Fly -> Netlify, drop some Nix code

.gitignore

@@ -7,3 +7,6 @@ result
 themes/
 static/font/
 static/style/fonts.css
+
+# Local Netlify folder
+.netlify

.woodpecker.yml

@@ -1,14 +0,0 @@
-pipeline:
-  build:
-    image: nixos/nix
-    environment:
-      NIX_CONFIG: "experimental-features = nix-command flakes"
-    commands:
-      - nix --log-format raw -L build .#docker.x86_64-linux
-  deploy:
-    image: nixos/nix
-    environment:
-      NIX_CONFIG: "experimental-features = nix-command flakes"
-    secrets: [ fly_api_token ]
-    commands:
-      - nix --log-format raw -L run .#deploy

Caddyfile

@@ -1,63 +0,0 @@
-{
-	# fly.io handles HTTPS for us
-	auto_https off
-}
-
-http://static-mat-services.fly.dev {
-	redir https://mat.services
-}
-
-:8080 {
-	root * {$SITE_ROOT}
-	encode gzip
-	file_server
-
-	handle_errors {
-		@404 {
-			expression {http.error.status_code} == 404
-		}
-		rewrite @404 /404.html
-		file_server
-	}
-
-	header {
-		# disable FLoC tracking
-		Permissions-Policy interest-cohort=()
-		# enable HSTS
-		# currently ramping up max-age as per https://hstspreload.org/
-		Strict-Transport-Security max-age=2592000; includeSubDomains
-		# disable clients from sniffing the media type
-		X-Content-Type-Options nosniff
-		# clickjacking protection
-		X-Frame-Options DENY
-		# keep referrer data off of HTTP connections
-		Referrer-Policy no-referrer
-		# content security policy
-		# style-src 'unsafe-inline': syntax highlighting in codefences
-		# sandbox allow-popups: enable target="_blank" links to open in new tabs
-		Content-Security-Policy "default-src 'none';
-      img-src 'self' https://stats.mat.services;
-      style-src 'self' 'unsafe-inline';
-      font-src 'self';
-			script-src 'self' https://stats.mat.services;
-      form-action 'none';
-      frame-ancestors 'none';
-      base-uri 'none';
-      upgrade-insecure-requests;
-      sandbox
-				allow-same-origin
-				allow-scripts
-				allow-popups 
-				allow-popups-to-escape-sandbox"
-	}
-
-	# caching
-	@static {
-		path *.bmp *.jpg *.png *.svg *.gif *.pdf *.css *.js *.woff *.woff2 /style/* /font/* /image/*
-	}
-	route {
-		header @static Cache-Control max-age=31536000, immutable
-		header *.xml Cache-Control max-age=0
-		header ?Cache-Control max-age=360
-	}
-}

content/privacy.md

@@ -8,7 +8,7 @@ i want to respect your pivacy, while still getting some insight into the readers
 
 - goatcounter stats are collected via javascript or tracking pixel.
 - no server logs are collected.
-- the site is hosted by fly.io.
+- the site is hosted by netlify.
 - no data is shared.
 
 ## data that i collect
@@ -30,7 +30,7 @@ goatcounter is intended to be privacy-friendly and respect your data. [take a lo
 no server logs are collected.
 
 ## site hosting
-this site is hosted on fly.io. [see this page for fly.io's privacy statement](https://fly.io/legal/privacy-policy/).
+this site is hosted on netlify. [see this page for netlify's privacy policy](https://www.netlify.com/privacy/).
 
 ## data that i share
 collected data is not shared with any third parties.

flake.lock

@@ -1,21 +1,5 @@
 {
   "nodes": {
-    "apollo": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1665007857,
-        "narHash": "sha256-gmxW7inWm0DhISWYzj6KufArYIoTk4JWjEBHVJ0/HSA=",
-        "owner": "not-matthias",
-        "repo": "apollo",
-        "rev": "62e8667ffe2cbe62fb8000ba66c31a148dca24c0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "not-matthias",
-        "repo": "apollo",
-        "type": "github"
-      }
-    },
     "flake-parts": {
       "inputs": {
         "nixpkgs": [
@@ -58,11 +42,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1665081174,
+        "lastModified": 1665259268,
-        "narHash": "sha256-6hsmzdhdy8Kbvl5e0xZNE83pW3fKQvNiobJkM6KQrgA=",
+        "narHash": "sha256-ONFhHBLv5nZKhwV/F2GOH16197PbvpyWhoO0AOyktkU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "598f83ebeb2235435189cf84d844b8b73e858e0f",
+        "rev": "c5924154f000e6306030300592f4282949b2db6c",
         "type": "github"
       },
       "original": {
@@ -74,7 +58,6 @@
     },
     "root": {
       "inputs": {
-        "apollo": "apollo",
         "flake-parts": "flake-parts",
         "gitignore": "gitignore",
         "nixpkgs": "nixpkgs"

flake.nix

@@ -7,10 +7,6 @@
     flake-parts.inputs.nixpkgs.follows = "nixpkgs";
     gitignore.url = "github:hercules-ci/gitignore.nix";
     gitignore.inputs.nixpkgs.follows = "nixpkgs";
-
-    # theme - inlined now, not used
-    apollo.url = "github:not-matthias/apollo";
-    apollo.flake = false;
   };
 
