From 7838819c86bce193a86a18deabc5fcc289688758 Mon Sep 17 00:00:00 2001 From: Patrick Date: Fri, 13 Sep 2024 21:23:31 +0200 Subject: [PATCH] feat: blog hosting with signal to bot --- config/services/blog.nix | 73 ++++++++++++++----- flake.lock | 10 +-- flake.nix | 54 +++++--------- hosts/elisabeth/secrets/blog/secrets.nix.age | Bin 0 -> 840 bytes pkgs/default.nix | 29 ++++---- pkgs/signal-to-blog.nix | 13 ++++ 6 files changed, 103 insertions(+), 76 deletions(-) create mode 100644 hosts/elisabeth/secrets/blog/secrets.nix.age create mode 100644 pkgs/signal-to-blog.nix diff --git a/config/services/blog.nix b/config/services/blog.nix index 2949f71..7bd416f 100644 --- a/config/services/blog.nix +++ b/config/services/blog.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let prestart = pkgs.writeShellScript "blog-pre" '' if [ ! -d ./.ssh ]; then @@ -8,20 +8,18 @@ let ssh-keygen -t ed25519 -N "" -f .ssh/id_ed25519 fi if [ ! -d ./blog ]; then - ${lib.getExe pkgs.git} clone --recurse-submodules ssh://git@forge.lel.lol:9922/patrick/blog.git |\ + ${ + lib.getExe pkgs.git + } clone --recurse-submodules ssh://git@forge.lel.lol:9922/patrick/blog.git ||\ echo "failed to clone the repository did you forget to add the ssh key?" fi ''; -in -{ +in { wireguard.elisabeth = { client.via = "elisabeth"; firewallRuleForNode.elisabeth.allowedTCPPorts = [ 80 ]; }; - environment.systemPackages = [ - pkgs.signal-cli - pkgs.cargo - ]; + environment.systemPackages = [ pkgs.signal-cli pkgs.cargo ]; services.nginx = { enable = true; user = "blog"; 
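Review bot: A failed clone in the `blog-pre` script of config/services/blog.nix still exits successfully, because `|| echo …` replaces git's error status with that of the echo. The hint then exists only in the journal, and whatever unit runs this script presumably continues without a checkout. If startup should stop at that point, `|| { echo "failed to clone the repository did you forget to add the ssh key?" >&2; exit 1; }` keeps the message and propagates the failure. The unit that uses `prestart` is defined outside this hunk, so whether a hard failure is wanted on first boot, before the generated key has been registered, should be checked there.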
@@ -30,16 +28,15 @@ in }; }; programs.ssh.knownHosts = { - "[forge.lel.lol]:9922".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWoGqHwkLVFXJwYcKs3CjQognvlZmROUIgkvvUgNalx"; + "[forge.lel.lol]:9922".publicKey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWoGqHwkLVFXJwYcKs3CjQognvlZmROUIgkvvUgNalx"; }; - environment.persistence."/persist".directories = [ - { - directory = "/var/lib/blog"; - user = "blog"; - group = "blog"; - mode = "0700"; - } - ]; + environment.persistence."/persist".directories = [{ + directory = "/var/lib/blog"; + user = "blog"; + group = "blog"; + mode = "0700"; + }]; systemd.timers.blog-update = { wantedBy = [ "timers.target" ]; timerConfig = { @@ -56,10 +53,21 @@ in systemd.services.blog-update = { script = '' - ${lib.getExe pkgs.git} -C blog pull - ${lib.getExe pkgs.zola} -r blog/public build + cd blog + if (git add . && git diff --quiet && git diff --cached --quiet) + then + echo "Nothing to commit" + else + echo "Commiting newest changes" + git -c user.name="blog-bot" \ + -c user.email="blog-bot@${config.secrets.secrets.global.domains.mail_public}" \ + commit -m "Automatic commit for blog on $(date -u -I)" + fi + git pull --rebase + git push + ${lib.getExe pkgs.zola} -r public build ''; - path = [ pkgs.openssh ]; + path = [ pkgs.openssh pkgs.git ]; serviceConfig = { Requires = "blog"; Type = "oneshot"; 
@@ -75,4 +83,29 @@ in }; }; + systemd.services.signal-to-blog = { + script = '' + ${lib.getExe pkgs.signal-to-blog} \ + --allowed-sender "${config.secrets.secrets.local.allowedSender}" \ + --data-folder "data" \ + --output-folder ~/blog/public/content/journal/ \ + --url "https://blog.lel.lol/journal" \ + --timezone 2 + ''; + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.signal-cli ]; + serviceConfig = { + Requires = "blog"; + Type = "oneshot"; + User = "blog"; + Group = "blog"; + StateDirectory = "blog"; + WorkingDirectory = "/var/lib/blog/signal"; + LimitNOFILE = "1048576"; + PrivateTmp = true; + PrivateDevices = true; + StateDirectoryMode = "0700"; + }; + }; + } diff --git a/flake.lock b/flake.lock index 38a1256..43d4407 100644 --- a/flake.lock +++ b/flake.lock @@ -1718,16 +1718,16 @@ "nixpkgs-stable": "nixpkgs-stable_5" }, "locked": { - "lastModified": 1724857454, - "narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=", + "lastModified": 1725513492, + "narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=", "owner": "cachix", - "repo": "pre-commit-hooks.nix", - "rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6", + "repo": "git-hooks.nix", + "rev": "7570de7b9b504cfe92025dd1be797bf546f66528", "type": "github" }, "original": { "owner": "cachix", - "repo": "pre-commit-hooks.nix", + "repo": "git-hooks.nix", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 46332af..b1880fc 100644 --- a/flake.nix +++ b/flake.nix @@ -62,7 +62,7 @@ }; pre-commit-hooks = { - url = "github:cachix/pre-commit-hooks.nix"; + url = "github:cachix/git-hooks.nix"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -108,13 +108,7 @@ }; outputs = - { - self, - nixos-generators, - nixos-extra-modules, - nix-topology, - ... - }@inputs: + { self, nixos-generators, nixos-extra-modules, nix-topology, ... }@inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } { imports = [ ./nix/agenix-rekey.nix 
@@ -124,36 +118,26 @@ nix-topology.flakeModule ]; - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; + systems = [ "x86_64-linux" "aarch64-linux" ]; - perSystem = - { pkgs, system, ... }: - { - topology.modules = [ ./nix/topology.nix ]; - apps.setupHetznerStorageBoxes = - import (nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") - { - inherit pkgs; - nixosConfigurations = inputs.self.nodes; - decryptIdentity = builtins.head self.secretsConfig.masterIdentities; - }; - packages.live-iso = nixos-generators.nixosGenerate { + perSystem = { pkgs, system, ... }: { + topology.modules = [ ./nix/topology.nix ]; + apps.setupHetznerStorageBoxes = import + (nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") { inherit pkgs; - modules = [ - ./nix/installer-configuration.nix - ./config/basic/ssh.nix - ]; - format = - { - x86_64-linux = "install-iso"; - aarch64-linux = "sd-aarch64-installer"; - } - .${system}; + nixosConfigurations = inputs.self.nodes; + decryptIdentity = builtins.head self.secretsConfig.masterIdentities; }; - + packages.live-iso = nixos-generators.nixosGenerate { + inherit pkgs; + modules = + [ ./nix/installer-configuration.nix ./config/basic/ssh.nix ]; + format = { + x86_64-linux = "install-iso"; + aarch64-linux = "sd-aarch64-installer"; + }.${system}; }; + + }; }; } 
diff --git a/hosts/elisabeth/secrets/blog/secrets.nix.age b/hosts/elisabeth/secrets/blog/secrets.nix.age new file mode 100644 index 0000000000000000000000000000000000000000..9b1e4c52f1b7276c0b023a98a83d17194ce45508 GIT binary patch literal 840 zcmY+XQ|}aiS77qCq9m=Q}CC>UmRcJTkK=29T@4* zp&Jtj#BE?>VF9tQuvCbZp+A6u?T7{Fz;J%S^S&Y6kM{Yt>Wd~mJw$zq zWyvY3@dFm7#YS`cB3{=xz^19x$hf*3gV-Tbf0lrAu7@k3L%pyyF+10cSFk^Glack=} zR=W!tk!9oUYpbzGu-b?99wj=o`ylmX^uZkZ*(3DvJ#PN)WrDOFZ2Zi0VBp3!AU7Uc z>}VeZjoV_*(qqU#izVGwlD$Dhs<|IuoojohrcELxsTUQ9*o$WE(BfuLCNX5(X(|kJ zcBv|D?icz_oUeEZUR;dhbB&BfBUBY5AuK3mESV~nR$9qhr4d%iYI5)!tlo*NHql+e z4J!`mUyjl@zq$O8dH&bWQ|%?Qk^Xsg>#p;|dvCn;sc`)A!|+aU`RBU4{`{T$&%R1H z`|Zbf3HSDQ@1u__`qgjc*Pj^AuAdgeM?Zb<{{6*^J0Ji0Jo^3HKR&yE{bc?N{_tN+ CPa44h literal 0 HcmV?d00001 diff --git a/pkgs/default.nix b/pkgs/default.nix index b3fd76d..ab24f33 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix 
@@ -6,26 +6,23 @@ _inputs: [ actual = prev.callPackage ./actual.nix { }; pr-tracker = prev.callPackage ./pr-tracker.nix { }; deploy = prev.callPackage ./deploy.nix { }; + signal-to-blog = prev.callPackage ./signal-to-blog.nix { }; minion = prev.callPackage ./minion.nix { }; mongodb-bin = prev.callPackage ./mongodb-bin.nix { }; awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix { }; - neovim-clean = prev.neovim-unwrapped.overrideAttrs ( - _neovimFinal: neovimPrev: { - nativeBuildInputs = (neovimPrev.nativeBuildInputs or [ ]) ++ [ prev.makeWrapper ]; - postInstall = - (neovimPrev.postInstall or "") - + '' - wrapProgram $out/bin/nvim --add-flags "--clean" - ''; - } - ); - path-of-building = prev.path-of-building.overrideAttrs (old: { - postFixup = - (old.postFixup or "") - + '' - wrapProgram $out/bin/pobfrontend \ - --set QT_QPA_PLATFORM xcb + neovim-clean = prev.neovim-unwrapped.overrideAttrs + (_neovimFinal: neovimPrev: { + nativeBuildInputs = (neovimPrev.nativeBuildInputs or [ ]) + ++ [ prev.makeWrapper ]; + postInstall = (neovimPrev.postInstall or "") + '' + wrapProgram $out/bin/nvim --add-flags "--clean" ''; + }); + path-of-building = prev.path-of-building.overrideAttrs (old: { + postFixup = (old.postFixup or "") + '' + wrapProgram $out/bin/pobfrontend \ + --set QT_QPA_PLATFORM xcb + ''; }); #pythonPackagesExtension = prev.pythonPackagesExtension ++ [ # (_pythonFinal: pythonPrev: { diff --git a/pkgs/signal-to-blog.nix b/pkgs/signal-to-blog.nix new file mode 100644 index 0000000..f04535e --- /dev/null +++ b/pkgs/signal-to-blog.nix @@ -0,0 +1,13 @@ +{ rustPlatform, fetchgit, }: +rustPlatform.buildRustPackage { + name = "signal-to-blog"; + + src = fetchgit { + url = "https://forge.lel.lol/patrick/signal-to-blog.git"; + rev = "b2c44e90030b1333e20012641904080def43b6dd"; + hash = "sha256-H846+65ImZqbUHt91xc8GCcNszXMnvTi+4jAs+JYLLA="; + }; + + cargoHash = "sha256-0LLSxVpql6bFoSS3hsns5JuptJCmn4LxKjG7clPDrm8="; + +}
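Review bot: pkgs/signal-to-blog.nix sets only `name`, so the derivation carries no version and no `meta.mainProgram`, while config/services/blog.nix calls `lib.getExe pkgs.signal-to-blog`, which has to guess the binary name when that attribute is missing. Assuming the crate's binary is named like the package, `pname = "signal-to-blog"; version = "<version>";` together with `meta.mainProgram = "signal-to-blog";` makes the executable explicit. The source is pinned by `rev` and `hash` with a matching `cargoHash`, which is what keeps the build reproducible. A short comment such as `# bump rev, then refresh hash and cargoHash together` would tell the next maintainer how to update the pin without leaving the hashes out of step.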