131 lines
11 KiB
HTML
131 lines
11 KiB
HTML
<!doctype html>
|
|
<html lang="en"><head>
|
|
<meta charset="utf-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
|
|
<link rel="shortcut icon" href="https://nonsense.dymc.win/favicon.ico">
|
|
<link id="stylesheet" rel="stylesheet" href="/css/light.css">
|
|
|
|
<link rel="canonical" href="https://nonsense.dymc.win/over-engineered-nixos-blog-deployment-setup/" />
|
|
<title>Over-engineered (?) nixos blog deployment setup</title>
|
|
</head>
|
|
<body><header id="banner">
|
|
<nav class="navbar">
|
|
|
|
<a href="https://nonsense.dymc.win/" class="home">🏠</a>
|
|
|
|
<a
|
|
href="/info/"
|
|
title="👋"
|
|
>👋</a
|
|
><a
|
|
href="/search/"
|
|
title="🔎"
|
|
>🔎</a
|
|
>
|
|
|
|
<button id="toggle-button" class="toggle-button" onclick="toggleTheme()">🌚</button>
|
|
</nav>
|
|
</header>
|
|
<main id="content">
|
|
<article>
|
|
<header id="post-header">
|
|
<h2>Over-engineered (?) nixos blog deployment setup</h2>
|
|
<div>
|
|
<p>August 11, 2025</p>
|
|
</div>
|
|
</header><p>As is traditional with people hosting their own blog I’m going to do a post detailing EXACTLY how I’m hosting my blog.
|
|
Down to the last dirty detail.
|
|
I have nothing better to talk about.</p>
|
|
<p>Here is a diagram I edited to illustrate (credit to xkcd I think?).</p>
|
|
<p><img src="/image/self-hosting.png" alt="self-hosting"></p>
|
|
<p>I host my site on a hetzner vps running nixos.
|
|
I also have a git repo where all the static files for my blog live.
|
|
I had previously been manually rsyncing the website up to my vps from my laptop.
|
|
Qute an easy, efficient solution; it worked well.
|
|
But not very nixos; far too simple, not sufficiently over-engineered.
|
|
So in true nixos fashion I decided I’d spend a couple of hours sorting the problem so I’d maybe save a minute once a year when I write a blog post.</p>
|
|
<h3 id="remote-rebuilds">Remote Rebuilds</h3>
|
|
<p>First, I’ll show the fancy way to rebuild your remote nixos systems via ssh.
|
|
In my case, this means I can rebuild my hetzner box from my laptop.
|
|
You can read the wiki about it <a href="https://wiki.nixos.org/wiki/Nixos-rebuild#Deploying_on_other_machines">here</a>.</p>
|
|
<p>This sets up ssh with key-based authentication and lets our local user in.
|
|
This config belongs on the remote machine.</p>
|
|
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">users</span><span class="o">.</span><span class="n">users</span><span class="o">.</span><span class="n">blog-king</span><span class="o">.</span><span class="n">openssh</span><span class="o">.</span><span class="n">authorizedKeys</span><span class="o">.</span><span class="n">keys</span> <span class="o">=</span> <span class="p">[</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="c1"># ssh public key on computer you're deploying from</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="s2">"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPzFa1hmmmmmPL5HvJZhXVEaWiZIMi34oR6AOcaaaaaaa"</span>
|
|
</span></span><span class="line"><span class="cl"><span class="p">];</span>
|
|
</span></span><span class="line"><span class="cl">
|
|
</span></span><span class="line"><span class="cl"><span class="n">nix</span><span class="o">.</span><span class="n">settings</span><span class="o">.</span><span class="n">trusted-users</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">"blog-king"</span> <span class="p">];</span>
|
|
</span></span><span class="line"><span class="cl">
|
|
</span></span><span class="line"><span class="cl"><span class="c1"># ssh daemon</span>
|
|
</span></span><span class="line"><span class="cl"><span class="n">services</span><span class="o">.</span><span class="n">openssh</span> <span class="o">=</span> <span class="p">{</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">openFirewall</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">settings</span> <span class="o">=</span> <span class="p">{</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">PasswordAuthentication</span> <span class="o">=</span> <span class="no">false</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">PermitRootLogin</span> <span class="o">=</span> <span class="s2">"no"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="p">};</span>
|
|
</span></span><span class="line"><span class="cl"><span class="p">};</span>
|
|
</span></span></code></pre></div><p>Once you have this going on your remote machine (in my case the hetzner vps) you should be able to rebuild the remote machine with <code>nixos-rebuild --target-host blog-king@remote-ip-here --ask-sudo-password switch</code>.
