From b88e8b4f8259267ebb0d068df9cd65fd36ca5477 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Tue, 10 Mar 2026 17:12:53 -0700 Subject: prepare for CSP header generation --- README.org | 2 +- blog/acausal.org | 7 -- blog/automation.org | 7 -- blog/cognition.org | 8 -- blog/crypto.org | 9 -- blog/horses.org | 7 -- blog/manifesto-1.org | 7 -- blog/monorepo.org | 8 -- blog/nixos.org | 7 -- blog/private_keys.org | 7 -- blog/tech-bros.org | 7 -- blog/voting.org | 7 -- blog/you_dont_matter.org | 7 -- config/emacs.org | 22 +--- config/nix.org | 249 ++++++++++++++++++++-------------------- flake.nix | 23 +++- index.org | 5 + mindmap/LRC circuit.org | 2 + mindmap/Laplace Transform.org | 1 + mindmap/philosophy.org | 1 + mindmap/physics.org | 1 + mindmap/prv_LRC_circuit.org.log | 35 ------ mindmap/special relativity.org | 1 + nix | 2 +- style.scss | 27 +++-- 25 files changed, 175 insertions(+), 284 deletions(-) delete mode 100644 mindmap/prv_LRC_circuit.org.log diff --git a/README.org b/README.org index 219b5b4..e723511 100644 --- a/README.org +++ b/README.org @@ -29,7 +29,7 @@ then reboot, and run: #+end_src That's all! ** Post-setup -In emacs, run ~M-x all-the-icons-install-fonts, ~~M-x nerd-icons-install-fonts~, and ~M-x org-roam-db-sync~. Install your music to ~$HOME/music~ for +In emacs, run ~M-x all-the-icons-install-fonts~, ~M-x nerd-icons-install-fonts~, and ~M-x org-roam-db-sync~. Install your music to ~$HOME/music~ for emms. In firefox, go to the three-bar menu and enable all the add-ons that were automatically installed. Set up the ~mu~ program in order to send and receive email, along with modifying the corresponding mbsync and msmtp commands. Change ~nix/flakevars.nix~ to your liking. * License diff --git a/blog/acausal.org b/blog/acausal.org index 4550d8e..e6165c2 100644 --- a/blog/acausal.org +++ b/blog/acausal.org 
@@ -4,13 +4,6 @@ #+subtitle: By {{{author}}}, 2024 #+description: Narrative is the only real construction. -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t diff --git a/blog/automation.org b/blog/automation.org index 820e562..89dbeb8 100644 --- a/blog/automation.org +++ b/blog/automation.org @@ -4,13 +4,6 @@ #+subtitle: By {{{author}}}, 2024 #+description: Is automation taking jobs? Is capitalism causing all the world's problems? -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t * Introduction diff --git a/blog/cognition.org b/blog/cognition.org index 5d56e7f..5e6a9c2 100644 --- a/blog/cognition.org +++ b/blog/cognition.org @@ -4,14 +4,6 @@ #+subtitle: By {{{author}}}, 2024 #+description: Other languages are inflexible and broken. Let's fix that. -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t * The problem diff --git a/blog/crypto.org b/blog/crypto.org index aa197cc..01c8d94 100644 --- a/blog/crypto.org +++ b/blog/crypto.org @@ -2,17 +2,8 @@ #+author: Preston Pan #+date: [2024-01-01] #+subtitle: By {{{author}}}, 2024 - #+description: Are cryptocurrencies useful in economic transactions? As technologies? -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t diff --git a/blog/horses.org b/blog/horses.org index 66c38ac..41cc1c9 100644 --- a/blog/horses.org +++ b/blog/horses.org @@ -4,13 +4,6 @@ #+subtitle: By {{{author}}}, 2024 #+description: It doesn't happen instantly. -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t 
diff --git a/blog/manifesto-1.org b/blog/manifesto-1.org index 185796f..087299e 100644 --- a/blog/manifesto-1.org +++ b/blog/manifesto-1.org @@ -5,13 +5,6 @@ #+description: A system built on illusions will always decay. -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t diff --git a/blog/monorepo.org b/blog/monorepo.org index 0f830e5..e4d1e64 100644 --- a/blog/monorepo.org +++ b/blog/monorepo.org @@ -4,14 +4,6 @@ #+subtitle: By {{{author}}}, 2025 #+description: NixOS configurations for infrastructure, workstations, and laptops -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t diff --git a/blog/nixos.org b/blog/nixos.org index 718d139..e8ebb1f 100644 --- a/blog/nixos.org +++ b/blog/nixos.org @@ -4,13 +4,6 @@ #+subtitle: By {{{author}}}, 2024 #+description: You can run a system from the 2040s, today. -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t * Introduction diff --git a/blog/private_keys.org b/blog/private_keys.org index 61cad10..7cedd0d 100644 --- a/blog/private_keys.org +++ b/blog/private_keys.org @@ -4,13 +4,6 @@ #+subtitle: By {{{author}}}, 2024 #+description: Why haven't we switched to asymmetric cryptography? -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t diff --git a/blog/tech-bros.org b/blog/tech-bros.org index 9a56491..e6af1fb 100644 --- a/blog/tech-bros.org +++ b/blog/tech-bros.org @@ -5,13 +5,6 @@ #+description: and other people that other people hate. -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t * Introduction diff --git a/blog/voting.org b/blog/voting.org index bb27b8a..6b8739a 100644 
--- a/blog/voting.org +++ b/blog/voting.org @@ -5,13 +5,6 @@ #+description: What do we do about voter turnout? Voting demographics? Polarization? -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t * Introduction diff --git a/blog/you_dont_matter.org b/blog/you_dont_matter.org index 1cd750e..1d69935 100644 --- a/blog/you_dont_matter.org +++ b/blog/you_dont_matter.org @@ -5,13 +5,6 @@ #+description: Ideas aren't real, and morality is a spook. -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: -#+html_head: #+language: en #+OPTIONS: broken-links:t * Introduction diff --git a/config/emacs.org b/config/emacs.org index 2d87907..0b71dbe 100644 --- a/config/emacs.org +++ b/config/emacs.org @@ -104,6 +104,7 @@ Emacs is self documenting, after all! (prettify-symbols-mode)))) :config (require 'tex-site) + (require 'subr-x) (server-start) ;; start wiith sane defaults @@ -173,11 +174,9 @@ This is my org mode configuration, which also configures latex. (content "main" "content") (postamble "footer" "postamble"))) (org-html-head-extra (concat "\n\n\n\n\n\n\n\n\n\n\n" - "")) + "")) (org-latex-to-html-convert-command "printf '%%s' %i | pandoc -f latex -t html --mathml | tr -d '\\n' | sed -e 's/^

//' -e 's/<\\/p>$//'") (org-html-viewport '((width "device-width") @@ -198,7 +197,7 @@ This is my org mode configuration, which also configures latex. :html-preamble-format (("en" "

home | section main page


"))) ("website-static" :base-directory "~/monorepo" - :base-extension "css\\|js\\|png\\|jpg\\|gif\\|pdf\\|mp3\\|ogg\\|swf\\|ico\\|asc\\|pub\\|webmanifest\\|xml\\|svg\\|txt\\|webp" + :base-extension "css\\|js\\|png\\|jpg\\|gif\\|pdf\\|mp3\\|ogg\\|swf\\|ico\\|asc\\|pub\\|webmanifest\\|xml\\|svg\\|txt\\|webp\\|conf" :publishing-directory "~/website_html/" :recursive t :publishing-function org-publish-attachment) @@ -327,7 +326,6 @@ First, some small configurations and some evil-mode initilaization because I lik (define-key evil-motion-state-map (kbd "TAB") nil)) (evil-collection-init)) - (use-package evil-commentary :after (evil) :config @@ -647,16 +645,6 @@ emacs keybindings. ** LLM I use LLMs in order to help me come up with ideas. I use a local LLM so that I can have a competitive LLM that doesn't cost money. -#+begin_src emacs-lisp :tangle ../nix/init.el - ;; (use-package ellama - ;; :custom - ;; (ellama-sessions-directory "~/org/ellama/" "Set org directory for LLM sessions") - ;; :init - ;; (require 'llm-ollama) - ;; (setopt ellama-provider (make-llm-ollama - ;; :host "localhost" - ;; :chat-model "qwen2.5:14b"))) -#+end_src *** Minuet Minuet does my code completion, showing the potential code completion as a ghost and automatically completing the code when my cursor is still. It is kind of like copilot but it works with local LLMs, which is better. Though, it's obviously not always the most accurate. diff --git a/config/nix.org b/config/nix.org index a32c14d..dc2c823 100644 --- a/config/nix.org +++ b/config/nix.org @@ -202,7 +202,7 @@ and now for the main flake: fi echo "Merge to main detected. Building VM for ${hostname}..." if nix build .#nixosConfigurations.${hostname}.config.system.build.vm --no-link; then - echo "Build succeeded. Proceeding with merge." + echo "Build succeeded." exit 0 else echo "Build failed! Aborting." 
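Review bot: Adding `conf` to `:base-extension` of the `website-static` project publishes every `*.conf` found recursively under `~/monorepo` into `~/website_html/`, not only the CSP snippet this commit is preparing for, so any service or credential-bearing config saved anywhere in the repo becomes a public file on the next `usite`. The nginx snippet appears to be produced by the `website` derivation in flake.nix and consumed by nginx through `include`, so it does not need to pass through org-publish at all; if some other `.conf` is genuinely needed, narrow the match with an `:include` list or an `:exclude` regex instead of a blanket extension. The `org-publish-project-alist` entry this line belongs to starts before the hunk.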
@@ -227,10 +227,6 @@ and now for the main flake: serviceName = "sshd"; enabled = super.services.openssh.enable; } - # { - # serviceName = "conduit"; - # enabled = super.services.matrix-conduit.enable; - # } { serviceName = "git-daemon"; enabled = super.services.gitDaemon.enable; @@ -333,14 +329,35 @@ and now for the main flake: devShell."${system}" = with pkgs; mkShell { buildInputs = [ fira-code - python3 - poetry statix deadnix + (python3.withPackages (ps: with ps; [ + octodns + octodns-providers.cloudflare + octodns-providers.bind + ])) ]; shellHook = '' ${pre-commit-check.shellHook} git config branch.main.mergeoptions "--no-ff" + + CURRENT_HOST="$(hostname)" + + TARGET_USER_RAW=$(nix eval .#nixosConfigurations."$CURRENT_HOST".config.home-manager.users --apply "u: builtins.head (builtins.attrNames u)" --raw 2>/dev/null) + + TARGET_USER=$(echo "$TARGET_USER_RAW" | xargs) + SOPS_BASE=$(nix eval .#nixosConfigurations."$CURRENT_HOST".config.home-manager.users."$TARGET_USER".sops.defaultSymlinkPath --raw 2>/dev/null) + + if [ -n "$SOPS_BASE" ] && [ -f "$SOPS_BASE/cloudflare-dns" ]; then + export CLOUDFLARE_TOKEN="$(cat "$SOPS_BASE/cloudflare-dns" | tr -d '\n')" + echo "Authenticated via sops-nix for host: $CURRENT_HOST" + else + echo "Could not resolve sops path for $CURRENT_HOST or secret is missing. Set CLOUDFLARE_TOKEN manually." + fi + + alias update-dns="octodns-sync --config-file ${self.packages."${system}".octodns} --doit --force" + alias fake-update-dns="octodns-sync --config-file ${self.packages."${system}".octodns} --force " + alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d' ''; }; @@ -468,7 +485,7 @@ graph by running ~nix build .#topology.x86_64-linux.config.output~. Variables used for regular configuration in your system ~default.nix~ file. The options are largely self-documenting. #+begin_src nix :tangle ../nix/modules/vars.nix - { lib, ... }: + { config, lib, ... }: let vars = import ../flakevars.nix; in 
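Review bot: `update-dns` combines `--doit` with `--force`, and `--force` is what disables octodns-sync's change-threshold safeguard, so a typo in the zone YAML can delete a large part of the zone in one run; drop it from the live alias and keep it only on the dry-run one if that needs it: `alias update-dns="octodns-sync --config-file ${self.packages."${system}".octodns} --doit"`. The Cloudflare token is also `export`ed into the whole dev-shell environment, where every child process (editor, language servers, the pre-commit hooks installed by the same shellHook) inherits it; scoping it to the sync command, e.g. a shell function that runs `CLOUDFLARE_TOKEN="$(tr -d '\n' < "$SOPS_BASE/cloudflare-dns")" octodns-sync …`, keeps the secret out of unrelated processes. Both `nix eval` calls hide their errors with `2>/dev/null`, so a wrong hostname or attribute path silently lands in the "set CLOUDFLARE_TOKEN manually" branch; printing stderr on failure would make that diagnosable. The `devShell` attribute set starts before the hunk.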
@@ -591,6 +608,13 @@ largely self-documenting. description = "Name of Ntfy secret for notification handling"; }; + ntfyUrl = lib.mkOption { + type = lib.types.str; + default = "ntfy.${config.monorepo.vars.remoteHost}"; + example = "ntfy.nullring.xyz"; + description = "Name of ntfy server"; + }; + monitors = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ @@ -612,11 +636,12 @@ Again, these are self documenting variables that you may see used below. These a under ~default.nix~ in the ~systems~ folder. #+begin_src nix :tangle ../nix/modules/default.nix { lib, config, pkgs, ... }: + let + dirContents = builtins.readDir ./.; + files = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name && name != "default.nix") dirContents; + in { - imports = [ - ./configuration.nix - ./vars.nix - ]; + imports = lib.mapAttrsToList (name: _: ./. + "/${name}") files; options = { monorepo = { @@ -708,14 +733,6 @@ to relevant places. templates = if config.monorepo.profiles.server.enable then { - "public-inbox-netrc" = { - owner = "public-inbox"; - group = "public-inbox"; - mode = "0400"; - content = (builtins.concatStringsSep "\n" (builtins.map (x: "machine mail.${config.monorepo.vars.orgHost} login ${x}@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}") config.monorepo.vars.projects)) + '' - machine mail.${config.monorepo.vars.orgHost} login discussion@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}''; - }; - "matterbridge" = { owner = "matterbridge"; content = '' @@ -1017,7 +1034,6 @@ This is an internet radio which will host a ton of music. ''; }; - admin.password = "changeme"; } #+end_src ** IRC 
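Review bot: `imports = lib.mapAttrsToList … files` makes every `*.nix` file in `modules/` part of every host's configuration, so the explicit list it replaces was also an allowlist: a scratch or half-finished module saved in that directory now evaluates and can enable services on the next rebuild without appearing in any import line, and the same pattern is introduced for `modules/home/default.nix` in this commit. If directory scanning is kept, state the contract above the `files` binding, e.g. `# Every regular *.nix file here except default.nix is imported unconditionally — do not leave drafts in this directory`, and consider a naming convention the filter skips (such as a leading underscore). Note also that in a git-backed flake `builtins.readDir ./.` only sees files that are tracked, so an untracked module is silently absent until it is `git add`ed.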
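Review bot: Removing the hardcoded `admin.password = "changeme"` is the right call, but nothing in the commit shows where the admin credential now comes from; the service block this line belonged to starts before the hunk, so confirm that the option is either supplied from a sops secret or is genuinely optional in that module, otherwise evaluation fails or a module default takes over. A one-line comment at the removal site saying where the password is set, e.g. `# admin password is provided via sops (see secrets.nix), never inline`, would stop the next reader from re-adding a literal.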
@@ -1356,15 +1372,15 @@ This is a basic ActivityPub server. #+end_src ** TODO matrix-appservice-irc #+begin_src nix :tangle ../nix/modules/matrix-appservice-irc.nix - { lib, config, ... }: + { ... }: { - enable = lib.mkDefault config.monorepo.profiles.server.enable; - registrationUrl = "localhost"; + # enable = lib.mkDefault config.monorepo.profiles.server.enable; + # registrationUrl = "localhost"; - settings = { - homeserver.url = "https://matrix.nullring.xyz"; - homserver.domain = "matrix.nullring.xyz"; - }; + # settings = { + # homeserver.url = "https://matrix.nullring.xyz"; + # homserver.domain = "matrix.nullring.xyz"; + # }; } #+end_src ** Gitolite @@ -1598,7 +1614,7 @@ I want to have notifications on my phone, and run my own server to do this. #+begin_src nix :tangle ../nix/modules/ntfy-sh.nix { pkgs, lib, config, ... }: let - serverName = "ntfy.${config.monorepo.vars.remoteHost}"; + serverName = "${config.monorepo.vars.ntfyUrl}"; port = 2586; ntfySecret = config.monorepo.vars.ntfySecret; in @@ -1701,16 +1717,21 @@ to the outside world under a domain. enableACME = true; locations."/" = { extraConfig = '' - add_header Cache-Control "no-cache, must-revalidate"; - expires off; + add_header Cache-Control "no-cache, must-revalidate"; + expires off; ''; }; + locations."~* \\.(?:woff2|ttf|otf|eot|woff|ico|css|js|gif|jpe?g|png|svg|mp3|mp4|iso|webmanifest)$" = { extraConfig = '' - add_header Cache-Control "public, max-age=31536000, immutable"; - access_log off; + add_header Cache-Control "public, max-age=31536000, immutable"; + access_log off; ''; }; + extraConfig = '' + include ${monorepoSelf.packages.${pkgs.system}.website}/csp_headers.conf; + rewrite ^/graph_view/?(.*)$ https://graph.${config.monorepo.vars.remoteHost}/$1 permanent; + ''; }; # the port comes from ssh tunnelling 
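Review bot: The CSP `include` placed in the server-level `extraConfig` will not reach responses served by either `location` block, because nginx inherits `add_header` from the enclosing level only when the current level defines no `add_header` of its own, and both `locations."/"` and the static-asset location set `Cache-Control` — so pages and assets would ship without the policy this commit is preparing. Move `include ${monorepoSelf.packages.${pkgs.system}.website}/csp_headers.conf;` into each location's `extraConfig` next to its `Cache-Control` line (or drop the per-location `add_header`s), and add a comment explaining why it is repeated. The included name also differs from what flake.nix writes (`csp_header.conf`, singular), which would make the nginx config check fail at activation. The vhost definition starts before the hunk.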
@@ -1738,6 +1759,20 @@ to the outside world under a domain. addSSL = true; enableACME = true; }; + + "graph.${config.monorepo.vars.remoteHost}" = lib.mkIf (monorepoSelf != null) { + serverName = "graph.${config.monorepo.vars.remoteHost}"; + root = "${monorepoSelf.packages.${pkgs.system}.website}"; + addSSL = true; + enableACME = true; + locations."/" = { + extraConfig = "rewrite ^/$ /graph_view/index.html break;"; + }; + + extraConfig = '' + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none';"; + ''; + }; }; }; @@ -1747,6 +1782,8 @@ to the outside world under a domain. "${config.monorepo.vars.remoteHost}" = {}; "${config.monorepo.vars.orgHost}" = {}; "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" = {}; + "music.${config.monorepo.vars.remoteHost}" = {}; + "graph.${config.monorepo.vars.remoteHost}" = {}; }; } #+end_src @@ -1837,10 +1874,21 @@ There is a non declarative part of setting dkims and spf. password_path = "mail_monorepo_password"; in { - sops.secrets = lib.mkIf config.services.maddy.enable { - "${password_path}" = lib.mkIf config.services.maddy.enable { - format = "yaml"; - owner = "maddy"; + sops = lib.mkIf config.services.maddy.enable { + secrets = { + "${password_path}" = { + format = "yaml"; + owner = "maddy"; + }; + }; + templates = lib.mkIf config.services.public-inbox.enable { + "public-inbox-netrc" = { + owner = "public-inbox"; + group = "public-inbox"; + mode = "0400"; + content = (builtins.concatStringsSep "\n" (builtins.map (x: "machine ${emailServerName} login ${x}@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}") config.monorepo.vars.projects)) + '' + machine ${emailServerName} login discussion@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}''; + }; }; }; 
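Review bot: `script-src 'self' 'unsafe-inline' 'unsafe-eval'` on the graph host leaves script execution essentially unrestricted, so this policy does not mitigate injected or inline scripts; it presumably mirrors what the org-roam-ui bundle needs (worth confirming in a browser console with the `unsafe-*` tokens removed, and if only `'unsafe-inline'` is required a hash or nonce for the specific inline scripts is the safer replacement). Whatever is kept, add `base-uri 'self'` and a `frame-ancestors` directive (`'none'`, or the main host if the site embeds the graph in an iframe) and the `always` flag so the header is also sent on 4xx/5xx responses: `add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'none';" always;`. Since `root` is the whole `website` package rather than its `graph_view` subdirectory, every page of the main site is also reachable under `graph.…`; harmless for public content, but a comment saying so would make it clearly intentional.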
@@ -1895,18 +1943,16 @@ There is a non declarative part of setting dkims and spf. ''; serviceConfig = { - # Allow the service to see the file it just created BindPaths = [ "/var/lib/public-inbox" "${config.users.users.git.home}" ]; ReadOnlyPaths = [ "/var/lib/public-inbox/style.css" ]; - # Ensure it can actually write to the directory during preStart ReadWritePaths = [ "/var/lib/public-inbox" ]; }; } else {}; - systemd.services.public-inbox-watch = if config.monorepo.profiles.server.enable then { + systemd.services.public-inbox-watch = if config.services.public-inbox.enable then { after = [ "sops-nix.service" ]; confinement.enable = lib.mkForce false; preStart = '' @@ -1936,7 +1982,7 @@ There is a non declarative part of setting dkims and spf. } else {}; services.public-inbox = { - enable = lib.mkDefault config.monorepo.profiles.server.enable; + enable = lib.mkDefault config.services.maddy.enable; settings = { coderepo = lib.genAttrs config.monorepo.vars.projects (name: { dir = "${config.users.users.git.home}/${name}.git"; @@ -2333,35 +2379,6 @@ because they enhance security. vmHosts = map (dom: "127.0.0.1 ${dom}") allDomains; in { - imports = [ - ./cgit.nix - ./public_inbox.nix - ./matterbridge.nix - ./mautrix.nix - ./xserver.nix - ./ssh.nix - ./pipewire.nix - ./tor.nix - ./kubo.nix - ./nvidia.nix - ./cuda.nix - ./nginx.nix - ./secrets.nix - ./git-daemon.nix - ./ollama.nix - ./i2pd.nix - ./conduit.nix - ./bitcoin.nix - ./ngircd.nix - ./znc.nix - ./docker.nix - ./impermanence.nix - ./maddy.nix - ./ntfy-sh.nix - ./fail2ban.nix - ./nixpkgs-options.nix - ]; - environment.etc."wpa_supplicant.conf".text = '' country=CA ''; 
@@ -2925,10 +2942,13 @@ This is all configuration common to any GPT partitioned drive. I dynamically cho *** ESP Boot Partition #+begin_src nix :tangle ../nix/disko/esp-boot.nix { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; } #+end_src *** Btrfs @@ -2936,10 +2956,8 @@ This is a fully featured drive configuration and the recommended configuration t Btrfs enables you to enable impermanence and also encrypt the drive with ~/tmp/secret.key~. #+begin_src nix :tangle ../nix/disko/btrfs.nix { - ESP = { + ESP = (import ./esp-boot.nix) // { size = "512M"; - type = "EF00"; - content = import ./esp-boot.nix; }; luks = { size = "100%"; @@ -2993,11 +3011,9 @@ This configuration is used for simple partitioning schemes with EFI. A simple ex should be using EFI if you can. #+begin_src nix :tangle ../nix/disko/ext4.nix { - ESP = { - type = "EF00"; + ESP = (import ./esp-boot.nix) // { size = "500M"; priority = 1; - content = import ./esp-boot.nix; }; root = { size = "100%"; 
@@ -3042,31 +3058,14 @@ As you can see, I have my installed home packages installed based on the profile I have many imports that we'll go through next. #+begin_src nix :tangle ../nix/modules/home/default.nix { lib, config, pkgs, sops-nix, super, ... }: + let + dirContents = builtins.readDir ./.; + files = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name && name != "default.nix" && name != "emacs-packages.nix") dirContents; + in { imports = [ sops-nix.homeManagerModules.sops - ../vars.nix - ./fcitx.nix - ./emacs.nix - ./firefox.nix - ./git.nix - ./hyprland.nix - ./mpv.nix - ./yt-dlp.nix - ./wofi.nix - ./kitty.nix - ./waybar.nix - ./zsh.nix - ./mbsync.nix - ./msmtp.nix - ./gammastep.nix - ./mpd.nix - ./mako.nix - ./user.nix - ./gtk.nix - ./secrets.nix - ./pantalaimon.nix - ]; + ] ++ lib.mapAttrsToList (name: _: ./. + "/${name}") files; options = { monorepo.profiles = { 
@@ -3869,15 +3868,15 @@ just set the options to the ones you want in your system ~default.nix~. This mpd configuration uses pipewire by default, and it should just work if you place music in the ~~/music~ directory and then run ~mpc add /~ afterwards. #+begin_src nix :tangle ../nix/modules/home/mpd.nix - { lib, config, ... }: + { lib, config, super, ... }: { services.mpd = { enable = lib.mkDefault config.monorepo.profiles.music.enable; - dbFile = "/home/${config.monorepo.vars.userName}/.config/mpd/db"; - dataDir = "/home/${config.monorepo.vars.userName}/.config/mpd/"; + dbFile = "/home/${super.monorepo.vars.userName}/.config/mpd/db"; + dataDir = "/home/${super.monorepo.vars.userName}/.config/mpd/"; network.port = 6600; - musicDirectory = "/home/${config.monorepo.vars.userName}/music"; - playlistDirectory = "/home/${config.monorepo.vars.userName}/.config/mpd/playlists"; + musicDirectory = "/home/${super.monorepo.vars.userName}/music"; + playlistDirectory = "/home/${super.monorepo.vars.userName}/.config/mpd/playlists"; network.listenAddress = "0.0.0.0"; extraConfig = '' audio_output { @@ -3965,7 +3964,7 @@ here: This is the bar I use for my hyprland configuration. You will need to adjust the monitors field in the ~default.nix~ for it to really appear. #+begin_src nix :tangle ../nix/modules/home/waybar.nix - { lib, config, ... }: + { lib, config, super, ... }: { programs.waybar = { enable = lib.mkDefault config.monorepo.profiles.hyprland.enable; @@ -4221,7 +4220,7 @@ in the ~default.nix~ for it to really appear. position = "top"; height = 50; - output = config.monorepo.vars.monitors; + output = super.monorepo.vars.monitors; modules-left = [ "hyprland/workspaces" ]; modules-center = [ "hyprland/window" ]; 
@@ -4475,7 +4474,7 @@ A classic program that allows you to download from youtube. Also has integration My zsh config has some useful aliases that one should read through. Otherwise it is pretty standard. #+begin_src nix :tangle ../nix/modules/home/zsh.nix - { config, pkgs, systemHostName, ... }: + { pkgs, systemHostName, super, ... }: { programs.zsh = { enable = true; @@ -4510,9 +4509,9 @@ standard. build-installer = "nix build $HOME/monorepo/nix#nixosConfigurations.installer.config.system.build.isoImage"; rb = "sudo nixos-rebuild switch --flake $HOME/monorepo/nix#${systemHostName}"; nfu = "cd ~/monorepo/nix && git add . && git commit -m \"new flake lock\" && nix flake update"; - usync = "rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/monorepo/result/ root@${config.monorepo.vars.remoteHost}:/var/www/${config.monorepo.vars.internetName}-website/"; + usync = "rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/monorepo/result/ root@${super.monorepo.vars.remoteHost}:/var/www/${super.monorepo.vars.internetName}-website/"; usite - = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${config.monorepo.vars.remoteHost}:/var/www/${config.monorepo.vars.internetName}-website/"; + = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${super.monorepo.vars.remoteHost}:/var/www/${super.monorepo.vars.internetName}-website/"; sai = "eval \"$(ssh-agent -s)\" && ssh-add ~/.ssh/id_ed25519 && ssh-add -l"; }; loginExtra = '' 
@@ -4528,33 +4527,33 @@ This configuration is the backbone configuration for the default user. It specif generally useful packages and something every home should have, as well as some dependencies for these configurations. #+begin_src nix :tangle ../nix/modules/home/user.nix - { lib, config, pkgs, ... }: + { lib, config, pkgs, super, ... }: { home = { activation.startup-files = lib.hm.dag.entryAfter [ "installPackages" ] '' - if [ ! -d "/home/${config.monorepo.vars.userName}/email/${config.monorepo.vars.internetName}/" ]; then - mkdir -p /home/${config.monorepo.vars.userName}/email/${config.monorepo.vars.internetName}/ + if [ ! -d "/home/${super.monorepo.vars.userName}/email/${super.monorepo.vars.internetName}/" ]; then + mkdir -p /home/${super.monorepo.vars.userName}/email/${super.monorepo.vars.internetName}/ fi - if [ ! -d "/home/${config.monorepo.vars.userName}/music" ]; then - mkdir -p /home/${config.monorepo.vars.userName}/music + if [ ! -d "/home/${super.monorepo.vars.userName}/music" ]; then + mkdir -p /home/${super.monorepo.vars.userName}/music fi - if [ ! -d /home/${config.monorepo.vars.userName}/org ]; then - mkdir -p /home/${config.monorepo.vars.userName}/org + if [ ! -d /home/${super.monorepo.vars.userName}/org ]; then + mkdir -p /home/${super.monorepo.vars.userName}/org fi - if [ ! -d /home/${config.monorepo.vars.userName}/src ]; then - mkdir -p /home/${config.monorepo.vars.userName}/src + if [ ! 
-d /home/${super.monorepo.vars.userName}/src ]; then + mkdir -p /home/${super.monorepo.vars.userName}/src fi - touch /home/${config.monorepo.vars.userName}/org/agenda.org - touch /home/${config.monorepo.vars.userName}/org/notes.org + touch /home/${super.monorepo.vars.userName}/org/agenda.org + touch /home/${super.monorepo.vars.userName}/org/notes.org ''; enableNixpkgsReleaseCheck = false; - username = config.monorepo.vars.userName; - homeDirectory = "/home/${config.monorepo.vars.userName}"; + username = super.monorepo.vars.userName; + homeDirectory = "/home/${super.monorepo.vars.userName}"; stateVersion = "24.11"; packages = with pkgs; (if config.monorepo.profiles.graphics.enable then [ diff --git a/flake.nix b/flake.nix index 8d66f68..57e70b9 100644 --- a/flake.nix +++ b/flake.nix @@ -56,6 +56,8 @@ ntfyFile = affinity.config.monorepo.vars.ntfySecret; + ntfyHost = "https://${spontaneity.config.monorepo.vars.ntfyUrl}"; + topology = nixmacs.topology.x86_64-linux.config.output; pre-commit-check = git-hooks.lib.${system}.run { @@ -68,14 +70,15 @@ description = "Ensure website can build, and tests links"; stages = [ "pre-merge-commit" ]; entry = "${pkgs.writeShellScript "website-check" '' -set -e -set -o pipefail +set -e +set -o pipefail trap "echo -e '\nHook interrupted by user. Aborting merge!'; exit 1" INT TERM BRANCH=$(git branch --show-current) if [ "$BRANCH" != "main" ]; then exit 0 fi + RESULT_PATH=$(nix build .#website --no-link --print-out-paths) if [ -d "$RESULT_PATH" ]; then echo "Running lychee link check..." 
@@ -85,11 +88,11 @@ if [ -d "$RESULT_PATH" ]; then --no-progress \ "$RESULT_PATH/**/*.html" - curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks done!" https://ntfy.ret2pop.net/ci-build + curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks done!" ${ntfyHost}/ci-build else echo "Website build failed, skipping lychee." - curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks failed!" https://ntfy.ret2pop.net/ci-build + curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks failed!" ${ntfyHost}/ci-build exit 1 fi ''}"; @@ -185,9 +188,18 @@ mkdir -p $HOME/monorepo cp -a . $HOME/monorepo/ cd $HOME/monorepo mkdir -p mindmap/img + rsass style.scss | minify --type=css > style.css minify --type=css -o syntax.css syntax.css +# I want to do this so I can generate the CSP policy carefully +cat style.css syntax.css > combined.css + +CSS_HASH=$(openssl dgst -sha256 -binary combined.css | openssl base64) +cat < csp_header.conf +add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'sha256-$CSS_HASH'; font-src 'self';"; +EOF + cat < $TMPDIR/policy.xml 
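Review bot: The failure notification on the `else` branch (`curl … -d "CI checks failed!" ${ntfyHost}/ci-build`) is unlikely ever to fire: the hook runs under `set -e` and `RESULT_PATH=$(nix build …)` is a plain assignment, so a failed build aborts the script before the `if [ -d "$RESULT_PATH" ]` test. Either tolerate the failure there, `RESULT_PATH=$(nix build .#website --no-link --print-out-paths || true)`, or move the notification into an `ERR` trap beside the existing `INT TERM` trap. Separately, `-u "${internetName}:$(grep ADMIN_PASSWORD …)"` places the ntfy admin password in curl's argv, readable by any local user via `ps`; feeding it through `curl -K -` on stdin or a netrc file avoids that. The hook script starts before the hunk.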
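Review bot: The generated file is written as `csp_header.conf`, while the nginx vhost in config/nix.org includes `csp_headers.conf` from the same package, so one of the two names has to change or nginx will fail its config check. A `'sha256-…'` source in `style-src` only matches an inline `<style>` element whose bytes are exactly `combined.css`; external stylesheets are already permitted by `'self'`, so unless the build inlines that precise concatenation into each page the hash has no effect, and it will also stop matching the moment the minifier output changes — a comment such as `# hash covers an inlined copy of combined.css; any change to the CSS must rebuild this file` would make the intent explicit. Round the policy out with the directives that are otherwise missing and send it on error pages too: `add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'sha256-$CSS_HASH'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none';" always;`. The heredoc that writes the file is mangled in this rendering (`cat < csp_header.conf`), so confirm the real line is `cat <<EOF > csp_header.conf`.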
@@ -296,7 +308,7 @@ ${pre-commit-check.shellHook} git config branch.main.mergeoptions "--no-ff" alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d' alias serve='cd result; python3 -m http.server 10005' -alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "Website build done!" https://ntfy.ret2pop.net/ci-build' +alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "Website build done!" ${ntfyHost}/ci-build' ''; buildInputs = [ deadnix @@ -305,6 +317,7 @@ alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}: miniserve rsass imagemagickBig + google-lighthouse ]; }; }; diff --git a/index.org b/index.org index d844efe..a6df6b9 100644 --- a/index.org +++ b/index.org @@ -8,6 +8,7 @@ #+HTML_HEAD: #+attr_html: :width 595 :height 746 +#+attr_html: :alt My ret2pop logo #+caption: All Hope Abandon, Ye Who Enter Here [[./img/logo.webp]] @@ -35,6 +36,7 @@ Click the hyperlink to find out! In case you didn't see: - [[file:mindmap/index.org][Mindmap]] - [[file:mindmap/index.org][Mindmap]] * [[file:config/index.org][Configurations]] +#+attr_html: :alt nix topology graph of all my systems [[./img/topology.svg]] Most of my configurations/dotfiles for various programs are literate configurations, and I @@ -76,6 +78,7 @@ Alternatively for all of these addresses, you can use ~ret2pop.eth~, if you can An anonymous form of ecash, the only one out of these that is actually being used for the purpose of currency (on the dark web): #+attr_html: :width 240 :height 240 +#+attr_html: :alt XMR QR code [[./img/monero.webp]] #+begin_example 88DQVgiowjJLwsHfTaNjNgJ9Wu4Pw9msie89M2fMrTVJeDEnzqwYMQjX9nAnEDegWrU9LsJdNYp5EKkzxT73DuD6EGa9eWf 
@@ -84,6 +87,7 @@ of currency (on the dark web): Utility in the form of smart contracts (which are perhaps useful for something important in the future), with first mover advantage in this regard: #+attr_html: :width 147 :height 147 +#+attr_html: :alt ETH QR code [[./img/eth.webp]] #+begin_example 0x135Ed80afB7Cd06E494e5Bb737Da8D4B23153480 @@ -93,6 +97,7 @@ Note that this includes subprojects such as LINK which I find to have some value The standard, and probably will continue to be used as a prediction market/speculative asset for the efficacy of other cryptocurrencies: #+attr_html: :width 147 :height 147 +#+attr_html: :alt bitcoin QR code [[./img/bitcoin.webp]] #+begin_example bc1qaymk2ky8unwq7jdydjw6y9a5xr9z60mkds9ttq diff --git a/mindmap/LRC circuit.org b/mindmap/LRC circuit.org index f685940..0df7bdc 100644 --- a/mindmap/LRC circuit.org +++ b/mindmap/LRC circuit.org @@ -38,6 +38,7 @@ another circuit diagram will include a possibly variable voltage source. #+end_export #+CAPTION: LRC Circuit without voltage source +#+attr_html: :alt Homogeneous LRC circuit diagram #+attr_html: :width 400 :height 310 [[./lrc_circuit.png]] @@ -115,6 +116,7 @@ Here is the circuit diagram for the LRC circuit with a voltage source: #+end_export #+CAPTION: LRC Circuit +#+attr_html: :alt Circuit diagram with AC voltage source #+attr_html: :width 400 :height 319 [[./lrc_circuit_source.png]] This new [[id:4be41e2e-52b9-4cd1-ac4c-7ecb57106692][differential equation]] looks like this: diff --git a/mindmap/Laplace Transform.org b/mindmap/Laplace Transform.org index 8113a6e..f5552e9 100644 --- a/mindmap/Laplace Transform.org +++ b/mindmap/Laplace Transform.org @@ -3,6 +3,7 @@ :END: #+title: Laplace Transform #+author: Preston Pan +#+description: The algebra of differential equations. #+options: broken-links:t diff --git a/mindmap/philosophy.org b/mindmap/philosophy.org index 7fe892f..0e9d2c9 100644 --- a/mindmap/philosophy.org +++ b/mindmap/philosophy.org 
@@ -3,6 +3,7 @@ :END: #+title: philosophy #+author: Preston Pan +#+description: But what is philosophy? #+options: broken-links:t * Introduction diff --git a/mindmap/physics.org b/mindmap/physics.org index 35d7508..22fa0c8 100644 --- a/mindmap/physics.org +++ b/mindmap/physics.org @@ -3,6 +3,7 @@ :END: #+title: physics #+author: Preston Pan +#+description: What happens when things exist. #+options: broken-links:t diff --git a/mindmap/prv_LRC_circuit.org.log b/mindmap/prv_LRC_circuit.org.log deleted file mode 100644 index b841f4f..0000000 --- a/mindmap/prv_LRC_circuit.org.log +++ /dev/null 
@@ -1,35 +0,0 @@ -This is XeTeX, Version 3.141592653-2.6-0.999995 (TeX Live 2023/nixos.org) (preloaded format=xelatex 1980.1.1) 3 JAN 2025 14:31 -entering extended mode - restricted \write18 enabled. - %&-line parsing enabled. -**&xelatex prv_LRC_circuit.org.ini \nonstopmode\nofiles\PassOptionsToPackage{active,tightpage,auctex}{preview}\AtBeginDocument{\ifx\ifPreview\undefined\RequirePackage[displaymath,textmath,graphics]{preview}[2004/11/05]\fi} \input \detokenize{ "LRC circuit.org.tex" } -(./prv_LRC_circuit.org.ini -LaTeX2e <2023-11-01> patch level 1 -L3 programming layer <2024-02-20> -(/nix/store/w8fdfdyc5l71qr9m42h2fpifzxp9p5mn-texlive-2023-env-texmfdist/tex/latex/mylatex/mylatex.ltx)) (/nix/store/w8fdfdyc5l71qr9m42h2fpifzxp9p5mn-texlive-2023-env-texmfdist/tex/latex/tools/.tex File ignored) -No auxiliary output files. - -! I can't find file `"LRC circuit.org.tex"'. - "LRC circuit.org.tex" - -<*> ...\input \detokenize{ "LRC circuit.org.tex" } - -(Press Enter to retry, or Control-D to exit) -Please type another input file name -! Emergency stop. - "LRC circuit.org.tex" - -<*> ...\input \detokenize{ "LRC circuit.org.tex" } - -*** (job aborted, file error in nonstop mode) - - -Here is how much of TeX's memory you used: - 39 strings out of 474773 - 1168 string characters out of 5739028 - 1917839 words of memory out of 5000000 - 22285 multiletter control sequences out of 15000+600000 - 558069 words of font info for 36 fonts, out of 8000000 for 9000 - 1348 hyphenation exceptions out of 8191 - 13i,0n,22p,396b,12s stack positions out of 10000i,1000n,20000p,200000b,200000s -No pages of output. diff --git a/mindmap/special relativity.org b/mindmap/special relativity.org index aca50de..9e6c4b2 100644 --- a/mindmap/special relativity.org +++ b/mindmap/special relativity.org 
@@ -32,6 +32,7 @@ no information can either; light in this case can be replaced with something els once the light reaches the roof from the floor, where this distance is $d$ meters, $\frac{d}{c}$ seconds will have passed for Bob. #+caption: A very scientifically accurate drawing of the situation +#+attr_html: :alt Bad drawing of a reference frame with velocity #+attr_html: :width 1800 :height 1800 [[../img/relativity1.webp]] diff --git a/nix b/nix index 7e0ff16..44521f8 160000 --- a/nix +++ b/nix @@ -1 +1 @@ -Subproject commit 7e0ff1661d94a061d0ad6db72803d211f9df4638 +Subproject commit 44521f898a8e71361e81d42adca748964a457f31 diff --git a/style.scss b/style.scss index db04896..dc90ab0 100644 --- a/style.scss +++ b/style.scss @@ -102,6 +102,11 @@ body { flex-direction: column; align-items: center; min-height: 100vh; + + @media (max-width: 1250px) { + padding-left: 0; + font-size: 20px; + } } h1, h2, h3 { line-height: 1.2; font-family: var(--font-header), serif; } @@ -123,7 +128,14 @@ h1 { line-height: 1.3; } -h2 { font-size: 1.6rem; margin-top: 2.5rem; margin-bottom: 0.6rem; } +h2 { + font-size: 1.6rem; + margin-top: 2.5rem; + margin-bottom: 0.6rem; + + @media (max-width: 768px) { font-size: 1.5rem; } +} + h3 { font-size: 1.25rem; font-weight: 700; margin-top: 2rem; margin-bottom: 0.4rem; letter-spacing: 0.02em; } h4 { font-size: 1.1rem; font-weight: 700; color: var(--text-main); } h5 { font-size: 1rem; font-weight: 700; color: var(--link-color); } @@ -616,23 +628,14 @@ pre { } h2 { display: none !important; } + + @media (max-width: 1250px) { display: none !important; } } #postamble { text-align: center; } -@media (max-width: 1250px) { - body { - padding-left: 0; - font-size: 20px; - } - #table-of-contents { display: none !important; } - h1 { font-size: 1.8rem; } - h2 { font-size: 18px; } -} @media (max-width: 768px) { - h2 { font-size: 1.5rem; } - blockquote, .src, .example { max-width: 100%; width: 100%; -- cgit v1.3 
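Review bot: The `h1 { font-size: 1.8rem; }` and `h2 { font-size: 18px; }` rules in the removed `@media (max-width: 1250px)` block at the end of this hunk have no counterpart in the nested rules this diff adds — the `body` and table-of-contents parts were moved, but the `h2` block earlier in the file only gained a 768px rule. If headings should still shrink on ≤1250px viewports, nest them the same way, e.g. `@media (max-width: 1250px) { font-size: 1.8rem; }` inside the `h1` block; if dropping them is intended, a line in the commit message would save the next reader the same check. The selector block that the first `+` lines belong to starts above the hunk, so I can only infer it is the table-of-contents block.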
From a18bafba09090a113927b3e3cc639ce4962e8f5c Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Tue, 10 Mar 2026 17:57:47 -0700 Subject: add hook --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7e1b138..0bf6053 120000 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1 +1 @@ -/nix/store/j3mz2szdrll59q7blqhiy70j1dij3wnq-pre-commit-config.json \ No newline at end of file +/nix/store/ganmcifhn2hwk9jmmfs1fy1jg2v4a8wd-pre-commit-config.json \ No newline at end of file -- cgit v1.3 From 72d9b0f77016ff0058a2bda873c7bd71caa8649e Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Tue, 10 Mar 2026 18:41:22 -0700 Subject: add csp hash test --- flake.nix | 52 +++++++++++++++++++++++++++++++++++++------------- tests/test-csp-hash.py | 10 ++++++++++ 2 files changed, 49 insertions(+), 13 deletions(-) create mode 100644 tests/test-csp-hash.py diff --git a/flake.nix b/flake.nix index 57e70b9..ad7a690 100644 --- a/flake.nix +++ b/flake.nix @@ -60,6 +60,8 @@ topology = nixmacs.topology.x86_64-linux.config.output; + mkNotification = msg: ''curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "${msg}" ${ntfyHost}/ci-build''; + pre-commit-check = git-hooks.lib.${system}.run { src = ./.; hooks = { 
@@ -79,20 +81,41 @@ if [ "$BRANCH" != "main" ]; then exit 0 fi +set +e RESULT_PATH=$(nix build .#website --no-link --print-out-paths) -if [ -d "$RESULT_PATH" ]; then - echo "Running lychee link check..." - ${pkgs.lychee}/bin/lychee --root-dir "$RESULT_PATH" \ - --offline \ - --verbose \ - --no-progress \ - "$RESULT_PATH/**/*.html" - - curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks done!" ${ntfyHost}/ci-build -else - echo "Website build failed, skipping lychee." +BUILD_STATUS=$? +set -e - curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks failed!" ${ntfyHost}/ci-build +if [ $BUILD_STATUS -eq 0 ] && [ -d "$RESULT_PATH" ]; then + echo "Running lychee link check..." + set +e + ${pkgs.lychee}/bin/lychee --root-dir "$RESULT_PATH" \ + --offline \ + --verbose \ + --no-progress \ + "$RESULT_PATH/**/*.html" + LYCHEE_STATUS=$? + set -e + + if [ $LYCHEE_STATUS -ne 0 ]; then + echo "Lychee found broken links!" + ${mkNotification "CI checks failed: Broken links!"} + exit 1 + fi + + INJECT_HASH="$(python3 tests/test-csp-hash.py "$RESULT_PATH/index.html")" + CSS_HASH="$(openssl dgst -sha256 -binary "$RESULT_PATH/combined.css" | openssl base64)" + + if [ "$INJECT_HASH" != "$CSS_HASH" ]; then + echo "Security headers test failed!" + ${mkNotification "CI checks failed: CSP hash mismatch!"} + exit 1 + fi + + ${mkNotification "CI checks done!"} +else + echo "Website build failed, skipping lychee and CSP tests." + ${mkNotification "CI checks failed!"} exit 1 fi ''}"; @@ -165,6 +188,7 @@ fi pkgs.rsass pkgs.minify pkgs.woff2 + pkgs.openssl (pkgs.texlive.combine { inherit (pkgs.texlive) 
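Review bot: The new CSP step calls `python3` and `openssl` by bare name while the lychee call a few lines above pins `${pkgs.lychee}/bin/lychee`; a pre-merge hook runs with whatever PATH the committer's shell happens to have, so pin these too, `INJECT_HASH="$(${pkgs.python3}/bin/python3 tests/test-csp-hash.py "$RESULT_PATH/index.html")"` and `CSS_HASH="$(${pkgs.openssl}/bin/openssl dgst -sha256 -binary "$RESULT_PATH/combined.css" | ${pkgs.openssl}/bin/openssl base64)"` (the `pkgs.openssl` added further down only reaches the devShell). When `tests/test-csp-hash.py` finds no `<style>` element it prints an error and exits non-zero, and because that happens inside an assignment under `set -e` the hook dies there without the "Security headers test failed!" echo or the failure notification — capture its status with the same `set +e`/`$?` pattern used for lychee if that path should also report. Only `index.html` is hashed; if any other generated page inlines a different style body, a header built from this single hash would block it, so iterating over `"$RESULT_PATH"/**/*.html` as lychee does would make the guarantee match the header. The hook script continues past the end of the hunk.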
@@ -308,7 +332,7 @@ ${pre-commit-check.shellHook} git config branch.main.mergeoptions "--no-ff" alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d' alias serve='cd result; python3 -m http.server 10005' -alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "Website build done!" ${ntfyHost}/ci-build' +alias build='nix build .#website && ${mkNotification "CI build done!"} ' ''; buildInputs = [ deadnix @@ -318,6 +342,8 @@ alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}: rsass imagemagickBig google-lighthouse + openssl + git ]; }; }; diff --git a/tests/test-csp-hash.py b/tests/test-csp-hash.py new file mode 100644 index 0000000..8401979 --- /dev/null +++ b/tests/test-csp-hash.py @@ -0,0 +1,10 @@ +import sys, re, hashlib, base64 +html = open(sys.argv[1]).read() +match = re.search(r']*>(.*?)', html, re.DOTALL | re.IGNORECASE) +if match: + content = match.group(1).encode('utf-8') + print(base64.b64encode(hashlib.sha256(content).digest()).decode()) + exit(0) +else: + print('Error: Still could not find a ")) + "") "add all these different headers for performance and compliance") (org-latex-to-html-convert-command - "printf '%%s' %i | pandoc -f latex -t html --mathml | tr -d '\\n' | sed -e 's/^

//' -e 's/<\\/p>$//'") + "printf '%%s' %i | pandoc -f latex -t html --mathml | tr -d '\\n' | sed -e 's/^

//' -e 's/<\\/p>$//'" "latex to MathML with special character handling") (org-html-viewport '((width "device-width") (initial-scale "1.0") (minimum-scale "1.0")) "Prevent zooming out past default size") @@ -408,13 +408,6 @@ Org superstar adds those nice looking utf-8 bullets: ** LSP We set up eglot, the LSP manager for emacs, now built in: #+begin_src emacs-lisp :tangle ../nix/init.el - ;; (use-package eglot - ;; :hook - ;; (prog-mode . eglot-ensure) - ;; (nix-mode . eglot-ensure) - ;; :config - ;; (add-to-list 'eglot-server-programs '(nix-mode . ("nil")))) - (use-package lsp :hook (prog-mode . lsp)) diff --git a/flake.nix b/flake.nix index 09c8ea9..a524c32 100644 --- a/flake.nix +++ b/flake.nix @@ -66,15 +66,28 @@ src = ./.; hooks = { deadnix.enable = true; - test-spontaneity-vm-with-site = { + spontaneity-smoke-test = { enable = true; - name = "spontaneity-vm"; - description = "test boot the spontaneity vm to check nginx config. Required test as we inject monorepoSelf variable."; + name = "Spontaneity smoke test"; + description = "tests if nginx is active/if the config works."; stages = [ "pre-merge-commit" ]; - entry = "${pkgs.writeShellScript "website-check" '' -nix build .#spontaneity -''}"; + entry = '' +set -e +set -o pipefail +trap "echo -e '\nHook interrupted by user. Aborting merge!'; exit 1" INT TERM + +BRANCH=$(git branch --show-current) +if [ "$BRANCH" != "main" ]; then + exit 0 +fi + +set +e +nix build .#checks.${system}.spontaneity-website-test --no-link +set -e +''; + pass_filenames = false; }; + website-build-check = { enable = true; name = "website-build"; -- cgit v1.3 From d7f5cec11ea4b269aae8a7251009546263c9747e Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 00:32:26 -0700 Subject: new nix commit --- nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix b/nix index 2cae1e9..db63be0 160000 --- a/nix +++ b/nix 
@@ -1 +1 @@ -Subproject commit 2cae1e9468fcead554f54672fc2250ec31769f1f +Subproject commit db63be0ac07cd5c2dad8f316250c6a6115f21c63 -- cgit v1.3 From 699dcef30fc987ab0de9f6068de3999163b04e93 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 01:11:12 -0700 Subject: new stuff --- config/nix.org | 1 - flake.nix | 7 ++++--- nix | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/nix.org b/config/nix.org index 1939a28..89928d5 100644 --- a/config/nix.org +++ b/config/nix.org @@ -2738,7 +2738,6 @@ because they enhance security. programs = { nix-ld.enable = true; zsh.enable = true; - light.enable = true; ssh.enableAskPassword = false; }; diff --git a/flake.nix b/flake.nix index a524c32..7c309c8 100644 --- a/flake.nix +++ b/flake.nix @@ -346,7 +346,7 @@ sha256sum installer.iso > installer.iso.sha256 node.specialArgs = { monorepoSelf = self; isIntegrationTest = true; - }; + } // nixmacs.inputs; nodes."spontaneity" = { lib, ... }: { imports = nixmacs.lib.mkHostModules "spontaneity" ++ [ @@ -359,8 +359,9 @@ sha256sum installer.iso > installer.iso.sha256 nixpkgs.overlays = lib.mkForce []; } ]; - disabledModules = [ - "${nixmacs}/systems/spontaneity/hardware-configuration.nix" + disabledModules = [ + "${self}/nix/modules/nixpkgs-options.nix" + "${self}/nix/systems/spontaneity/hardware-configuration.nix" ]; }; diff --git a/nix b/nix index db63be0..202612a 160000 --- a/nix +++ b/nix @@ -1 +1 @@ -Subproject commit db63be0ac07cd5c2dad8f316250c6a6115f21c63 +Subproject commit 202612ad3fabefa274423bb24f955157b9a290a0 -- cgit v1.3 From 90c57b64ed82a940dea155161e0833040f540963 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 01:22:15 -0700 Subject: hooks --- .pre-commit-config.yaml | 2 +- flake.nix | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d1c0e1d..6fc3ea7 120000 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
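Review bot: `} // nixmacs.inputs;` on the `+` line puts the flake inputs on the right-hand side of the update, so any input named `monorepoSelf` or `isIntegrationTest` would silently override the two flags set just above it; I cannot see `nixmacs.inputs` here, so this is a hedge rather than an observed collision, but `node.specialArgs = nixmacs.inputs // { monorepoSelf = self; isIntegrationTest = true; };` makes the test's own values win and reads as intended. The enclosing `spontaneity-website-test` attribute set starts before the hunk.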
@@ -1 +1 @@ -/nix/store/1gjsgdiq4mwrd8i3a1kz44s7l8nw2n37-pre-commit-config.json \ No newline at end of file +/nix/store/wdcgkxxwf6dl5bbjf550ys96hpr97ibw-pre-commit-config.json \ No newline at end of file diff --git a/flake.nix b/flake.nix index 7c309c8..17ff339 100644 --- a/flake.nix +++ b/flake.nix @@ -83,7 +83,13 @@ fi set +e nix build .#checks.${system}.spontaneity-website-test --no-link +BUILD_STATUS=$? set -e + +if [ $BUILD_STATUS -neq 0 ]; then + echo "Failed to build the website with spontaneity!" + exit $BUILD_STATUS +fi ''; pass_filenames = false; }; @@ -340,7 +346,7 @@ sha256sum installer.iso > installer.iso.sha256 checks."${system}" = { build-website = website; - spontaneity-website-test = pkgs.testers.runNixOSTest { + spontaneity-website-test = nixmacs.inputs.nixpkgs.legacyPackages."${system}".testers.runNixOSTest { name = "spontaneity-website-test"; node.specialArgs = { @@ -350,7 +356,7 @@ sha256sum installer.iso > installer.iso.sha256 nodes."spontaneity" = { lib, ... }: { imports = nixmacs.lib.mkHostModules "spontaneity" ++ [ - "${nixpkgs}/nixos/modules/misc/nixpkgs/read-only.nix" + "${nixmacs.inputs.nixpkgs}/nixos/modules/misc/nixpkgs/read-only.nix" { nixpkgs.pkgs = lib.mkVMOverride self.nixosConfigurations.spontaneity.pkgs; nixpkgs.config = lib.mkForce {}; @@ -388,6 +394,7 @@ git config branch.main.mergeoptions "--no-ff" alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d' alias serve='cd result; python3 -m http.server 10005' alias build='nix build .#website && ${mkNotification "CI build done!"} ' +alias check='nix flake check; ${mkNotification "flake checks done!"} ' ''; buildInputs = [ deadnix -- cgit v1.3 From 0e86238729b06b83bf2c518da90abeb25c1b2cc1 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 14:36:32 -0700 Subject: smoke test passes --- config/nix.org | 5 ++++- flake.nix | 6 +++--- nix | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-) 
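Review bot: `if [ $BUILD_STATUS -neq 0 ]; then` uses an operator `[` does not have — the integer comparison is `-ne` — so the test prints `-neq: binary operator expected`, returns 2, and the body never runs; a false condition in an `if` is exempt from `set -e`, so the hook still exits 0 when the VM check fails, which makes the gate this hunk adds fail-open. Change it to `if [ "$BUILD_STATUS" -ne 0 ]; then`. The same line is still visible as context in the later "typo" commit's `@@ -90,7 +90,7 @@` hunk, so it has not been corrected since. The hook script starts before this hunk, inside the `entry` string.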
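Review bot: The new `check` alias joins its two commands with `;`, so "flake checks done!" is sent even when `nix flake check` fails, whereas the `build` alias directly above gates the notification with `&&`. For consistency and an honest signal, `alias check='nix flake check && ${mkNotification "flake checks done!"} '`, optionally with a second `mkNotification` for the failure branch. The shellHook string both aliases live in starts above the hunk.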
diff --git a/config/nix.org b/config/nix.org index 89928d5..c355ba5 100644 --- a/config/nix.org +++ b/config/nix.org @@ -1733,7 +1733,7 @@ to the outside world under a domain. ''; }; extraConfig = '' - include ${monorepoSelf.packages.${pkgs.system}.website}/csp_headers.conf; + include ${monorepoSelf.packages.${pkgs.system}.website}/csp_header.conf; rewrite ^/graph_view/?(.*)$ https://graph.${config.monorepo.vars.remoteHost}/$1 permanent; ''; }; @@ -2396,6 +2396,7 @@ because they enhance security. memoryPercent = 50; }; + # Shim for testing virtualisation.vmVariant = { sops.validateSopsFiles = false; disko.devices = lib.mkForce {}; @@ -2424,6 +2425,8 @@ because they enhance security. systemd.services.sops-nix = { unitConfig.RequiresMountsFor = "/home/preston/.config/sops/age"; }; + + security.acme.defaults.server = lib.mkForce "https://127.0.0.1:14000/dir"; }; documentation = { diff --git a/flake.nix b/flake.nix index 17ff339..228e15a 100644 --- a/flake.nix +++ b/flake.nix @@ -373,10 +373,10 @@ sha256sum installer.iso > installer.iso.sha256 testScript = '' spontaneity.start() -spontaneity.wait_for_unit("nginx.service") -spontaneity.wait_for_open_port(443) +spontaneity.succeed('printf "smoke"') +spontaneity.wait_for_unit("default.target") spontaneity.succeed("systemctl is-active nginx") -spontaneity.succeed("echo 'smoke'") +spontaneity.succeed('printf "smoke again"') ''; }; }; diff --git a/nix b/nix index 202612a..7185f3f 160000 --- a/nix +++ b/nix @@ -1 +1 @@ -Subproject commit 202612ad3fabefa274423bb24f955157b9a290a0 +Subproject commit 7185f3f185bbfe594dbf11a31a2e7d78d5b72f09 -- cgit v1.3 From 8f0e761380481b9bc9c511530b19ad14e87e57c8 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 14:39:06 -0700 Subject: typo --- flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 228e15a..4544ce4 100644 --- a/flake.nix +++ b/flake.nix 
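Review bot: The smoke test no longer shows that the TLS listener is up: `wait_for_open_port(443)` was dropped and the remaining assertion is `systemctl is-active nginx`, which can hold while the HTTPS server block has failed — the situation that the `security.acme.defaults.server = lib.mkForce "https://127.0.0.1:14000/dir"` override in this commit's config/nix.org hunk makes possible when nothing answers on that port. Since the series is preparing CSP headers via `csp_header.conf`, the cheapest meaningful check is to restore `spontaneity.wait_for_open_port(443)` and, if curl is available in the test node, add `spontaneity.succeed("curl -ksI https://localhost/ | grep -i content-security-policy")`. The two `printf "smoke"` calls exercise nothing and can go. The enclosing `spontaneity-website-test` attribute set starts before the hunk.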
@@ -71,7 +71,7 @@ name = "Spontaneity smoke test"; description = "tests if nginx is active/if the config works."; stages = [ "pre-merge-commit" ]; - entry = '' + entry = "${pkgs.writeShellScript "website-check" '' set -e set -o pipefail trap "echo -e '\nHook interrupted by user. Aborting merge!'; exit 1" INT TERM @@ -90,7 +90,7 @@ if [ $BUILD_STATUS -neq 0 ]; then echo "Failed to build the website with spontaneity!" exit $BUILD_STATUS fi -''; +''}"; pass_filenames = false; }; -- cgit v1.3 From e52cf6c709dff76974580c01761f3a556c7a4883 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 14:39:51 -0700 Subject: add hook --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6fc3ea7..f1e91f2 120000 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1 +1 @@ -/nix/store/wdcgkxxwf6dl5bbjf550ys96hpr97ibw-pre-commit-config.json \ No newline at end of file +/nix/store/b6fyx6fvys0p5r1q237l8kppwwzh1868-pre-commit-config.json \ No newline at end of file -- cgit v1.3