   outputs = { self, flake-parts, gitignore, ... }@inputs:
@@ -20,21 +16,16 @@
       perSystem = { config, self', inputs', pkgs, system, ... }:
         let
           inherit (gitignore.lib) gitignoreSource;
-          # TODO: move these to a flake-module
+          inherit (pkgs.callPackage ./nix { }) fonts optimize-images;
-          inherit (pkgs.callPackage ./nix { }) container deploy fonts optimize-images themes;
           inherit (fonts) copyFonts linkFonts;
-          inherit (themes {
-            theme = inputs.apollo;
-            themeEnabled = false;
-          }) copyTheme linkTheme;
         in
         {
           packages.default = with pkgs; stdenv.mkDerivation {
             pname = "personal-site";
-            version = "2022-09-06";
+            version = "2022-10-10";
             src = gitignoreSource ./.;
             nativeBuildInputs = [ optimize-images zola ];
-            configurePhase = copyTheme + copyFonts;
+            configurePhase = copyFonts;
             buildPhase = ''
               optimize-images
               zola build --drafts
@@ -44,16 +35,9 @@
             '';
           };
           devShells.default = with pkgs; mkShell {
-            packages = [ flyctl optimize-images zola ];
+            packages = [ optimize-images zola ];
-            shellHook = linkTheme + linkFonts;
+            shellHook = linkFonts;
           };
-          packages.container = container {
-            caddyfile = ./Caddyfile;
-            site = config.packages.default;
-          };
-          apps.deploy.program =
-            let deploy' = deploy { dockerImage = self.packages.x86_64-linux.container; };
-            in "${deploy'}/bin/deploy";
         };
     };
 }

fly.toml

@@ -1,38 +0,0 @@
-# fly.toml file generated for static-mat-services on 2022-08-08T01:01:25-04:00
-
-app = "static-mat-services"
-kill_signal = "SIGINT"
-kill_timeout = 5
-processes = []
-
-[env]
-
-[experimental]
-  allowed_public_ports = []
-  auto_rollback = true
-
-[[services]]
-  http_checks = []
-  internal_port = 8080
-  processes = ["app"]
-  protocol = "tcp"
-  script_checks = []
-  [services.concurrency]
-    hard_limit = 25
-    soft_limit = 20
-    type = "connections"
-
-  [[services.ports]]
-    force_https = true
-    handlers = ["http"]
-    port = 80
-
-  [[services.ports]]
-    handlers = ["tls", "http"]
-    port = 443
-
-  [[services.tcp_checks]]
-    grace_period = "1s"
-    interval = "15s"
-    restart_limit = 0
-    timeout = "2s"

netlify.toml

@@ -0,0 +1,49 @@
+[build]
+  command = "zola build"
+  publish = "public/"
+
+[dev]
+  command = "zola serve --drafts"
+  publish = "public/"
+  port = 1111
+
+[[redirects]]
+  from = "https://mat-services.netlify.app/*"
+  to = "https://mat.services/:splat"
+  force = true
+
+[[headers]]
+  for = "/*"
+
+  [headers.values]
+		# disable FLoC tracking
+    Permissions-Policy = "interest-cohort=()"
+    # enable HSTS
+    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
+    # disable clients from sniffing the media type
+    X-Content-Type-Options = "nosniff"
+    # clickjacking protection
+    X-Frame-Options = "DENY"
+    # keep referrer data off of HTTP connections
+    Referrer-Policy = "no-referrer"
+    # content security policy
+		# style-src 'unsafe-inline': syntax highlighting in codefences
+		# sandbox allow-popups: enable target="_blank" links to open in new tabs
+		Content-Security-Policy = '''
+    default-src 'none';
+    img-src 'self' https://mat.services https://stats.mat.services;
+    style-src 'self' https://mat.services 'unsafe-inline';
+    font-src 'self' https://mat.services;
+    script-src 'self' https://mat.services https://stats.mat.services;
+    form-action 'none';
+    frame-ancestors 'none';
+    base-uri 'none';
+    upgrade-insecure-requests;
+    sandbox
+      allow-same-origin
+      allow-scripts
+      allow-popups 
+      allow-popups-to-escape-sandbox
+    '''
+
+

nix/container.nix

@@ -1,13 +0,0 @@
-{ dockerTools, caddy, caddyfile, site }:
-
-dockerTools.buildLayeredImage {
-  name = site.pname;
-  tag = site.version;
-
-  config = {
-    Cmd = [ "${caddy}/bin/caddy" "run" "-config" "${caddyfile}" ];
-    Env = [
-      "SITE_ROOT=${site}"
-    ];
-  };
-}

nix/default.nix

@@ -1,7 +1,4 @@
 { callPackage }: {
-  container = { caddyfile, site }: callPackage ./container.nix { inherit caddyfile site; };
-  deploy = { dockerImage }: callPackage ./deploy.nix { inherit dockerImage; };
   fonts = callPackage ./fonts.nix { };
   optimize-images = callPackage ./optimize-images.nix { };
-  themes = { theme, themeEnabled }: callPackage ./themes.nix { inherit theme themeEnabled; };
 }

nix/deploy.nix

@@ -1,10 +0,0 @@
-{ lib, docker, flyctl, formats, writeShellScriptBin, dockerImage }:
-
-writeShellScriptBin "deploy" ''
-  set -euxo pipefail
-  export PATH="${lib.makeBinPath [(docker.override { clientOnly = true; }) flyctl]}:$PATH"
-  archive=${dockerImage}
-  # load archive, drop all output except last line (in case of warnings), print image name
-  image=$(docker load < $archive | tail -n1 | awk '{ print $3; }')
-  flyctl deploy --image $image --local-only
-''

nix/themes.nix

@@ -1,14 +0,0 @@
-{ lib, theme, themeEnabled }:
-let
-  themeName = ((builtins.fromTOML (builtins.readFile "${theme}/theme.toml")).name);
-in
-{
-  copyTheme = lib.optionalString themeEnabled ''
-    mkdir -p themes/${themeName}
-    cp -r ${theme}/* themes/${themeName}
-  '';
-  linkTheme = lib.optionalString themeEnabled ''
-    mkdir -p themes
-    ln -snf "${theme}" "themes/${themeName}"
-  '';
-}