10 changed files with 101 additions and 138 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +0,0 @@
-.envrc
-.direnv
-result
--- a/server/README.md
+++ b/server/README.md
@ -1,15 +0,0 @@
-# fediversity.eu webserver
-
-This directory contains the configuration for the server hosting https://fediversity.eu
-
-Build the configuration:
-
-```bash
-nix-build -A machine
-```
-
-Deploy via SSH:
-
-```bash
-env SSH_OPTS="..." nix-shell --run deploy-webserver
-```
--- a/server/configuration.nix
+++ b/server/configuration.nix
@ -1,3 +1,4 @@
+
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
@ -6,8 +7,7 @@

 {
  imports =
-    [
-      # Include the results of the hardware scan.
+    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

@ -32,44 +32,44 @@
    forceSSL = true;
    globalRedirect = "www.fediversity.eu";
    locations."/.well-known/matrix/client" = {
-      extraConfig = ''
-        	return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
-        	default_type application/json;
-        	add_header Access-Control-Allow-Origin "*";
-        	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-        	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+       extraConfig = ''
+	return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
+	default_type application/json;
+	add_header Access-Control-Allow-Origin "*";
+	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
      '';
    };
    locations."/.well-known/matrix/server" = {
-      extraConfig = ''
-        	return 200 '{"m.server": "matrix.fediversity.eu:443"}';
-        	default_type application/json;
-        	add_header Access-Control-Allow-Origin "*";
-        	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-        	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+       extraConfig = ''
+	return 200 '{"m.server": "matrix.fediversity.eu:443"}';
+	default_type application/json;
+	add_header Access-Control-Allow-Origin "*";
+	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
      '';
    };
  };
  services.nginx.virtualHosts."www.fediversity.eu" = {
    enableACME = true;
    forceSSL = true;
-    root = "${(import ../website { }).build}";
+    root = "/var/www/www.fediversity.eu/fediversity.eu/public";
    locations."/.well-known/matrix/client" = {
-      extraConfig = ''
-        	return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
-        	default_type application/json;
-        	add_header Access-Control-Allow-Origin "*";
-        	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-        	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+       extraConfig = ''
+	return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
+	default_type application/json;
+	add_header Access-Control-Allow-Origin "*";
+	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
      '';
    };
    locations."/.well-known/matrix/server" = {
-      extraConfig = ''
-        	return 200 '{"m.server": "matrix.fediversity.eu:443"}';
-        	default_type application/json;
-        	add_header Access-Control-Allow-Origin "*";
-        	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-        	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
+       extraConfig = ''
+	return 200 '{"m.server": "matrix.fediversity.eu:443"}';
+	default_type application/json;
+	add_header Access-Control-Allow-Origin "*";
+	add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+	add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
      '';
    };
  };
@ -80,7 +80,7 @@
    certs."oid.foundation".extraDomainNames = [ "www.oid.foundation" ];
  };

-  networking = {
+  networking = {  
    hostName = "vm02117";
    domain = "procolix.com";
    interfaces = {
@ -117,9 +117,9 @@
      enable = true;
      ruleset = ''
        #!/usr/sbin/nft -f
-
+      
        flush ruleset
-
+      
        ########### define usefull variables here #####################
        define wan        = eth0
        define ssh_allow  = {
@ -137,38 +137,38 @@
        define nrpe_allow = {
                    95.215.185.34/32,   # nagios2 ipv4
                }
-
+      
        ########### here starts the automated bit #####################
        table inet filter {
            chain input {
-                type filter hook input priority 0;
+                type filter hook input priority 0; 
                policy drop;
-
+      
                # established/related connections
                ct state established,related accept
                ct state invalid drop
-
+      
                # Limit ping requests.
                ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
                ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
-
+      
                # loopback interface
                iifname lo accept
-
+                
                # icmp
                ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
                # Without the nd-* ones ipv6 will not work.
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
-
+      
                # open tcp ports: sshd (22)
                ip saddr $ssh_allow tcp dport {ssh} accept
-
+      
                # open tcp ports: snmp (161)
                ip saddr $snmp_allow udp dport {snmp} accept
-
+      
                # open tcp ports: nrpe (5666)
                ip saddr $nrpe_allow tcp dport {nrpe} accept
-
+      
                # open tcp ports: http (80,443)
                tcp dport {http,https} accept
            }
@ -179,13 +179,13 @@
                type filter hook output priority 0;
            }
        }
-
+      
        table ip nat {
            chain postrouting {
-            }
+            }   
            chain prerouting {
            }
-        }
+        }  
      '';
    };
  };
@ -197,14 +197,13 @@
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

