From b88e8b4f8259267ebb0d068df9cd65fd36ca5477 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Tue, 10 Mar 2026 17:12:53 -0700 Subject: prepare for CSP header generation --- config/emacs.org | 22 ++--- config/nix.org | 249 +++++++++++++++++++++++++++---------------------------- 2 files changed, 129 insertions(+), 142 deletions(-) (limited to 'config') diff --git a/config/emacs.org b/config/emacs.org index 2d87907..0b71dbe 100644 --- a/config/emacs.org +++ b/config/emacs.org @@ -104,6 +104,7 @@ Emacs is self documenting, after all! (prettify-symbols-mode)))) :config (require 'tex-site) + (require 'subr-x) (server-start) ;; start wiith sane defaults @@ -173,11 +174,9 @@ This is my org mode configuration, which also configures latex. (content "main" "content") (postamble "footer" "postamble"))) (org-html-head-extra (concat "\n\n\n\n\n\n\n\n\n\n\n" - "")) + "")) (org-latex-to-html-convert-command "printf '%%s' %i | pandoc -f latex -t html --mathml | tr -d '\\n' | sed -e 's/^

//' -e 's/<\\/p>$//'") (org-html-viewport '((width "device-width") @@ -198,7 +197,7 @@ This is my org mode configuration, which also configures latex. :html-preamble-format (("en" "

home | section main page

"))) ("website-static" :base-directory "~/monorepo" - :base-extension "css\\|js\\|png\\|jpg\\|gif\\|pdf\\|mp3\\|ogg\\|swf\\|ico\\|asc\\|pub\\|webmanifest\\|xml\\|svg\\|txt\\|webp" + :base-extension "css\\|js\\|png\\|jpg\\|gif\\|pdf\\|mp3\\|ogg\\|swf\\|ico\\|asc\\|pub\\|webmanifest\\|xml\\|svg\\|txt\\|webp\\|conf" :publishing-directory "~/website_html/" :recursive t :publishing-function org-publish-attachment) @@ -327,7 +326,6 @@ First, some small configurations and some evil-mode initilaization because I lik (define-key evil-motion-state-map (kbd "TAB") nil)) (evil-collection-init)) - (use-package evil-commentary :after (evil) :config @@ -647,16 +645,6 @@ emacs keybindings. ** LLM I use LLMs in order to help me come up with ideas. I use a local LLM so that I can have a competitive LLM that doesn't cost money. -#+begin_src emacs-lisp :tangle ../nix/init.el - ;; (use-package ellama - ;; :custom - ;; (ellama-sessions-directory "~/org/ellama/" "Set org directory for LLM sessions") - ;; :init - ;; (require 'llm-ollama) - ;; (setopt ellama-provider (make-llm-ollama - ;; :host "localhost" - ;; :chat-model "qwen2.5:14b"))) -#+end_src *** Minuet Minuet does my code completion, showing the potential code completion as a ghost and automatically completing the code when my cursor is still. It is kind of like copilot but it works with local LLMs, which is better. Though, it's obviously not always the most accurate. diff --git a/config/nix.org b/config/nix.org index a32c14d..dc2c823 100644 --- a/config/nix.org +++ b/config/nix.org @@ -202,7 +202,7 @@ and now for the main flake: fi echo "Merge to main detected. Building VM for ${hostname}..." if nix build .#nixosConfigurations.${hostname}.config.system.build.vm --no-link; then - echo "Build succeeded. Proceeding with merge." + echo "Build succeeded." exit 0 else echo "Build failed! Aborting." @@ -227,10 +227,6 @@ and now for the main flake: serviceName = "sshd"; enabled = super.services.openssh.enable; } - # { - # serviceName = "conduit"; - # enabled = super.services.matrix-conduit.enable; - # } { serviceName = "git-daemon"; enabled = super.services.gitDaemon.enable; @@ -333,14 +329,35 @@ and now for the main flake: devShell."${system}" = with pkgs; mkShell { buildInputs = [ fira-code - python3 - poetry statix deadnix + (python3.withPackages (ps: with ps; [ + octodns + octodns-providers.cloudflare + octodns-providers.bind + ])) ]; shellHook = '' ${pre-commit-check.shellHook} git config branch.main.mergeoptions "--no-ff" + + CURRENT_HOST="$(hostname)" + + TARGET_USER_RAW=$(nix eval .#nixosConfigurations."$CURRENT_HOST".config.home-manager.users --apply "u: builtins.head (builtins.attrNames u)" --raw 2>/dev/null) + + TARGET_USER=$(echo "$TARGET_USER_RAW" | xargs) + SOPS_BASE=$(nix eval .#nixosConfigurations."$CURRENT_HOST".config.home-manager.users."$TARGET_USER".sops.defaultSymlinkPath --raw 2>/dev/null) + + if [ -n "$SOPS_BASE" ] && [ -f "$SOPS_BASE/cloudflare-dns" ]; then + export CLOUDFLARE_TOKEN="$(cat "$SOPS_BASE/cloudflare-dns" | tr -d '\n')" + echo "Authenticated via sops-nix for host: $CURRENT_HOST" + else + echo "Could not resolve sops path for $CURRENT_HOST or secret is missing. Set CLOUDFLARE_TOKEN manually." + fi + + alias update-dns="octodns-sync --config-file ${self.packages."${system}".octodns} --doit --force" + alias fake-update-dns="octodns-sync --config-file ${self.packages."${system}".octodns} --force " + alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d' ''; }; @@ -468,7 +485,7 @@ graph by running ~nix build .#topology.x86_64-linux.config.output~. Variables used for regular configuration in your system ~default.nix~ file. The options are largely self-documenting. #+begin_src nix :tangle ../nix/modules/vars.nix - { lib, ... }: + { config, lib, ... }: let vars = import ../flakevars.nix; in @@ -591,6 +608,13 @@ largely self-documenting. description = "Name of Ntfy secret for notification handling"; }; + ntfyUrl = lib.mkOption { + type = lib.types.str; + default = "ntfy.${config.monorepo.vars.remoteHost}"; + example = "ntfy.nullring.xyz"; + description = "Name of ntfy server"; + }; + monitors = lib.mkOption { type = lib.types.listOf lib.types.str; default = [ @@ -612,11 +636,12 @@ Again, these are self documenting variables that you may see used below. These a under ~default.nix~ in the ~systems~ folder. #+begin_src nix :tangle ../nix/modules/default.nix { lib, config, pkgs, ... }: + let + dirContents = builtins.readDir ./.; + files = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name && name != "default.nix") dirContents; + in { - imports = [ - ./configuration.nix - ./vars.nix - ]; + imports = lib.mapAttrsToList (name: _: ./. + "/${name}") files; options = { monorepo = { @@ -708,14 +733,6 @@ to relevant places. templates = if config.monorepo.profiles.server.enable then { - "public-inbox-netrc" = { - owner = "public-inbox"; - group = "public-inbox"; - mode = "0400"; - content = (builtins.concatStringsSep "\n" (builtins.map (x: "machine mail.${config.monorepo.vars.orgHost} login ${x}@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}") config.monorepo.vars.projects)) + '' - machine mail.${config.monorepo.vars.orgHost} login discussion@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}''; - }; - "matterbridge" = { owner = "matterbridge"; content = '' @@ -1017,7 +1034,6 @@ This is an internet radio which will host a ton of music. ''; }; - admin.password = "changeme"; } #+end_src ** IRC @@ -1356,15 +1372,15 @@ This is a basic ActivityPub server. #+end_src ** TODO matrix-appservice-irc #+begin_src nix :tangle ../nix/modules/matrix-appservice-irc.nix - { lib, config, ... }: + { ... }: { - enable = lib.mkDefault config.monorepo.profiles.server.enable; - registrationUrl = "localhost"; + # enable = lib.mkDefault config.monorepo.profiles.server.enable; + # registrationUrl = "localhost"; - settings = { - homeserver.url = "https://matrix.nullring.xyz"; - homserver.domain = "matrix.nullring.xyz"; - }; + # settings = { + # homeserver.url = "https://matrix.nullring.xyz"; + # homserver.domain = "matrix.nullring.xyz"; + # }; } #+end_src ** Gitolite @@ -1598,7 +1614,7 @@ I want to have notifications on my phone, and run my own server to do this. #+begin_src nix :tangle ../nix/modules/ntfy-sh.nix { pkgs, lib, config, ... }: let - serverName = "ntfy.