|
|
The <code>--ask-sudo-password</code> is not required if you ssh in as root though that would be a touch gauche.</p>
|
|
<h3 id="caddy">Caddy</h3>
|
|
<p>You can do this with whatever your preferred webserver is.
|
|
I am a caddy stan.
|
|
This opens the necessary ports in the firewall and sets up caddy in file server mode pointing at <code>/etc/blog</code>.</p>
|
|
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">networking</span><span class="o">.</span><span class="n">firewall</span><span class="o">.</span><span class="n">allowedTCPPorts</span> <span class="o">=</span> <span class="p">[</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="mi">80</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="mi">443</span>
|
|
</span></span><span class="line"><span class="cl"><span class="p">];</span>
|
|
</span></span><span class="line"><span class="cl">
|
|
</span></span><span class="line"><span class="cl"><span class="n">services</span><span class="o">.</span><span class="n">caddy</span> <span class="o">=</span> <span class="p">{</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">extraConfig</span> <span class="o">=</span> <span class="s1">''
|
|
</span></span></span><span class="line"><span class="cl"><span class="s1"> blog.example.org {
|
|
</span></span></span><span class="line"><span class="cl"><span class="s1"> root * /etc/blog
|
|
</span></span></span><span class="line"><span class="cl"><span class="s1"> file_server
|
|
</span></span></span><span class="line"><span class="cl"><span class="s1"> }
|
|
</span></span></span><span class="line"><span class="cl"><span class="s1"> ''</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"><span class="p">};</span>
|
|
</span></span></code></pre></div><h3 id="getting-the-files-from-git">Getting the files from git</h3>
|
|
<p>We have a web server pointing at <code>/etc/blog</code>.
|
|
The last piece of the puzzle is to get the static files from our git repo and spit them out in that directory.</p>
|
|
<p>I’m using the <code>fetchFromGitea</code> helper here which works for gitea and forgejo instances.
|
|
The <code>fetchFromGitHub</code> helper would look very similar.</p>
|
|
<p>You can get the <code>rev</code> and <code>sha256</code> of the commit using <code>nix-prefetch-git</code>.</p>
|
|
<p>Also note the little <code>/public</code> at the end of the <code>source</code> string.
|
|
That’s the directory of the git repo that the website source lives.</p>
|
|
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">environment</span><span class="o">.</span><span class="n">etc</span><span class="o">.</span><span class="s2">"blog"</span> <span class="o">=</span> <span class="p">{</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">target</span> <span class="o">=</span> <span class="s2">"blog"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">source</span> <span class="o">=</span> <span class="s2">"</span><span class="si">${</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">pkgs</span><span class="o">.</span><span class="n">fetchFromGitea</span> <span class="p">{</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">domain</span> <span class="o">=</span> <span class="s2">"git.example.org"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">owner</span> <span class="o">=</span> <span class="s2">"james"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">repo</span> <span class="o">=</span> <span class="s2">"blog"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">rev</span> <span class="o">=</span> <span class="s2">"32d81f01388c88a259eed2ba52f4545dbcb1eb07"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">sha256</span> <span class="o">=</span> <span class="s2">"173g99dj8y4sw1v7f1s5f7zgcrrlr6dly9n6ysr2i4jg095lkxw8"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="p">}</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="si">}</span><span class="s2">/public"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">user</span> <span class="o">=</span> <span class="s2">"caddy"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"> <span class="n">group</span> <span class="o">=</span> <span class="s2">"caddy"</span><span class="p">;</span>
|
|
</span></span><span class="line"><span class="cl"><span class="p">};</span>
|
|
</span></span></code></pre></div><p>So now with all that setup the blog post work flow is:</p>
|
|
<ul>
|
|
<li>Commit rebuilt website to repo</li>
|
|
<li>Update the <code>rev</code> and <code>sha256</code> to the new commit (this is annoying and I’m trying to work out a good way to automate it)</li>
|
|
<li>Rebuild vps from laptop</li>
|
|
</ul>
|
|
<p>Not necessarily faster than the old rsync method but it’s pretty damn declarative, that’s for sure.</p></article>
|
|
</main>
|
|
<footer id="footer">
|
|
<small>
|
|
made with <a href="https://gohugo.io">hugo</a>
|
|
</small>
|
|
|
|
<script src="/js/search.js"></script>
|
|
<script src="/js/toggle.js"></script>
|
|
</footer>
|
|
|
|
</body>
|
|
</html>
|