@
{ lib, docker, flyctl, formats, writeShellScriptBin, dockerImage }:
writeShellScriptBin "deploy" ''
set -euxo pipefail
export PATH="${lib.makeBinPath [(docker.override { clientOnly = true; }) flyctl]}:$PATH"
archive=${dockerImage}
# load archive, drop all output except last line (in case of warnings), print image name
image=$(docker load < $archive | tail -n1 | awk '{ print $3; }')
flyctl deploy --image $image --local-only
''

14
nix/themes.nix
View File

@ -1,14 +0,0 @@
{ lib, theme, themeEnabled }:
let
themeName = ((builtins.fromTOML (builtins.readFile "${theme}/theme.toml")).name);
in
{
copyTheme = lib.optionalString themeEnabled ''
mkdir -p themes/${themeName}
cp -r ${theme}/* themes/${themeName}
'';
linkTheme = lib.optionalString themeEnabled ''
mkdir -p themes
ln -snf "${theme}" "themes/${themeName}"
'';
}