content/blog/nix-unprivileged-deployments.md

@@ -123,72 +123,7 @@ module that will set this up:
 
 
 ```nix
-{
+# TODO: write this
-  config,
-  lib,
-  ...
-}:
-let
-  cfg = config.my.static-site;
-  sitesDir = "/var/lib/static-site";
-
-  user = config.users.users.static-site.name;
-  group = config.users.groups.static-site.name;
-
-in
-{
-  options = with lib; {
-    my.static-site = {
-      enable = mkEnableOption "Enable static site deployments";
-      keys = mkOption {
-        description = "list of ssh keys to give push access";
-        type = with types; listOf str;
-      };
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    users.users.static-site = {
-      inherit group;
-      isSystemUser = true;
-      # need shell access for deploys
-      useDefaultShell = true;
-      home = sitesDir;
-      openssh.authorizedKeys.keys = cfg.keys;
-    };
-
-    # make this user trusted (spooky)
-    nix.settings.trusted-users = [ user ];
-
-
-    users.groups.static-site = { };
-    services.nginx.virtualHosts = {
-      "saji.dev" = {
-        root = "${sitesDir}/public";
-        forceSSL = true;
-        useACMEHost = "saji.dev";
-        locations."/" = {
-          tryFiles = "$uri $uri/ =404";
-        };
-      };
-    };
-    # create the base static site directory, owned by the static-site user
-    systemd.tmpfiles.settings."static-site" = {
-      "${sitesDir}".d = {
-        user = user;
-        group = group;
-        mode = "0755";
-      };
-      # Create a dummy symlink to /dev/null
-      # this will not override an existing symlink, but it will
-      # make sure that the nginx configuration is valid
-      "${sitesDir}/public".L = {
-        argument = "/dev/null";
-      };
-
-
-    };
-  };
-}
 ```
 
 
@@ -280,31 +215,4 @@ called `LOCAL_KEY` which is a file that contains the signing key.
 
 Regardless of the outcome you choose, when you re-deploy, it should work properly.
 
-Let's see what happened on the server:
+Let's follow the symlink.
-
-```bash
-$ ls /var/lib/static-site/ -lah
-total 20K
-drwxr-xr-x  4 static-site static-site 4.0K Apr 19 23:32 .
-drwxr-xr-x 17 root        root        4.0K Apr 21 03:00 ..
-drwxr-xr-x  3 static-site static-site 4.0K Apr 17 19:57 .local
-drwxr-xr-x  2 static-site static-site 4.0K Apr 17 19:57 .nix-defexpr
-lrwxrwxrwx  1 static-site static-site   60 Apr 19 23:32 public -> /var/lib/static-site/.local/state/nix/profiles/mysite/public
-
-$ ls /var/lib/static-site/.local/state/nix/profiles/ -lah
-total 40K
-drwxr-xr-x 2 static-site static-site 4.0K Apr 19 23:32 .
-drwxr-xr-x 3 static-site static-site 4.0K Apr 17 19:57 ..
-lrwxrwxrwx 1 static-site static-site   13 Apr 19 23:32 mysite -> mysite-8-link
-lrwxrwxrwx 1 static-site static-site   62 Apr 17 19:57 mysite-1-link -> /nix/store/kbw9mna3934zqj0saz1snw1pbmxi95aq-activatable-myblog
-lrwxrwxrwx 1 static-site static-site   62 Apr 17 19:59 mysite-2-link -> /nix/store/aa0ai7vwv59alfmhrk29frcbipr6iv9f-activatable-myblog
-...
-lrwxrwxrwx 1 static-site static-site   62 Apr 17 21:33 mysite-8-link -> /nix/store/f1qsglj5zm6v0vzlllci3jqsay476d5l-activatable-myblog
-```
-
-We can get an idea of how this works:
-
-1. `/var/lib/static-site/public` points to the public folder in the `myblog` profile
-2. The profile is itself a link to `mysite-8-link`.
-3. `mysite-8-link` is also a link to a derivation in the nix store.
-

public/css/index.css

@@ -103,7 +103,7 @@ main :first-child {
 }
 
 header {
-	border-bottom: 1px dashed var(--color-white);
+	border-bottom: 1px dashed var(--color-gray-20);
 }
 header:after {
 	content: "";
@@ -113,7 +113,7 @@ header:after {
 
 .links-nextprev {
 	list-style: none;
-	border-top: 1px dashed var(--color-white);
+	border-top: 1px dashed var(--color-gray-20);
 	padding: 1em 0;
 }
 
@@ -283,7 +283,7 @@ h1, h2, h3 {
 }
 
 
-/* blockquote styling */
+/* Callout styles */
 
 blockquote {
   padding: 2em; /* Adjust padding as needed */