jet/website
jet/website
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix: cleanup flake and repo

Browse source
This commit is contained in:
Jet 2026-03-28 20:13:12 -07:00
parent 17d708eb7a
commit 9a5256e8f0
No known key found for this signature in database
7 changed files with 197 additions and 530 deletions
Download patch file Download diff file Expand all files Collapse all files

226
module.nix
View file

@ -1,27 +1,118 @@
self:
{ config, lib, ... }:
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.jetpham-website;
package = self.packages.x86_64-linux.default;
qaApi = self.packages.x86_64-linux.qa-api;
webhookSecretPath =
if cfg.webhookSecretFile != null then
cfg.webhookSecretFile
else
config.age.secrets.webhook-secret.path;
package = cfg.package;
qaApi = cfg.apiPackage;
apiListen = "${cfg.apiListenAddress}:${toString cfg.apiListenPort}";
caddyCommonConfig = ''
header Cross-Origin-Opener-Policy "same-origin"
header Cross-Origin-Embedder-Policy "require-corp"
handle /api/* {
reverse_proxy ${apiListen}
}
handle /qa/rss.xml {
reverse_proxy ${apiListen}
}
handle {
root * ${package}
try_files {path} /index.html
file_server
}
${cfg.caddy.extraConfig}
'';
in
{
options.services.jetpham-website = {
enable = lib.mkEnableOption "Jet Pham's personal website";
package = lib.mkOption {
type = lib.types.package;
default = self.packages.${pkgs.system}.default;
defaultText = lib.literalExpression "self.packages.${pkgs.system}.default";
description = "Static site package served by Caddy.";
};
apiPackage = lib.mkOption {
type = lib.types.package;
default = self.packages.${pkgs.system}.qa-api;
defaultText = lib.literalExpression "self.packages.${pkgs.system}.qa-api";
description = "Q&A API package run by systemd.";
};
domain = lib.mkOption {
type = lib.types.str;
default = "jetpham.com";
description = "Domain to serve the website on.";
};
tor.enable = lib.mkEnableOption "Tor hidden service for the website";
openFirewall = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Open HTTP and HTTPS ports when Caddy is enabled.";
};
apiListenAddress = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "Address for the local Q&A API listener.";
};
apiListenPort = lib.mkOption {
type = lib.types.port;
default = 3003;
description = "Port for the local Q&A API listener.";
};
caddy.enable = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Serve the static site and reverse proxy the API through Caddy.";
};
caddy.extraConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = "Extra Caddy directives appended inside the virtual host block.";
};
tor = {
enable = lib.mkEnableOption "Tor hidden service for the website";
port = lib.mkOption {
type = lib.types.port;
default = 8888;
description = "Local Caddy port exposed through the onion service.";
};
onionSecretKeyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = "Path to the Tor hidden service secret key file.";
};
onionPublicKeyFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = "Path to the Tor hidden service public key file.";
};
onionHostnameFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = "Path to the Tor hidden service hostname file.";
};
};
qaNotifyEmail = lib.mkOption {
type = lib.types.str;
@ -42,36 +133,31 @@ in
};
webhookSecretFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
type = lib.types.path;
description = "File containing the WEBHOOK_SECRET for MTA Hook authentication.";
};
};
config = lib.mkIf cfg.enable {
age.secrets.webhook-secret = lib.mkIf (cfg.webhookSecretFile == null) {
file = "${self}/secrets/webhook-secret.age";
mode = "0400";
};
assertions = [
{
assertion =
!cfg.tor.enable
|| (
cfg.tor.onionSecretKeyFile != null
&& cfg.tor.onionPublicKeyFile != null
