.
This commit is contained in:
parent
32d81f0138
commit
c4dcb6e38b
78 changed files with 2739 additions and 110 deletions
|
|
@ -6,12 +6,106 @@
|
|||
<description>Recent content on James' Blog :-)</description>
|
||||
<generator>Hugo -- gohugo.io</generator>
|
||||
<language>en-GB</language>
|
||||
<lastBuildDate>Tue, 25 Jun 2024 00:00:00 +0000</lastBuildDate>
|
||||
<lastBuildDate>Mon, 11 Aug 2025 00:00:00 +0000</lastBuildDate>
|
||||
|
||||
<atom:link href="https://nonsense.dymc.win/index.xml" rel="self" type="application/rss+xml" />
|
||||
|
||||
|
||||
|
||||
<item>
|
||||
<title>over-engineered (?) nixos blog deployment setup</title>
|
||||
<link>https://nonsense.dymc.win/over-engineered-nixos-blog-deployment-setup/</link>
|
||||
<pubDate>Mon, 11 Aug 2025 00:00:00 +0000</pubDate>
|
||||
|
||||
<guid>https://nonsense.dymc.win/over-engineered-nixos-blog-deployment-setup/</guid>
|
||||
<description><p>As is traditional with people hosting their own blog I&rsquo;m going to do a post detailing EXACTLY how I&rsquo;m hosting my blog.
|
||||
Down to the last dirty detail.
|
||||
I have nothing better to talk about.
|
||||
Here is a diagram I edited to illustrate (credit to xkcd I think?).</p>
|
||||
<p><img src="https://nonsense.dymc.win/image/self-hosting.png" alt="self-hosting"></p>
|
||||
<p>I host my site on a hetzner vps running nixos.
|
||||
I also have a git repo where all the static files for my blog live.
|
||||
I had previously been manually rsyncing the website up to my vps from my laptop.
|
||||
Qute an easy, efficient solution; it worked well.
|
||||
But not very nixos; far too simple, not sufficiently over-engineered.
|
||||
So in true nixos fashion I decided I&rsquo;d spend a couple of hours sorting the problem so I&rsquo;d maybe save a minute once a year when I write a blog post.</p>
|
||||
<h3 id="remote-rebuilds">Remote Rebuilds</h3>
|
||||
<p>First, I&rsquo;ll show the fancy way to rebuild your remote nixos systems via ssh.
|
||||
In my case, this means I can rebuild my hetzner box from my laptop.
|
||||
You can read the wiki about it <a href="https://wiki.nixos.org/wiki/Nixos-rebuild#Deploying_on_other_machines">here</a>.</p>
|
||||
<p>This sets up ssh with key-based authentication and lets our local user in.
|
||||
This config belongs on the remote machine.</p>
|
||||
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">users</span><span class="o">.</span><span class="n">users</span><span class="o">.</span><span class="n">blog-king</span><span class="o">.</span><span class="n">openssh</span><span class="o">.</span><span class="n">authorizedKeys</span><span class="o">.</span><span class="n">keys</span> <span class="o">=</span> <span class="p">[</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="c1"># ssh public key on computer you&#39;re deploying from</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="s2">&#34;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzFa1hmmmmmPL5HvJZhXVEaWiZIMi34oR6AOcaaaaaaa&#34;</span>
|
||||
</span></span><span class="line"><span class="cl"><span class="p">];</span>
|
||||
</span></span><span class="line"><span class="cl">
|
||||
</span></span><span class="line"><span class="cl"><span class="n">nix</span><span class="o">.</span><span class="n">settings</span><span class="o">.</span><span class="n">trusted-users</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;blog-king&#34;</span> <span class="p">];</span>
|
||||
</span></span><span class="line"><span class="cl">
|
||||
</span></span><span class="line"><span class="cl"><span class="c1"># ssh daemon</span>
|
||||
</span></span><span class="line"><span class="cl"><span class="n">services</span><span class="o">.</span><span class="n">openssh</span> <span class="o">=</span> <span class="p">{</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">openFirewall</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">settings</span> <span class="o">=</span> <span class="p">{</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">PasswordAuthentication</span> <span class="o">=</span> <span class="no">false</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">PermitRootLogin</span> <span class="o">=</span> <span class="s2">&#34;no&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="p">};</span>
|
||||
</span></span><span class="line"><span class="cl"><span class="p">};</span>
|
||||
</span></span></code></pre></div><p>Once you have this going on your remote machine (in my case the hetzner vps) you should be able to rebuild the remote machine with <code>nixos-rebuild --target-host blog-king@remote-ip-here --ask-sudo-password switch</code>.
