dotfiles/system/nixos/websites-tanker.nix
Daniel Kempkens 8ce1d3ca78
Update deps
2023-11-05 13:39:55 +01:00


{ pkgs, ... }:
let
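# kempkens.io: Hugo site built from a pinned revision and pre-compressed
# (.gz / .br siblings next to each text asset) for static serving.
kempkens-io = pkgs.stdenvNoCC.mkDerivation {
  pname = "website-kempkens-io";
  version = "2023-09-18";

  # Supply chain: `rev` pins the exact commit and `hash` pins the fetched tree
  # (submodules included, because fetchSubmodules = true). If the upstream
  # repository or a submodule serves different content for this revision, the
  # fetch fails on a hash mismatch instead of silently changing the site.
  # Bump `rev`, `hash` and `version` together.
  src = pkgs.fetchFromGitea {
    domain = "git.kempkens.io";
    owner = "daniel";
    repo = "kempkens.io";
    rev = "3d351cb5d5c32fc1f7e97af45846c977e16f39bf";
    hash = "sha256-83tTDWJCbg5CEXjXiH+dpmBu/4pQsjHBOVMj4j7nsWc=";
    fetchSubmodules = true;
  };

  nativeBuildInputs = with pkgs; [ brotli hugo ];

  # The compressors run via `-exec ... {} +` rather than `-exec ... {} ';'`:
  # with `';'` find ignores a failing gzip/brotli and the build still succeeds
  # with assets missing their pre-compressed siblings; with `+` find exits
  # non-zero and the phase aborts. The regex must match the whole path, so the
  # freshly written .gz files are not picked up by the brotli pass.
  installPhase = ''
    runHook preInstall

    mkdir -p "$out"
    hugo
    find public -type f -regextype posix-extended -iregex '.*\.(css|js|json|html|txt|woff|woff2|xml)' \
      -exec gzip --best --keep {} +
    find public -type f -regextype posix-extended -iregex '.*\.(css|js|json|html|txt|woff|woff2|xml)' \
      -exec brotli --best --keep {} +
    mv public "$out"/

    runHook postInstall
  '';
};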
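# blog.kempkens.io: Hugo site built from a pinned revision and pre-compressed
# (.gz / .br siblings next to each text asset) for static serving.
blog-kempkens-io = pkgs.stdenvNoCC.mkDerivation {
  pname = "website-blog-kempkens-io";
  version = "2023-09-18";

  # Supply chain: `rev` pins the exact commit and `hash` pins the fetched tree
  # (submodules included, because fetchSubmodules = true). A changed upstream
  # repository or submodule fails the fetch on a hash mismatch instead of
  # silently changing the published blog.
  # Bump `rev`, `hash` and `version` together.
  src = pkgs.fetchFromGitea {
    domain = "git.kempkens.io";
    owner = "daniel";
    repo = "blog.kempkens.io";
    rev = "781c9479051ec7a096a36f51b96030b8cd49b165";
    hash = "sha256-H/To8dcbEbYklpZAr5mQxAjneNd7vPsNBhfeocJ9amo=";
    fetchSubmodules = true;
  };

  nativeBuildInputs = with pkgs; [ brotli hugo ];

  # `-exec ... {} +` instead of `-exec ... {} ';'`: find propagates a failing
  # gzip/brotli as a non-zero exit, so a broken compression step fails the
  # build rather than shipping assets without their pre-compressed siblings.
  # The regex matches the whole path, so the .gz output of the first pass is
  # not compressed again by the second.
  installPhase = ''
    runHook preInstall

    mkdir -p "$out"
    hugo
    find public -type f -regextype posix-extended -iregex '.*\.(css|js|json|html|txt|woff|woff2|xml)' \
      -exec gzip --best --keep {} +
    find public -type f -regextype posix-extended -iregex '.*\.(css|js|json|html|txt|woff|woff2|xml)' \
      -exec brotli --best --keep {} +
    mv public "$out"/

    runHook postInstall
  '';
};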
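# Pre-rendered documentation for the nifoc.pw projects. The repository already
# contains the generated `site` tree, so nothing is built here; the files are
# only pre-compressed and copied into the store.
docs-nifoc-pw = pkgs.stdenvNoCC.mkDerivation {
  pname = "website-docs-nifoc-pw";
  version = "2021-08-30";

  # Supply chain: pinned by commit and content hash. The SRI value is passed
  # as `hash`, the same attribute the other two site derivations in this file
  # use, instead of the older `sha256` spelling.
  src = pkgs.fetchFromGitHub {
    owner = "nifoc";
    repo = "nifoc.pw-docs";
    rev = "24034da912e3d7fddc447734ca4c9a5951a0fa32";
    hash = "sha256-GwVwbLUbxpFidOU1CTHFbYs/MscHpsqiYmnyvLtnYjM=";
    fetchSubmodules = false;
  };

  nativeBuildInputs = with pkgs; [ brotli ];

  # `-exec ... {} +` instead of `-exec ... {} ';'`: a failing gzip/brotli makes
  # find exit non-zero and aborts the phase, where `';'` would have let the
  # build succeed with missing .gz / .br files.
  installPhase = ''
    runHook preInstall

    mkdir -p "$out"
    find site -type f -regextype posix-extended -iregex '.*\.(css|js|json|html|txt|woff|woff2|xml)' \
      -exec gzip --best --keep {} +
    find site -type f -regextype posix-extended -iregex '.*\.(css|js|json|html|txt|woff|woff2|xml)' \
      -exec brotli --best --keep {} +
    mv site "$out"/

    runHook postInstall
  '';
};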
in
{
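# nginx virtual hosts for the static sites built above.
#
# Response-header notes that apply to every vhost in this block:
# - nginx inherits server-level `add_header` directives into a location only
#   when that location declares no `add_header` of its own. Adding a single
#   header inside any `locations.*.extraConfig` drops all headers set at the
#   vhost level for that location, so they would have to be repeated there.
# - Without `always`, nginx attaches a header only to 200/201/204/206 and
#   301/302/303/304/307/308 responses. The security headers below carry
#   `always` so that error pages (404, 5xx) are covered as well.
services.nginx = {
  virtualHosts = {
    # kempkens.io
    #
    # NOTE(review): X-XSS-Protection is a legacy header; most current browsers
    # have removed the filter it controlled, and the CSP is the effective
    # control. It is kept here unchanged; consider dropping it or sending "0".
    # NOTE(review): style-src permits 'unsafe-inline' and every stylesheet
    # hosted on https://cdnjs.cloudflare.com, not one specific file. Self-host
    # the stylesheet if the third-party origin is not needed.
    "kempkens.io" = {
      quic = true;
      http3 = true;
      kTLS = true;
      root = "${kempkens-io}/public";
      forceSSL = true;
      useACMEHost = "kempkens.io";
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options DENY always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy no-referrer always;
        add_header Content-Security-Policy "default-src 'none'; manifest-src https://kempkens.io; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'" always;
      '';
      locations = {
        "/id".return = "307 https://keyoxide.org/028BCE9BABB5145AAAA1FB8410BE1D47E5ADFF92";
        "/.well-known/host-meta".return = "301 https://mastodon.kempkens.io/.well-known/host-meta";
        "/.well-known/webfinger".return = "301 https://mastodon.kempkens.io$request_uri";
        # The Matrix well-known documents are extensionless files under the
        # site root; default_type makes nginx label them as JSON. These
        # locations set no add_header, so the vhost headers above still apply.
        "/.well-known/matrix/server".extraConfig = ''
          default_type application/json;
        '';
        "/.well-known/matrix/client".extraConfig = ''
          default_type application/json;
        '';
      };
    };

    # Redirect-only vhost. `addSSL` serves it on plain HTTP as well as HTTPS;
    # browsers honour the HSTS header only on the HTTPS responses.
    "www.kempkens.io" = {
      quic = true;
      http3 = true;
      addSSL = true;
      useACMEHost = "kempkens.io";
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      '';
      globalRedirect = "kempkens.io";
    };

    # blog.kempkens.io
    #
    # Same header set as kempkens.io, with a CSP that allows no third-party
    # origin. NOTE(review): style-src still permits 'unsafe-inline'.
    "blog.kempkens.io" = {
      quic = true;
      http3 = true;
      kTLS = true;
      root = "${blog-kempkens-io}/public";
      forceSSL = true;
      useACMEHost = "kempkens.io";
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options DENY always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy no-referrer always;
        add_header Content-Security-Policy "default-src 'none'; manifest-src https://blog.kempkens.io; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'" always;
      '';
    };
  } // builtins.listToAttrs (builtins.map
    # Documentation
    #
    # One vhost per project, each rooted at its own sub-directory of the docs
    # derivation.
    # NOTE(review): these vhosts enable directory listings and send none of
    # the security headers used on the kempkens.io hosts (no HSTS, nosniff,
    # frame or CSP policy). The listing exposes only what is in the store
    # path, which includes the generated .gz / .br siblings. Confirm that the
    # listing is intended, and consider at least HSTS and nosniff here.
    (domain: {
      name = domain;
      value = {
        quic = true;
        http3 = true;
        kTLS = true;
        root = "${docs-nifoc-pw}/site/${domain}";
        forceSSL = true;
        useACMEHost = "nifoc.pw";
        extraConfig = ''
          autoindex on;
          autoindex_format html;
        '';
      };
    })
    [ "katja.nifoc.pw" "katja_vmstats.nifoc.pw" "noesis.nifoc.pw" "propagator.nifoc.pw" ]);
};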
}