-  security.sudo.wheelNeedsPassword = false;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.procolix = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
-      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
+    "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
    ];
    packages = with pkgs; [
    ];
@ -213,7 +212,7 @@
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK4ZB0Xnpf8yyK4QOI2HvjgQINI3GKi7/O2VEsYXUb laurenshof@Laurenss-MacBook-Air.local"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK4ZB0Xnpf8yyK4QOI2HvjgQINI3GKi7/O2VEsYXUb laurenshof@Laurenss-MacBook-Air.local"
    ];
    packages = with pkgs; [
    ];
@ -222,7 +221,7 @@
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
    ];
    packages = with pkgs; [
    ];
@ -246,17 +245,24 @@
    })
    wget
    git
+    hugo
+    go
+    nodejs
  ];

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
-  services.openssh.settings.PasswordAuthentication = false;

  # Enable xe-guest-utilities
  services.xe-guest-utilities.enable = true;

+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  system.copySystemConfiguration = true;
+
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
@ -266,3 +272,4 @@
  system.stateVersion = "23.11"; # Did you read the comment?

 }
+
--- a/server/default.nix
+++ b/server/default.nix
@ -1,46 +0,0 @@
-{ sources ? import ../website/npins
-, system ? builtins.currentSystem
-, pkgs ? import sources.nixpkgs {
-    inherit system;
-    config = { };
-    overlays = [ ];
-  }
-, lib ? import "${sources.nixpkgs}/lib"
-}:
-let
-  # TODO: don't hard code target hosts; wire all of it up with NixOps4
-  host = "vm02117.procolix.com";
-  deploy = pkgs.writeShellApplication {
-    name = "deploy-webserver";
-    text = ''
-      # HACK: decouple system evaluation from shell evaluation
-      # the structured way for using this hack is encoded in https://github.com/fricklerhandwerk/lazy-drv
-      result="$(nix-build ${toString ./.} -A machine --no-out-link --eval-store auto --store ssh-ng://${host})"
-      # shellcheck disable=SC2087
-      ssh ${host} << EOF
-      sudo nix-env -p /nix/var/nix/profiles/system --set "$result"
-      sudo "$result"/bin/switch-to-configuration switch
-      EOF
-    '';
-  };
-  nixos-configuration = config:
-    import "${pkgs.path}/nixos/lib/eval-config.nix" {
-      modules = [
-        config
-      ];
-      system = null;
-    };
-in
-rec {
-  nixos = nixos-configuration ./configuration.nix;
-  machine = nixos.config.system.build.toplevel;
-  shell = pkgs.mkShellNoCC {
-    packages = with pkgs; [
-      deploy
-    ];
-    env = {
-      # TODO: reusing other pins for now; wire up the whole repo to use the same dependencies
-      NPINS_DIRECTORY = toString ../website/npins;
-    };
-  };
-}
--- a/server/shell.nix
+++ b/server/shell.nix
@ -1 +0,0 @@
-(import ./. { }).shell
--- a/services/README.md
+++ b/services/README.md
@ -57,6 +57,16 @@ nix build .#installers.peertube
 Upload the image in `./result` to Proxmox when creating a VM.
 Booting the image will format the disk and install NixOS with the desired configuration.

