

commit 13726201db6e9d3c4fca7cbf45703a999eaea31b
parent ef00dd9f684361b2ba0c17a84aae02dab955a38d
Author: Leah (ctucx) <git@ctu.cx>
Date: Wed, 26 Oct 2022 22:21:56 +0200

machines/lollo/websites/wiki.home.ctu.cx: use hugo instead of pinedocs
1 file changed, 44 insertions(+), 102 deletions(-)
M
machines/lollo/websites/wiki.home.ctu.cx.nix
|
146
++++++++++++++++++++++++-------------------------------------------------------
diff --git a/machines/lollo/websites/wiki.home.ctu.cx.nix b/machines/lollo/websites/wiki.home.ctu.cx.nix
@@ -1,120 +1,62 @@
 { config, pkgs, lib, ... }:
 
-let
-  PineDocsConfig = {
-    title                = "ctucx.wiki";
-    content_dir          = "/mnt/wiki";
-    index                = "index.md";
-    layout               = "wiki";
-    color_scheme         = "pinedocs";
-    highlight_theme      = "darcula";
-    code_transparent_bg  = false;
-    open_dirs            = "all";
-    render_footer        = true;
-    exclude_files        = [ ".DS_Store" ".git" ".db" ".swp" ".stfolder" ".stversions" ];
-    show_file_extension  = true;
-    menu_link_format     = "default";
-    render_max_file_size = 50;
-  };
-
-  fetcher      = (args: pkgs.fetchurl { inherit (args) name urls sha256; });
-  cacheEntries = [
-    { name = "stephank_composer-plugin-nixify-1.1.0.0"; filename = "stephank/composer-plugin-nixify/6b00aedf28221acbb64a87222a0eb819404901f2.zip"; sha256 = "ac7cc480698f8717fb9fce4077b81303d37fe6ab2b89c8547cd7f9451598ee1e"; urls = [ "https://api.github.com/repos/stephank/composer-plugin-nixify/zipball/d93c4348388d714d7d81b41e34ccb2ae9c2131c2" ]; }
-    { name = "symfony_deprecation-contracts-2.5.0.0"; filename = "symfony/deprecation-contracts/65820bb896af30226f07d6c785944a3fd9f41635.zip"; sha256 = "6a7d29db04c54db4fd883b5e2c451c46887ac817a715c7d74942b3495ed05c16"; urls = [ "https://api.github.com/repos/symfony/deprecation-contracts/zipball/6f981ee24cf69ee7ce9736146d1c57c2780598a8" ]; }
-    { name = "symfony_polyfill-ctype-1.25.0.0"; filename = "symfony/polyfill-ctype/82b95b53aa89f5407fe26365ef24fa6d1a3f5ab6.zip"; sha256 = "8bdf0d13df0786a5c4517b165f956e055b44f8a6a06f84e4da8880871c11d035"; urls = [ "https://api.github.com/repos/symfony/polyfill-ctype/zipball/30885182c981ab175d4d034db0f6f469898070ab" ]; }
-    { name = "symfony_polyfill-mbstring-1.25.0.0"; filename = "symfony/polyfill-mbstring/f533d749810b86d80da55ac1180b740d98c58440.zip"; sha256 = "a84c7217bf91d5648f4003e2079fb18162f166f9bf2233153ac7ba62c87127fc"; urls = [ "https://api.github.com/repos/symfony/polyfill-mbstring/zipball/0abb51d2f102e00a4eefcf46ba7fec406d245825" ]; }
-    { name = "symfony_yaml-5.4.3.0"; filename = "symfony/yaml/e7ba161d1f02817ac2e52bcc2c18720d13521c01.zip"; sha256 = "29cfe44835d1360c2e8758d9e86b6f81a6e8161dfee7e0120b674aa4a1d24615"; urls = [ "https://api.github.com/repos/symfony/yaml/zipball/e80f87d2c9495966768310fc531b487ce64237a2" ]; }
-    { name = "twig_twig-3.4.1.0"; filename = "twig/twig/43fd0fd015ae40459e42cf41b7e7b1798ff18fdc.zip"; sha256 = "968e84055e6736fe3ebbaa1d8cb3351aad92a8a9e93cbb711dd24519c022c55e"; urls = [ "https://api.github.com/repos/twigphp/Twig/zipball/e939eae92386b69b49cfa4599dd9bead6bf4a342" ]; }
-    { name = "phpstan_phpstan-1.7.0.0"; filename = "phpstan/phpstan/a65115de4806c461bc1a05e6b287b4c3ff626a64.zip"; sha256 = "13da49a543312c425f70f0d9a28e9100723e1d7f529cf92ff6a327c38d79bd9b"; urls = [ "https://api.github.com/repos/phpstan/phpstan/zipball/509b3d6da631de31494dc21adedb30d73970e5aa" ]; }
-  ];
-
-  # Shell snippet to collect all project dependencies.
-  collectCacheScript = pkgs.writeText "collect-cache.sh" (
-    pkgs. lib.strings.concatMapStrings (args: ''
-      (
-        cacheFile=${lib.strings.escapeShellArg args.filename}
-        cacheFilePath="$COMPOSER_CACHE_DIR/files/$cacheFile"
-        mkdir -p "$(dirname "$cacheFilePath")"
-        cp ${lib.strings.escapeShellArg (fetcher args)} "$cacheFilePath"
-      )
-    '') cacheEntries
-  );
-
-  PineDocs = pkgs.stdenv.mkDerivation rec {
-    pname    = "PineDocs";
-    version  = "1.2.5";
-    src      = pkgs.fetchFromGitHub {
-      owner  = "xy2z";
-      repo   = "PineDocs";
-      rev    = "${version}";
-      sha256 = "sha256-eJfxUNSXJG1D1GvRC+s3Z8fmVlx38lIDeEkXGt/9Fkc=";
-    };
-
-    buildInputs = with pkgs; [ php unzip ];
-
-    # Defines the shell alias to run Composer.
-    postHook = ''composer () {
-      php "$NIX_COMPOSER_PATH" "$@"
-    }'';
-
-    configurePhase = ''
-      # Set the cache directory for Composer.
-      export COMPOSER_CACHE_DIR="$NIX_BUILD_TOP/.composer/cache";
-
-      # Build the cache directory contents.
-      source ${collectCacheScript};
-
-      # Store the absolute path to Composer for the 'composer' alias.
-      export NIX_COMPOSER_PATH="$(readlink -f ${lib.strings.escapeShellArg pkgs.phpPackages.composer.src})";
-
-      # Run normal Composer install to complete dependency installation.
-      composer install;
-    '';
-
-    installPhase = ''
-      mv $PWD $out;
-      touch $out/config/config.yaml;
-      echo '${builtins.toJSON PineDocsConfig}' > $out/config/config.yaml;
-    '';
-  };
-
-in {
-
-  environment.systemPackages = [ pkgs.bindfs ];
+{
 