|
||||
The <code>--ask-sudo-password</code> is not required if you ssh in as root though that would be a touch gauche.</p>
|
||||
<h3 id="caddy">Caddy</h3>
|
||||
<p>You can do this with whatever your preferred webserver is.
|
||||
I am a caddy stan.
|
||||
This opens the necessary ports in the firewall and sets up caddy in file server mode pointing at <code>/etc/blog</code>.</p>
|
||||
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">networking</span><span class="o">.</span><span class="n">firewall</span><span class="o">.</span><span class="n">allowedTCPPorts</span> <span class="o">=</span> <span class="p">[</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="mi">80</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="mi">443</span>
|
||||
</span></span><span class="line"><span class="cl"><span class="p">];</span>
|
||||
</span></span><span class="line"><span class="cl">
|
||||
</span></span><span class="line"><span class="cl"><span class="n">services</span><span class="o">.</span><span class="n">caddy</span> <span class="o">=</span> <span class="p">{</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">extraConfig</span> <span class="o">=</span> <span class="s1">&#39;&#39;
|
||||
</span></span></span><span class="line"><span class="cl"><span class="s1"> blog.example.org {
|
||||
</span></span></span><span class="line"><span class="cl"><span class="s1"> root * /etc/blog
|
||||
</span></span></span><span class="line"><span class="cl"><span class="s1"> file_server
|
||||
</span></span></span><span class="line"><span class="cl"><span class="s1"> }
|
||||
</span></span></span><span class="line"><span class="cl"><span class="s1"> &#39;&#39;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"><span class="p">};</span>
|
||||
</span></span></code></pre></div><h3 id="getting-the-files-from-git">Getting the files from git</h3>
|
||||
<p>We have a web server pointing at <code>/etc/blog</code>.
|
||||
The last piece of the puzzle is to get the static files from our git repo and spit them out in that directory.</p>
|
||||
<p>I&rsquo;m using the <code>fetchFromGitea</code> helper here which works for gitea and forgejo instances.
|
||||
The <code>fetchFromGitHub</code> helper would look very similar.</p>
|
||||
<p>You can get the <code>rev</code> and <code>sha256</code> of the commit using <code>nix-prefetch-git</code>.</p>
|
||||
<p>Also note the little <code>/public</code> at the end of the <code>source</code> string.
|
||||
That&rsquo;s the directory of the git repo that the website source lives.</p>
|
||||
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">environment</span><span class="o">.</span><span class="n">etc</span><span class="o">.</span><span class="s2">&#34;blog&#34;</span> <span class="o">=</span> <span class="p">{</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">target</span> <span class="o">=</span> <span class="s2">&#34;blog&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">source</span> <span class="o">=</span> <span class="s2">&#34;</span><span class="si">${</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">pkgs</span><span class="o">.</span><span class="n">fetchFromGitea</span> <span class="p">{</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">domain</span> <span class="o">=</span> <span class="s2">&#34;git.example.org&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">owner</span> <span class="o">=</span> <span class="s2">&#34;james&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">repo</span> <span class="o">=</span> <span class="s2">&#34;blog&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">rev</span> <span class="o">=</span> <span class="s2">&#34;32d81f01388c88a259eed2ba52f4545dbcb1eb07&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">sha256</span> <span class="o">=</span> <span class="s2">&#34;173g99dj8y4sw1v7f1s5f7zgcrrlr6dly9n6ysr2i4jg095lkxw8&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="p">}</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="si">}</span><span class="s2">/public&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">user</span> <span class="o">=</span> <span class="s2">&#34;caddy&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"> <span class="n">group</span> <span class="o">=</span> <span class="s2">&#34;caddy&#34;</span><span class="p">;</span>
|
||||
</span></span><span class="line"><span class="cl"><span class="p">};</span>
|
||||
</span></span></code></pre></div><p>So now with all that setup the blog post work flow is:</p>
|
||||
<ul>
|
||||
<li>Commit rebuilt website to repo</li>
|
||||
<li>Update the <code>rev</code> and <code>sha256</code> to the new commit (this is annoying and I&rsquo;m trying to work out a good way to automate it)</li>
|
||||
<li>Rebuild vps from laptop</li>
|
||||
</ul>
|
||||
<p>Not necessarily faster than the old rsync method but it&rsquo;s pretty damn declarative, that&rsquo;s for sure.</p>
|
||||
</description>
|
||||
</item>
|
||||
|
||||
|
||||
|
||||
<item>
|
||||
<title>so you want to write a neovim plugin with lua</title>
|
||||
<link>https://nonsense.dymc.win/so-you-want-to-write-a-neovim-plugin-with-lua/</link>
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue