show mobile menu toggle in mode-sensitive color

- move the impure single-node deploy helper here

  it's not used anywhere else

- reuse the pins from the website

  this needs to be cleaned up later

- don't copy the config to the server

  it's impure (can't even build that without jumping through hoops), and useless when building via SSH

Reviewed-on: Fediversity/Fediversity#1

.gitignore

@@ -0,0 +1,3 @@
+.envrc
+.direnv
+result

server/README.md

@@ -0,0 +1,15 @@
+# fediversity.eu webserver
+
+This directory contains the configuration for the server hosting https://fediversity.eu
+
+Build the configuration:
+
+```bash
+nix-build -A machine
+```
+
+Deploy via SSH:
+
+```bash
+env SSH_OPTS="..." nix-shell --run deploy-webserver
+```

server/configuration.nix

@@ -1,4 +1,3 @@
-
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
@@ -7,7 +6,8 @@
 
 {
   imports =
-    [ # Include the results of the hardware scan.
+    [
+      # Include the results of the hardware scan.
       ./hardware-configuration.nix
     ];
 
@@ -32,44 +32,44 @@
     forceSSL = true;
     globalRedirect = "www.fediversity.eu";
     locations."/.well-known/matrix/client" = {
-       extraConfig = ''
-	return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
-	default_type application/json;
-	add_header Access-Control-Allow-Origin "*";
-	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+      extraConfig = ''
+        	return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
+        	default_type application/json;
+        	add_header Access-Control-Allow-Origin "*";
+        	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+        	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
       '';
     };
     locations."/.well-known/matrix/server" = {
-       extraConfig = ''
-	return 200 '{"m.server": "matrix.fediversity.eu:443"}';
-	default_type application/json;
-	add_header Access-Control-Allow-Origin "*";
-	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+      extraConfig = ''
+        	return 200 '{"m.server": "matrix.fediversity.eu:443"}';
+        	default_type application/json;
+        	add_header Access-Control-Allow-Origin "*";
+        	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+        	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
       '';
     };
   };
   services.nginx.virtualHosts."www.fediversity.eu" = {
     enableACME = true;
     forceSSL = true;
-    root = "/var/www/www.fediversity.eu/fediversity.eu/public";
+    root = "${(import ../website { }).build}";
     locations."/.well-known/matrix/client" = {
-       extraConfig = ''
-	return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
-	default_type application/json;
-	add_header Access-Control-Allow-Origin "*";
-	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+      extraConfig = ''
+        	return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
+        	default_type application/json;
+        	add_header Access-Control-Allow-Origin "*";
+        	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+        	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
       '';
     };
     locations."/.well-known/matrix/server" = {
-       extraConfig = ''
-	return 200 '{"m.server": "matrix.fediversity.eu:443"}';
-	default_type application/json;
-	add_header Access-Control-Allow-Origin "*";
-	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+      extraConfig = ''
+        	return 200 '{"m.server": "matrix.fediversity.eu:443"}';
+        	default_type application/json;
+        	add_header Access-Control-Allow-Origin "*";
+        	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+        	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
       '';
     };
   };
@@ -197,13 +197,14 @@
   # Select internationalisation properties.
   i18n.defaultLocale = "en_US.UTF-8";
 
+  security.sudo.wheelNeedsPassword = false;
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.procolix = {
     isNormalUser = true;
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
     openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
-    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
     ];
     packages = with pkgs; [
     ];
@@ -212,7 +213,7 @@
     isNormalUser = true;
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
     openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK4ZB0Xnpf8yyK4QOI2HvjgQINI3GKi7/O2VEsYXUb laurenshof@Laurenss-MacBook-Air.local"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK4ZB0Xnpf8yyK4QOI2HvjgQINI3GKi7/O2VEsYXUb laurenshof@Laurenss-MacBook-Air.local"
     ];
     packages = with pkgs; [
     ];
@@ -221,7 +222,7 @@
     isNormalUser = true;
     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
     openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
     ];
     packages = with pkgs; [
     ];
@@ -245,24 +246,17 @@
     })
     wget
     git
-    hugo
-    go
-    nodejs
   ];
 
   # List services that you want to enable:
 
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
 
   # Enable xe-guest-utilities
   services.xe-guest-utilities.enable = true;
 
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-  system.copySystemConfiguration = true;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
@@ -272,4 +266,3 @@
   system.stateVersion = "23.11"; # Did you read the comment?
 
 }
-

server/default.nix

@@ -0,0 +1,46 @@
+{ sources ? import ../website/npins
+, system ? builtins.currentSystem
+, pkgs ? import sources.nixpkgs {
+    inherit system;
+    config = { };
+    overlays = [ ];
+  }
+, lib ? import "${sources.nixpkgs}/lib"
+}:
+let
+  # TODO: don't hard code target hosts; wire all of it up with NixOps4
+  host = "vm02117.procolix.com";
+  deploy = pkgs.writeShellApplication {
+    name = "deploy-webserver";
+    text = ''
+      # HACK: decouple system evaluation from shell evaluation
+      # the structured way for using this hack is encoded in https://github.com/fricklerhandwerk/lazy-drv
+      result="$(nix-build ${toString ./.} -A machine --no-out-link --eval-store auto --store ssh-ng://${host})"
+      # shellcheck disable=SC2087
+      ssh ${host} << EOF
+      sudo nix-env -p /nix/var/nix/profiles/system --set "$result"
+      sudo "$result"/bin/switch-to-configuration switch
+      EOF
+    '';
+  };
+  nixos-configuration = config:
+    import "${pkgs.path}/nixos/lib/eval-config.nix" {
+      modules = [
+        config
+      ];
+      system = null;
+    };
+in
+rec {
+  nixos = nixos-configuration ./configuration.nix;
+  machine = nixos.config.system.build.toplevel;
+  shell = pkgs.mkShellNoCC {
+    packages = with pkgs; [
+      deploy
+    ];
+    env = {
+      # TODO: reusing other pins for now; wire up the whole repo to use the same dependencies
+      NPINS_DIRECTORY = toString ../website/npins;
+    };
+  };
+}

