@ -123,7 +123,72 @@ module that will set this up:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```nix
|
|
|
|
|
# TODO: write this
|
|
|
|
|
{
|
|
|
|
|
config,
|
|
|
|
|
lib,
|
|
|
|
|
...
|
|
|
|
|
}:
|
|
|
|
|
let
|
|
|
|
|
cfg = config.my.static-site;
|
|
|
|
|
sitesDir = "/var/lib/static-site";
|
|
|
|
|
|
|
|
|
|
user = config.users.users.static-site.name;
|
|
|
|
|
group = config.users.groups.static-site.name;
|
|
|
|
|
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
options = with lib; {
|
|
|
|
|
my.static-site = {
|
|
|
|
|
enable = mkEnableOption "Enable static site deployments";
|
|
|
|
|
keys = mkOption {
|
|
|
|
|
description = "list of ssh keys to give push access";
|
|
|
|
|
type = with types; listOf str;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
|
users.users.static-site = {
|
|
|
|
|
inherit group;
|
|
|
|
|
isSystemUser = true;
|
|
|
|
|
# need shell access for deploys
|
|
|
|
|
useDefaultShell = true;
|
|
|
|
|
home = sitesDir;
|
|
|
|
|
openssh.authorizedKeys.keys = cfg.keys;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# make this user trusted (spooky)
|
|
|
|
|
nix.settings.trusted-users = [ user ];
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
users.groups.static-site = { };
|
|
|
|
|
services.nginx.virtualHosts = {
|
|
|
|
|
"saji.dev" = {
|
|
|
|
|
root = "${sitesDir}/public";
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
useACMEHost = "saji.dev";
|
|
|
|
|
locations."/" = {
|
|
|
|
|
tryFiles = "$uri $uri/ =404";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
# create the base static site directory, owned by the static-site user
|
|
|
|
|
systemd.tmpfiles.settings."static-site" = {
|
|
|
|
|
"${sitesDir}".d = {
|
|
|
|
|
user = user;
|
|
|
|
|
group = group;
|
|
|
|
|
mode = "0755";
|
|
|
|
|
};
|
|
|
|
|
# Create a dummy symlink to /dev/null
|
|
|
|
|
# this will not override an existing symlink, but it will
|
|
|
|
|
# make sure that the nginx configuration is valid
|
|
|
|
|
"${sitesDir}/public".L = {
|
|
|
|
|
argument = "/dev/null";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
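Review bot: In the added module, `nix.settings.trusted-users = [ user ];` is explained only as "(spooky)", yet it sits beside `useDefaultShell = true` and `openssh.authorizedKeys.keys = cfg.keys`, so every key in `cfg.keys` gets a shell as a user the Nix daemon trusts. The Nix manual describes trusted users as essentially equivalent to root, and the comment should say so outright, e.g. `# trusted-users are effectively root on this host: every key in cfg.keys carries that power`. Since the post already has a signing key (`LOCAL_KEY`), the narrower setup is probably to leave the user untrusted and list the matching public key instead, `nix.settings.trusted-public-keys = [ "<deploy-signing-public-key>" ];` (placeholder value), so the daemon accepts only paths signed by that key. If the trusted user stays, the description of the `keys` option should state that it is a list of root-equivalent credentials.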
@ -215,4 +280,31 @@ called `LOCAL_KEY` which is a file that contains the signing key.
|
|
|
|
|
|
|
|
|
|
Regardless of the outcome you choose, when you re-deploy, it should work properly.
|
|
|
|
|
|
|
|
|
|
Let's follow the symlink.
|
|
|
|
|
Let's see what happened on the server:
|
|
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
$ ls /var/lib/static-site/ -lah
|
|
|
|
|
total 20K
|
|
|
|
|
drwxr-xr-x 4 static-site static-site 4.0K Apr 19 23:32 .
|
|
|
|
|
drwxr-xr-x 17 root root 4.0K Apr 21 03:00 ..
|
|
|
|
|
drwxr-xr-x 3 static-site static-site 4.0K Apr 17 19:57 .local
|
|
|
|
|
drwxr-xr-x 2 static-site static-site 4.0K Apr 17 19:57 .nix-defexpr
|
|
|
|
|
lrwxrwxrwx 1 static-site static-site 60 Apr 19 23:32 public -> /var/lib/static-site/.local/state/nix/profiles/mysite/public
|
|
|
|
|
|
|
|
|
|
$ ls /var/lib/static-site/.local/state/nix/profiles/ -lah
|
|
|
|
|
total 40K
|
|
|
|
|
drwxr-xr-x 2 static-site static-site 4.0K Apr 19 23:32 .
|
|
|
|
|
drwxr-xr-x 3 static-site static-site 4.0K Apr 17 19:57 ..
|
|
|
|
|
lrwxrwxrwx 1 static-site static-site 13 Apr 19 23:32 mysite -> mysite-8-link
|
|
|
|
|
lrwxrwxrwx 1 static-site static-site 62 Apr 17 19:57 mysite-1-link -> /nix/store/kbw9mna3934zqj0saz1snw1pbmxi95aq-activatable-myblog
|
|
|
|
|
lrwxrwxrwx 1 static-site static-site 62 Apr 17 19:59 mysite-2-link -> /nix/store/aa0ai7vwv59alfmhrk29frcbipr6iv9f-activatable-myblog
|
|
|
|
|
...
|
|
|
|
|
lrwxrwxrwx 1 static-site static-site 62 Apr 17 21:33 mysite-8-link -> /nix/store/f1qsglj5zm6v0vzlllci3jqsay476d5l-activatable-myblog
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
We can get an idea of how this works:
|
|
|
|
|
|
|
|
|
|
1. `/var/lib/static-site/public` points to the public folder in the `myblog` profile
|
|
|
|
|
2. The profile is itself a link to `mysite-8-link`.
|
|
|
|
|
3. `mysite-8-link` is also a link to a derivation in the nix store.
|
|
|
|
|
|
|
|
|
|