systems/eldiron/websites/assets/default.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.websites.tools.assets;
  fetchFont = v: pkgs.runCommand "fetch-font" {
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
    outputHash = v.sha256;
  } ''
    mkdir -p $out
    ${pkgs.curl}/bin/curl -k --output $out/font.css -H "User-Agent: Firefox/100.0" "${v.url}"
    cat $out/font.css | grep -o "https://[^ )]*" | while read url; do
      filename=$(echo "$url" | sed -e "s@.*/@@g")
      ${pkgs.curl}/bin/curl -k --output "$out/$filename" "$url"
      sed -i -e "s@$url@./$filename@" "$out/font.css"
    done
  '';
  fetchTgz = v: pkgs.runCommand "fetch-tgz" {
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
    outputHash = v.sha256;
  } ''
    mkdir -p $out
    cd $out
    ${pkgs.curl}/bin/curl -L -k "${v.url}" | tar -xz --strip-components=${builtins.toString v.tgzRemoveComponents}
  '';
  fetchAsset = v:
    if v.assetType == "googleFont"
    then fetchFont v
    else if v.assetType == "tgz"
    then fetchTgz v
    else pkgs.fetchurl { url = v.url; sha256 = v.sha256; };
  assets_urls = lib.mapAttrs (k: fetchAsset) config.myEnv.tools.assets;
  assets = pkgs.runCommand "assets" {} (''
    mkdir -p $out
    cp -a ${./static}/* $out/
  '' + builtins.concatStringsSep "\n"
    (lib.mapAttrsToList (k: v: ''
      if [ -d "${v}" ]; then
        mkdir -p "$out/$(dirname "${k}")"
        cp -a "${v}" "$out/${k}"
        chmod -R u+rwX "$out/${k}"
      else
        install -D -m644 -T "${v}" "$out/${k}"
      fi
    '') assets_urls));
in
{
  options.myServices.websites.tools.assets = {
    enable = lib.mkEnableOption "Enable assets website";
  };
  config = lib.mkIf cfg.enable {
    myServices.dns.zones."immae.eu".subdomains.assets =
      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;

    services.websites.env.production.bindMounts."/run/imgproxy" = {};
    security.acme.certs.eldiron.extraDomainNames = [ "assets.immae.eu" ];
    services.websites.env.tools.vhostConfs.assets = {
      certName = "eldiron";
      hosts = [ "assets.immae.eu" ];
      root = assets;
      extraConfig = [
        ''
          Use Apaxy "${assets}" "title"
          <Directory "${assets}">
            Options Indexes FollowSymlinks
            AllowOverride None
            Require all granted
            Header always set Last-Modified "Tue, 01 Jan 2020 00:00:00 GMT"
            Header always set Cache-Control "public, max-age=31536000, immutable"
            Header always set Access-Control-Allow-Origin "*"
            Header always set Access-Control-Expose-Headers "*"
          </Directory>

          MergeSlashes OFF
          <Location /p>
            ProxyPass unix:///run/imgproxy/imgproxy.sock|http://assets.immae.eu
            ProxyPassReverse unix:///run/imgproxy/imgproxy.sock|http://assets.immae.eu
          </Location>
        ''
      ];
    };
    systemd.services.imgproxy = {
      description = "IMG proxy";
      wantedBy = [ "multi-user.target" ];

      environment = {
        IMGPROXY_NETWORK = "unix";
        IMGPROXY_BIND = "%t/imgproxy/imgproxy.sock";
      };
      serviceConfig = {
        User = "wwwrun";
        Group = "wwwrun";
        RuntimeDirectory = "imgproxy";
        ExecStart = "${pkgs.imgproxy}/bin/imgproxy";
      };
    };
  };
}