+# Deploying an updated machine configuration
+
+> TODO: There is currently no way to specify an actual target machine by name.
+
+Assuming you have SSH configuration with access to the remote `root` user stored for a machine called e.g. `peertube`, deploy the configuration by the same name:
+
+```bash
+nix run .#deploy.peertube
+```
+
 ## debugging notes

 - it is sometimes useful to `cat result/bin/run-nixos-vm` to see what's really going on (e.g. which ports are getting forwarded)
--- a/services/deploy.nix
+++ b/services/deploy.nix
@ -0,0 +1,13 @@
+{ writeShellApplication }:
+name: _config:
+writeShellApplication {
+  name = "deploy";
+  text = ''
+    result="$(nix build --print-out-paths ${./.}#nixosConfigurations#${name} --eval-store auto --store ssh-ng://${name})"
+    # shellcheck disable=SC2087
+    ssh ${name} << EOF
+    nix-env -p /nix/var/nix/profiles/system --set "$result"
+    "$result"/bin/switch-to-configuration switch
+    EOF
+  '';
+}
--- a/services/flake.nix
+++ b/services/flake.nix
@ -114,6 +114,12 @@
      mkInstaller = import ./installer.nix;
      installers = lib.mapAttrs (_: config: self.mkInstaller nixpkgs config) self.nixosConfigurations;

+      deploy =
+        let
+          deployCommand = (pkgs.callPackage ./deploy.nix { });
+        in
+        lib.mapAttrs (name: config: deployCommand name config) self.nixosConfigurations;
+
      checks.${system} = {
        mastodon-garage = import ./tests/mastodon-garage.nix { inherit pkgs self; };
        pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit pkgs self; };
--- a/website/presentation/style.css
+++ b/website/presentation/style.css
@ -127,10 +127,8 @@ header > nav > ul > li > details > nav ul li {
  padding: 0.25em 0;
 }

-#menu-toggle,
-#menu-toggle + label {
+#menu-toggle {
  display: none;
-  appearance: none;
 }

@media (max-width: 50em) {
@ -138,22 +136,14 @@ header > nav > ul > li > details > nav ul li {
    display: block;
  }

-  #menu-toggle ~ label {
-    position: absolute;
-    right: 1em;
-    top: 0.5em;
-    cursor: pointer;
+  #menu-toggle::before {
+    content: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 20 20'%3E%3Cpath d='M0 3h20v2H0V3z m0 6h20v2H0V9z m0 6h20v2H0V0z'/%3E%3C/svg%3E");
    display: block;
  }

-  .menu-close,
-  .menu-open {
-    cursor: pointer;
-    fill: var(--text-color);
+  #menu-toggle:checked::before {
+    content: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 20 20'%3E%3Cpolygon points='11 9 22 9 22 11 11 11 11 22 9 22 9 11 -2 11 -2 9 9 9 9 -2 11 -2' transform='rotate(45 10 10)'/%3E%3C/svg%3E");
  }
-  .menu-close { display: none; }
-  #menu-toggle:checked + label .menu-close { display: block; }
-  #menu-toggle:checked + label .menu-open { display: none; }

  header > nav {
    margin-bottom: 1em;
@ -220,4 +210,14 @@ header > nav > ul > li > details > nav ul li {
  header {
    position: relative;
  }
+
+  /* for some reason this must be at the end to work */
+  #menu-toggle {
+    display: block;
+    position: absolute;
+    right: 1em;
+    top: 0.5em;
+    appearance: none;
+    cursor: pointer;
+  }
 }
--- a/website/structure/page.nix
+++ b/website/structure/page.nix
@ -63,15 +63,7 @@ in
      body.content = [
        ''
          <header>
-            <input type="checkbox" id="menu-toggle" hidden>
-            <label for="menu-toggle" hidden>
-              <svg class="menu-open" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 20 20">
-                <path d="M0 3h20v2H0V3z m0 6h20v2H0V9z m0 6h20v2H0V0z"/>
-              </svg>
-              <svg class="menu-close" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 20 20">
-                <polygon points="11 9 22 9 22 11 11 11 11 22 9 22 9 11 -2 11 -2 9 9 9 9 -2 11 -2" transform="rotate(45 10 10)"/>
-              </svg>
-            </label>
+            <input type="checkbox" id="menu-toggle">
            ${lib.indent "  " (cfg.menus.main.outputs.html page)}
          </header>
        ''