   fileSystems."/mnt/wiki" = {
     device = "/home/leah/syncthing/Wiki";
-    fsType = "fuse.bindfs";
-    options = [ "ro" "perms=0000:a+rX" ];
+    options = [ "bind" "ro" ];
+  };
+
+  users.users.hugo-wiki = {
+    isSystemUser = true;
+    home         = "/var/lib/hugo-wiki";
+    group        = "nginx";
   };
 
-  services.phpfpm.pools.pinedocs  = {
-    user  = config.services.nginx.user;
-    group = config.services.nginx.group;
-    settings = {
-      pm                     = "dynamic";
-      "listen.owner"         = config.services.nginx.user;
-      "pm.max_children"      = 2;
-      "pm.start_servers"     = 2;
-      "pm.min_spare_servers" = 1;
-      "pm.max_spare_servers" = 2;
-      "pm.max_requests"      = 500;
+  systemd.services.hugo-wiki = {
+    wantedBy  = [ "multi-user.target" ];
+    onFailure = [ "email-notify@%i.service" ];
+
+    serviceConfig = {
+      User                    = "hugo-wiki";
+      Group                   = "nginx";
+
+      StateDirectory          = "hugo-wiki";
+      WorkingDirectory        = "/var/lib/hugo-wiki";
+      ReadWritePaths          = [ "/var/lib/hugo-wiki" ];
+
+      PrivateTmp              = true;
+      ProtectHome             = true;
+      ProtectSystem           = "strict";
+      ProtectKernelTunables   = true;
+      ProtectHostname         = true;
+      ProtectClock            = true;
+      ProtectControlGroups    = true;
+      RestrictAddressFamilies = "";
+
+      NoNewPrivileges         = true;
+      PrivateDevices          = true;
+      RestrictSUIDSGID        = true;
+      ProtectKernelModules    = true;
+      MemoryDenyWriteExecute  = true;
+      RestrictNamespaces      = true;
+      RestrictRealtime        = true;
+      LockPersonality         = true;
+
+      ExecStart               = "${pkgs.unstable.hugo}/bin/hugo --source /mnt/wiki --destination /var/lib/hugo-wiki --noBuildLock --watch --cleanDestinationDir --verbose --minify";
+
+      Restart                 = "on-failure";
+      RestartSec              = "5";
     };
   };
 
+
   services.nginx = {
     enable = true;
     virtualHosts."wiki.home.ctu.cx" = {
       enableACME = true;
       forceSSL   = true;
-      root       = "${PineDocs}/public";
-      locations  = {
-        "/".index              = "index.php index.html";
-        "~ \.php$".extraConfig = ''
-          fastcgi_pass  unix:${config.services.phpfpm.pools.pinedocs.socket};
-          fastcgi_index index.php;
-        '';
-      };
+      root       = "/var/lib/hugo-wiki";
     };
   };