
ref: 1b76038e10c417008e8c11add6803971377c79ed haunted-blog/flake.nix -rw-r--r-- 3.2 KiB
1b76038e — Aluísio Augusto Silva Gonçalves flake/production: Update Content-Security-Policy a month ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# SPDX-FileCopyrightText: 2020 Aluísio Augusto Silva Gonçalves <https://aasg.name>
# SPDX-License-Identifier: MIT

{
  description = "aasg's haunted blog";
  inputs = {
    flake-utils.url = "github:numtide/flake-utils";
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
    # The author's own overlay; pinned to the same nixpkgs so the
    # closure is built from a single package set.
    aasg-nixexprs = { url = "git+https://git.sr.ht/~aasg/nixexprs"; inputs.nixpkgs.follows = "nixpkgs"; };
  };

  # Builds the static site with Haunt and exposes it both as an
  # overlay (`aasg-blog.defaultPackage`, `aasg-blog.production`) and as
  # the per-system outputs that flake-utils derives from that overlay.
  outputs = { self, aasg-nixexprs, flake-utils, nixpkgs }:
    let
      exports = {
        overlay = final: prev: {
          # Plain site build: no compiler is needed, so stdenvNoCC.
          aasg-blog.defaultPackage = final.stdenvNoCC.mkDerivation {
            name = "aasg-blog";
            src = self;

            # Reproducibility knobs exported into the build environment.
            LANG = "C.UTF-8";
            # Last commit time of the flake source; consumed below to
            # replace the timestamps the tools would otherwise generate.
            SOURCE_DATE_EPOCH = toString self.lastModified;
            # `self.rev` is absent for a dirty working tree, so this
            # falls back to the empty string rather than failing to evaluate.
            GIT_COMMIT = self.rev or "";
            # Output path handed to haunt; presumably haunt honours it as
            # the build destination (`haunt build` below passes no path) — verify.
            HAUNT_DESTDIR = placeholder "out";

            nativeBuildInputs = with final; [ haunt moreutils pandoc reuse xmlstarlet ];
            buildInputs = with final; [ guile guile-json ];
            # Renders the site, writes the REUSE/SPDX licensing report,
            # then rewrites the two non-reproducible timestamps (Atom
            # <updated>, SPDX Created:) to SOURCE_DATE_EPOCH and ties the
            # SPDX DocumentNamespace to the source revision. `sponge`
            # (moreutils) is what lets `xml edit` write back in place.
            buildPhase = ''
              runHook preBuild

              haunt build
              reuse spdx -o $out/files/reuse.spdx
              # Patch non-reproducible strings in the output.
              ISO8601_FAKETIME=$(date --utc --date @$SOURCE_DATE_EPOCH '+%FT%TZ')
              xml edit --update '/_:feed/_:updated' -v "$ISO8601_FAKETIME" $out/feed.xml | sponge $out/feed.xml
              sed -i \
                -e "/^Created:/c Created: $ISO8601_FAKETIME" \
                -e "/^DocumentNamespace:/c DocumentNamespace: https://aasg.name/files/reuse.spdx?src=${self.rev or ""}" \
                $out/files/reuse.spdx

              runHook postBuild
            '';

            # Nothing to copy: buildPhase already wrote straight into $out.
            # Only the hooks run so that overrides (such as the Brotli hook
            # in the production variant) still get their turn.
            installPhase = ''
              runHook preInstall
              runHook postInstall
            '';
          };

          # The production build is what actually goes live on
          # https://aasg.name; it includes a few well-known URLs
          # and its HTML/CSS/JS is pre-compressed with Brotli.
          aasg-blog.production = final.aasg-blog.defaultPackage.overrideAttrs (drv: {
            nativeBuildInputs = drv.nativeBuildInputs ++ [ final.aasgBrotlifyHook ];
            # Response headers the web server (snowweb) serves with every
            # page; postBuild writes this value verbatim to $out/.snowweb/headers.
            #
            # - The CSP is *Report-Only*: nothing is blocked, violations
            #   are only posted to report-uri. Hence `frame-ancestors 'none'`
            #   and `form-action 'none'` are not enforced yet; framing is
            #   actually enforced by X-Frame-Options: DENY below, and
            #   form-action has no enforced equivalent until the header is
            #   switched to Content-Security-Policy. `report-uri` is the
            #   legacy reporting directive (superseded by `report-to`) but
            #   is still the more widely supported one.
            # - Referrer-Policy is a fallback list: browsers use the last
            #   value they recognise, so modern browsers apply
            #   strict-origin-when-cross-origin and only old ones fall
            #   back to no-referrer.
            # - HSTS covers aasg.name for one year without
            #   includeSubDomains, so subdomains such as the Matrix host
            #   advertised below are not covered by this header.
            # - COOP same-origin puts the pages in their own browsing
            #   context group; nosniff stops MIME-type sniffing.
            snowwebHeaders = ''
              Content-Security-Policy-Report-Only: default-src 'self'; form-action 'none'; frame-ancestors 'none'; report-uri https://aasg.report-uri.com/r/d/csp/reportOnly
              Cross-Origin-Opener-Policy: same-origin
              Referrer-Policy: no-referrer, strict-origin-when-cross-origin
              Strict-Transport-Security: max-age=31536000
              X-Content-Type-Options: nosniff
              X-Frame-Options: DENY
            '';
            # Adds the Matrix client/server delegation documents under
            # .well-known and drops the header file snowweb reads.
            # `$snowwebHeaders` is the derivation attribute above, exported
            # into the build environment by mkDerivation.
            postBuild = ''
              mkdir -p $out/.well-known/matrix
              >$out/.well-known/matrix/client printf '{"m.homeserver":{"base_url":"https://matrix.aasg.name"}}\n'
              >$out/.well-known/matrix/server printf '{"m.server":"matrix.aasg.name:443"}\n'
              mkdir -p $out/.snowweb
              >$out/.snowweb/headers printf '%s\n' "$snowwebHeaders"
            '';
          });
        };
      };

      # Per-system packages/defaultPackage generated by flake-utils from
      # the overlay above, with the aasg-nixexprs overlay applied first so
      # that `final.aasgBrotlifyHook` resolves.
      outputs = flake-utils.lib.simpleFlake {
        inherit self nixpkgs;
        inherit (exports) overlay;
        name = "aasg-blog";
        preOverlays = [ aasg-nixexprs.overlay ];
      };

    in
    # The overlay is exported alongside the generated per-system outputs.
    exports // outputs;
}