server/shell.nix

@@ -0,0 +1 @@
+(import ./. { }).shell

services/README.md

@@ -57,16 +57,6 @@ nix build .#installers.peertube
 Upload the image in `./result` to Proxmox when creating a VM.
 Booting the image will format the disk and install NixOS with the desired configuration.
 
-# Deploying an updated machine configuration
-
-> TODO: There is currently no way to specify an actual target machine by name.
-
-Assuming you have SSH configuration with access to the remote `root` user stored for a machine called e.g. `peertube`, deploy the configuration by the same name:
-
-```bash
-nix run .#deploy.peertube
-```
-
 ## debugging notes
 
 - it is sometimes useful to `cat result/bin/run-nixos-vm` to see what's really going on (e.g. which ports are getting forwarded)

services/deploy.nix

@@ -1,13 +0,0 @@
-{ writeShellApplication }:
-name: _config:
-writeShellApplication {
-  name = "deploy";
-  text = ''
-    result="$(nix build --print-out-paths ${./.}#nixosConfigurations#${name} --eval-store auto --store ssh-ng://${name})"
-    # shellcheck disable=SC2087
-    ssh ${name} << EOF
-    nix-env -p /nix/var/nix/profiles/system --set "$result"
-    "$result"/bin/switch-to-configuration switch
-    EOF
-  '';
-}

services/flake.nix

@@ -114,12 +114,6 @@
       mkInstaller = import ./installer.nix;
       installers = lib.mapAttrs (_: config: self.mkInstaller nixpkgs config) self.nixosConfigurations;
 
-      deploy =
-        let
-          deployCommand = (pkgs.callPackage ./deploy.nix { });
-        in
-        lib.mapAttrs (name: config: deployCommand name config) self.nixosConfigurations;
-
       checks.${system} = {
         mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
         pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };

website/presentation/style.css

@@ -127,8 +127,10 @@ header > nav > ul > li > details > nav ul li {
   padding: 0.25em 0;
 }
 
-#menu-toggle {
+#menu-toggle,
+#menu-toggle + label {
   display: none;
+  appearance: none;
 }
 
 @media (max-width: 50em) {
@@ -136,14 +138,22 @@ header > nav > ul > li > details > nav ul li {
     display: block;
   }
 
-  #menu-toggle::before {
-    content: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 20 20'%3E%3Cpath d='M0 3h20v2H0V3z m0 6h20v2H0V9z m0 6h20v2H0V0z'/%3E%3C/svg%3E");
+  #menu-toggle ~ label {
+    position: absolute;
+    right: 1em;
+    top: 0.5em;
+    cursor: pointer;
     display: block;
   }
 
-  #menu-toggle:checked::before {
-    content: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 20 20'%3E%3Cpolygon points='11 9 22 9 22 11 11 11 11 22 9 22 9 11 -2 11 -2 9 9 9 9 -2 11 -2' transform='rotate(45 10 10)'/%3E%3C/svg%3E");
+  .menu-close,
+  .menu-open {
+    cursor: pointer;
+    fill: var(--text-color);
   }
+  .menu-close { display: none; }
+  #menu-toggle:checked + label .menu-close { display: block; }
+  #menu-toggle:checked + label .menu-open { display: none; }
 
   header > nav {
     margin-bottom: 1em;
@@ -210,14 +220,4 @@ header > nav > ul > li > details > nav ul li {
   header {
     position: relative;
   }
-
-  /* for some reason this must be at the end to work */
-  #menu-toggle {
-    display: block;
-    position: absolute;
-    right: 1em;
-    top: 0.5em;
-    appearance: none;
-    cursor: pointer;
-  }
 }

website/structure/page.nix

@@ -63,7 +63,15 @@ in
       body.content = [
         ''
           <header>
-            <input type="checkbox" id="menu-toggle">
+            <input type="checkbox" id="menu-toggle" hidden>
+            <label for="menu-toggle" hidden>
+              <svg class="menu-open" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 20 20">
+                <path d="M0 3h20v2H0V3z m0 6h20v2H0V9z m0 6h20v2H0V0z"/>
+              </svg>
+              <svg class="menu-close" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 20 20">
+                <polygon points="11 9 22 9 22 11 11 11 11 22 9 22 9 11 -2 11 -2 9 9 9 9 -2 11 -2" transform="rotate(45 10 10)"/>
+              </svg>
+            </label>
             ${lib.indent "  " (cfg.menus.main.outputs.html page)}
           </header>
         ''