&& cfg.tor.onionHostnameFile != null
);
message = "services.jetpham-website.tor requires onionSecretKeyFile, onionPublicKeyFile, and onionHostnameFile.";
}
];
age.secrets.tor-onion-secret-key = lib.mkIf cfg.tor.enable {
file = "${self}/secrets/tor-onion-secret-key.age";
owner = "tor";
group = "tor";
mode = "0400";
};
age.secrets.tor-onion-public-key = lib.mkIf cfg.tor.enable {
file = "${self}/secrets/tor-onion-public-key.age";
owner = "tor";
group = "tor";
mode = "0444";
};
age.secrets.tor-onion-hostname = lib.mkIf cfg.tor.enable {
file = "${self}/secrets/tor-onion-hostname.age";
owner = "tor";
group = "tor";
mode = "0444";
};
networking.firewall.allowedTCPPorts = lib.mkIf (cfg.caddy.enable && cfg.openFirewall) [
80
443
];
services.caddy.enable = cfg.caddy.enable;
services.tor = lib.mkIf cfg.tor.enable {
enable = true;
@ -81,7 +167,7 @@ in
port = 80;
target = {
addr = "127.0.0.1";
port = 8888;
port = cfg.tor.port;
};
}
];
@ -90,39 +176,45 @@ in
systemd.services.tor-onion-keys = lib.mkIf cfg.tor.enable {
description = "Copy Tor onion keys into place";
after = [ "agenix.service" ];
before = [ "tor.service" ];
wantedBy = [ "tor.service" ];
serviceConfig.Type = "oneshot";
script = ''
dir="/var/lib/tor/onion/jetpham-website"
mkdir -p "$dir"
cp ${config.age.secrets.tor-onion-secret-key.path} "$dir/hs_ed25519_secret_key"
cp ${config.age.secrets.tor-onion-public-key.path} "$dir/hs_ed25519_public_key"
cp ${config.age.secrets.tor-onion-hostname.path} "$dir/hostname"
cp ${cfg.tor.onionSecretKeyFile} "$dir/hs_ed25519_secret_key"
cp ${cfg.tor.onionPublicKeyFile} "$dir/hs_ed25519_public_key"
cp ${cfg.tor.onionHostnameFile} "$dir/hostname"
chown -R tor:tor "$dir"
chmod 700 "$dir"
chmod 400 "$dir/hs_ed25519_secret_key"
chmod 444 "$dir/hs_ed25519_public_key" "$dir/hostname"
'';
};
# Q&A API systemd service
systemd.services.jetpham-qa-api = {
description = "Jet Pham Q&A API";
after = [ "network.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = true;
StateDirectory = "jetpham-qa";
WorkingDirectory = "/var/lib/jetpham-qa";
Environment = [
"QA_DB_PATH=/var/lib/jetpham-qa/qa.db"
"QA_NOTIFY_EMAIL=${cfg.qaNotifyEmail}"
"QA_MAIL_DOMAIN=${cfg.qaMailDomain}"
"QA_REPLY_DOMAIN=${cfg.qaReplyDomain}"
];
NoNewPrivileges = true;
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
ReadWritePaths = [ "/var/lib/jetpham-qa" ];
Restart = "on-failure";
RestartSec = 5;
LoadCredential = "webhook-secret:${webhookSecretPath}";
LoadCredential = "webhook-secret:${cfg.webhookSecretFile}";
};
script = ''
if [ ! -s "$CREDENTIALS_DIRECTORY/webhook-secret" ]; then
@ -131,51 +223,21 @@ in
fi
export WEBHOOK_SECRET="$(cat "$CREDENTIALS_DIRECTORY/webhook-secret")"
exec ${qaApi}/bin/jetpham-qa-api
exec ${lib.getExe qaApi}
'';
};
services.caddy.virtualHosts.${cfg.domain} = {
extraConfig = ''
header Cross-Origin-Opener-Policy "same-origin"
header Cross-Origin-Embedder-Policy "require-corp"
handle /api/* {
reverse_proxy 127.0.0.1:3003
}
handle /qa/rss.xml {
reverse_proxy 127.0.0.1:3003
}
handle {
root * ${package}
try_files {path} /index.html
file_server
}
'';
services.caddy.virtualHosts.${cfg.domain} = lib.mkIf cfg.caddy.enable {
extraConfig = caddyCommonConfig;
};
services.caddy.virtualHosts."http://:8888" = lib.mkIf cfg.tor.enable {
extraConfig = ''
bind 127.0.0.1
header Cross-Origin-Opener-Policy "same-origin"
header Cross-Origin-Embedder-Policy "require-corp"
handle /api/* {
reverse_proxy 127.0.0.1:3003
}
handle /qa/rss.xml {
reverse_proxy 127.0.0.1:3003
}
handle {
root * ${package}
try_files {path} /index.html
file_server
}
'';
};
services.caddy.virtualHosts."http://:${toString cfg.tor.port}" =
lib.mkIf (cfg.caddy.enable && cfg.tor.enable)
{
extraConfig = ''
bind 127.0.0.1
${caddyCommonConfig}
'';
};
};
}