-rw-r--r--flake.lock140
-rw-r--r--flake.nix7
-rw-r--r--modules/nixos/default.nix1
-rw-r--r--modules/nixos/hellohtml/default.nix121
4 files changed, 123 insertions, 146 deletions
diff --git a/flake.lock b/flake.lock
index 5d4a5c1..f541a33 100644
--- a/flake.lock
+++ b/flake.lock
@@ -65,73 +65,6 @@
"type": "github"
}
},
- "deno2nix": {
- "inputs": {
- "devshell": "devshell",
- "flake-compat": "flake-compat",
- "flake-utils": "flake-utils_2",
- "nixpkgs": [
- "hellohtml",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1694341738,
- "narHash": "sha256-zEosA90LiNd3/EFpZNKs7XPdY7PIsat19I6uJb/MuYU=",
- "owner": "SnO2WMaN",
- "repo": "deno2nix",
- "rev": "38dcc186763ab930acd1d751b4bfe3c0bd606ef3",
- "type": "github"
- },
- "original": {
- "owner": "SnO2WMaN",
- "repo": "deno2nix",
- "type": "github"
- }
- },
- "devshell": {
- "inputs": {
- "flake-utils": [
- "hellohtml",
- "deno2nix",
- "flake-utils"
- ],
- "nixpkgs": [
- "hellohtml",
- "deno2nix",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1667210711,
- "narHash": "sha256-IoErjXZAkzYWHEpQqwu/DeRNJGFdR7X2OGbkhMqMrpw=",
- "owner": "numtide",
- "repo": "devshell",
- "rev": "96a9dd12b8a447840cc246e17a47b81a4268bba7",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "devshell",
- "type": "github"
- }
- },
- "flake-compat": {
- "flake": false,
- "locked": {
- "lastModified": 1668681692,
- "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
- "owner": "edolstra",
- "repo": "flake-compat",
- "rev": "009399224d5e398d03b22badca40a37ac85412a1",
- "type": "github"
- },
- "original": {
- "owner": "edolstra",
- "repo": "flake-compat",
- "type": "github"
- }
- },
"flake-utils": {
"inputs": {
"systems": "systems"
@@ -151,43 +84,10 @@
}
},
"flake-utils_2": {
- "locked": {
- "lastModified": 1667395993,
- "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- },
- "flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
- "lastModified": 1701680307,
- "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- },
- "flake-utils_4": {
- "inputs": {
- "systems": "systems_3"
- },
- "locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
@@ -201,28 +101,6 @@
"type": "github"
}
},
- "hellohtml": {
- "inputs": {
- "deno2nix": "deno2nix",
- "flake-utils": "flake-utils_3",
- "nixpkgs": [
- "nixpkgs-unstable"
- ]
- },
- "locked": {
- "lastModified": 1703882017,
- "narHash": "sha256-2pu26Y+0oZfnbQ7/4KFUBzWYXj3PMkpkxIKaMI/xWAw=",
- "owner": "linnnus",
- "repo": "hellohtml",
- "rev": "57bcf2dd89d5f863520410278b9666725f2f9f77",
- "type": "github"
- },
- "original": {
- "owner": "linnnus",
- "repo": "hellohtml",
- "type": "github"
- }
- },
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -318,7 +196,7 @@
},
"push-notification-api": {
"inputs": {
- "flake-utils": "flake-utils_4",
+ "flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
@@ -341,7 +219,6 @@
"inputs": {
"agenix": "agenix",
"comma": "comma",
- "hellohtml": "hellohtml",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": "nixpkgs",
@@ -378,21 +255,6 @@
"repo": "default",
"type": "github"
}
- },
- "systems_3": {
- "locked": {
- "lastModified": 1681028828,
- "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
- "owner": "nix-systems",
- "repo": "default",
- "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
- "type": "github"
- },
- "original": {
- "owner": "nix-systems",
- "repo": "default",
- "type": "github"
- }
}
},
"root": "root",
diff --git a/flake.nix b/flake.nix
index 10d0c9a..1698f2d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,11 +27,6 @@
url = "github:linnnus/comma-zsh";
inputs.nixpkgs.follows = "nixpkgs";
};
- hellohtml = {
- url = "github:linnnus/hellohtml";
- # url = "path:/home/linus/hellohtml";
- inputs.nixpkgs.follows = "nixpkgs-unstable";
- };
};
outputs = {
@@ -41,7 +36,6 @@
nix-darwin,
agenix,
push-notification-api,
- hellohtml,
...
} @ inputs: let
args = {
@@ -94,7 +88,6 @@
home-manager.nixosModules.home-manager
agenix.nixosModules.default
push-notification-api.nixosModules.default
- hellohtml.nixosModules.default
./hosts/ahmed/configuration.nix
./hosts/common.nix
./home
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 4651c56..1393627 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -4,6 +4,7 @@
on-demand-minecraft = import ./on-demand-minecraft;
cloudflare-proxy = import ./cloudflare-proxy;
disable-screen = import ./disable-screen;
+ hellohtml = import ./hellohtml;
};
personal = {
diff --git a/modules/nixos/hellohtml/default.nix b/modules/nixos/hellohtml/default.nix
new file mode 100644
index 0000000..294244e
--- /dev/null
+++ b/modules/nixos/hellohtml/default.nix
@@ -0,0 +1,121 @@
+{ config, lib, pkgs, ... }:
+
+# FIXME: It is wasteful to always run the service. We should run on-demand instead.
+# This is usually achieved using SystemD sockets [4] but we are blocked on missing
+# features in Deno [1, 5].
+#
+# We have to be able to listen on a socket that's already been created by binding
+# an open file descriptor (or listening on stdin) [3]. This is not possible in Deno
+# as it is now [1, 2, 6].
+#
+# Once it becomes a possibility, we should mirror the way push-notification-api works
+# as of b9ed407 [8, 7].
+#
+# [1]: https://github.com/denoland/deno/issues/6529
+# [2]: https://github.com/denoland/deno/blob/1dd1aba2448c6c8a5a0370c4066a68aca06b859b/ext/net/ops_unix.rs#L207C34-L207C34
+# [3]: https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html#Description:~:text=Note%20that%20the,the%20service%20file).
+# [4]: https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html#Description:~:text=Socket%20units%20may%20be%20used%20to%20implement%20on%2Ddemand%20starting%20of%20services%2C%20as%20well%20as%20parallelized%20starting%20of%20services.%20See%20the%20blog%20stories%20linked%20at%20the%20end%20for%20an%20introduction.
+# [5]: https://github.com/denoland/deno/issues/14214
+# [6]: https://github.com/tokio-rs/tokio/issues/5678
+# [7]: https://github.com/benoitc/gunicorn/blob/660fd8d850f9424d5adcd50065e6060832a200d4/gunicorn/arbiter.py#L142-L155
+# [8]: https://github.com/linnnus/push-notification-api/tree/b9ed4071a4500a26b3b348a7f5fbc549e9694562
+
+let
+ cfg = config.services.hellohtml;
+in
+{
+ options.services.hellohtml = {
+ enable = lib.mkEnableOption "hellohtml service";
+
+ port = lib.mkOption {
+ description = "The port where hellohtml should listen.";
+ type = lib.types.port;
+ default = 8538;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Create a user for running service.
+ users.users.hellohtml = {
+ group = "hellohtml";
+ description = "Runs hellohtml service";
+ isSystemUser = true;
+ home = "/srv/hellohtml";
+ createHome = true; # Store DB here.
+ };
+ users.groups.hellohtml = { };
+
+ # Create hellohtml service.
+ systemd.services.hellohtml = {
+ description = "HelloHTML server!!!";
+
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig =
+ let
+ src = pkgs.fetchFromGitHub {
+ owner = "linnnus";
+ repo = "hellohtml";
+ rev = "8505b271f0db4e8b26c95fe04855ce88954d67f7";
+ hash = "sha256-om8w8K6EVxQ0Hn6VkCPtrc1qV48BpHzPQckOLpAiosI=";
+ };
+
+ hellohtml-vendor = pkgs.stdenv.mkDerivation {
+ name = "hellohtml-vendor";
+ nativeBuildInputs = [ pkgs.unstable.deno ];
+ inherit src;
+ buildCommand = ''
+ # Deno wants to create cache directories.
+ HOME="$(mktemp -d)"
+ # Thought this wasn't necessary???
+ cd $src
+ # Build directory containing offline deps + import map.
+ deno vendor --output=$out ./src/server.ts
+ '';
+ outputHashAlgo = "sha256";
+ outputHashMode = "recursive";
+ outputHash = "sha256-TMijSneZhvkAQb6TXF5mgf+nAcYogEfNYYpnui6i7PI";
+ };
+
+ hellohtml-drv = pkgs.writeShellScript "hellohtml" ''
+ export HELLOHTML_DB_PATH="${config.users.users.hellohtml.home}"/hello.db
+ export HELLOHTML_PORT=${toString cfg.port}
+ export HELLOHTML_BASE_DIR="${src}"
+
+ ${pkgs.unstable.deno}/bin/deno run \
+ --allow-read=$HELLOHTML_BASE_DIR,$HELLOHTML_DB_PATH,. \
+ --allow-write=$HELLOHTML_DB_PATH \
+ --allow-net=0.0.0.0:$HELLOHTML_PORT \
+ --allow-env \
+ --no-prompt \
+ --unstable-kv \
+ --import-map=${hellohtml-vendor}/import_map.json \
+ --no-remote \
+ ${src}/src/server.ts
+ '';
+ in
+ {
+ Type = "simple";
+ User = config.users.users.hellohtml.name;
+ Group = config.users.users.hellohtml.group;
+ ExecStart = "${hellohtml-drv}";
+
+ # Harden service
+ # NoNewPrivileges = "yes";
+ # PrivateTmp = "yes";
+ # PrivateDevices = "yes";
+ # DevicePolicy = "closed";
+ # ProtectControlGroups = "yes";
+ # ProtectKernelModules = "yes";
+ # ProtectKernelTunables = "yes";
+ # RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+ # RestrictNamespaces = "yes";
+ # RestrictRealtime = "yes";
+ # RestrictSUIDSGID = "yes";
+ # MemoryDenyWriteExecute = "yes";
+ # LockPersonality = "yes";
+ };
+ };
+ };
+}
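Review bot: The `.` entry in `--allow-read=$HELLOHTML_BASE_DIR,$HELLOHTML_DB_PATH,.` inside hellohtml-drv is resolved by Deno against the process working directory, and since the unit sets no `WorkingDirectory`, systemd's default for a system service is `/`, so the read sandbox effectively covers the whole filesystem; either drop the `.` entry or pin the cwd with `WorkingDirectory = config.users.users.hellohtml.home;` in serviceConfig. The bare `--allow-env` could likewise be narrowed to the variables the wrapper actually exports, `--allow-env=HELLOHTML_DB_PATH,HELLOHTML_PORT,HELLOHTML_BASE_DIR \`. The `# Harden service` block is entirely commented out even though the process already runs as a dedicated user; the options that do not touch memory protections can be switched on as below (with the home directory in `ReadWritePaths` so the DB stays writable under `ProtectSystem = "strict"`), while `MemoryDenyWriteExecute` is best left off because it is likely to break V8's JIT. Minor consistency point: the `outputHash` of hellohtml-vendor lacks the trailing `=` that the `hash` on the fetchFromGitHub call carries, which Nix appears to tolerate but is worth normalising.
```nix
      in
      {
        # … unchanged: Type, User, Group …
        # Pin the cwd: the "." entry in --allow-read resolves relative to it,
        # and systemd's default for system services is "/".
        WorkingDirectory = config.users.users.hellohtml.home;
        ExecStart = "${hellohtml-drv}";

        # Harden service. MemoryDenyWriteExecute stays off: it is likely to
        # break V8's JIT.
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        DevicePolicy = "closed";
        ProtectSystem = "strict";
        ReadWritePaths = [ config.users.users.hellohtml.home ]; # DB lives here.
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
      };
```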