${config.monorepo.vars.remoteHost}"; + serverName = "${config.monorepo.vars.ntfyUrl}"; port = 2586; ntfySecret = config.monorepo.vars.ntfySecret; in @@ -1701,16 +1717,21 @@ to the outside world under a domain. enableACME = true; locations."/" = { extraConfig = '' - add_header Cache-Control "no-cache, must-revalidate"; - expires off; + add_header Cache-Control "no-cache, must-revalidate"; + expires off; ''; }; + locations."~* \\.(?:woff2|ttf|otf|eot|woff|ico|css|js|gif|jpe?g|png|svg|mp3|mp4|iso|webmanifest)$" = { extraConfig = '' - add_header Cache-Control "public, max-age=31536000, immutable"; - access_log off; + add_header Cache-Control "public, max-age=31536000, immutable"; + access_log off; ''; }; + extraConfig = '' + include ${monorepoSelf.packages.${pkgs.system}.website}/csp_headers.conf; + rewrite ^/graph_view/?(.*)$ https://graph.${config.monorepo.vars.remoteHost}/$1 permanent; + ''; }; # the port comes from ssh tunnelling @@ -1738,6 +1759,20 @@ to the outside world under a domain. addSSL = true; enableACME = true; }; + + "graph.${config.monorepo.vars.remoteHost}" = lib.mkIf (monorepoSelf != null) { + serverName = "graph.${config.monorepo.vars.remoteHost}"; + root = "${monorepoSelf.packages.${pkgs.system}.website}"; + addSSL = true; + enableACME = true; + locations."/" = { + extraConfig = "rewrite ^/$ /graph_view/index.html break;"; + }; + + extraConfig = '' + add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none';"; + ''; + }; }; }; @@ -1747,6 +1782,8 @@ to the outside world under a domain. "${config.monorepo.vars.remoteHost}" = {}; "${config.monorepo.vars.orgHost}" = {}; "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" = {}; + "music.${config.monorepo.vars.remoteHost}" = {}; + "graph.${config.monorepo.vars.remoteHost}" = {}; }; } #+end_src @@ -1837,10 +1874,21 @@ There is a non declarative part of setting dkims and spf. password_path = "mail_monorepo_password"; in { - sops.secrets = lib.mkIf config.services.maddy.enable { - "${password_path}" = lib.mkIf config.services.maddy.enable { - format = "yaml"; - owner = "maddy"; + sops = lib.mkIf config.services.maddy.enable { + secrets = { + "${password_path}" = { + format = "yaml"; + owner = "maddy"; + }; + }; + templates = lib.mkIf config.services.public-inbox.enable { + "public-inbox-netrc" = { + owner = "public-inbox"; + group = "public-inbox"; + mode = "0400"; + content = (builtins.concatStringsSep "\n" (builtins.map (x: "machine ${emailServerName} login ${x}@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}") config.monorepo.vars.projects)) + '' + machine ${emailServerName} login discussion@${config.monorepo.vars.orgHost} password ${config.sops.placeholder."mail_monorepo_password_pi"}''; + }; }; }; @@ -1895,18 +1943,16 @@ There is a non declarative part of setting dkims and spf. ''; serviceConfig = { - # Allow the service to see the file it just created BindPaths = [ "/var/lib/public-inbox" "${config.users.users.git.home}" ]; ReadOnlyPaths = [ "/var/lib/public-inbox/style.css" ]; - # Ensure it can actually write to the directory during preStart ReadWritePaths = [ "/var/lib/public-inbox" ]; }; } else {}; - systemd.services.public-inbox-watch = if config.monorepo.profiles.server.enable then { + systemd.services.public-inbox-watch = if config.services.public-inbox.enable then { after = [ "sops-nix.service" ]; confinement.enable = lib.mkForce false; preStart = '' @@ -1936,7 +1982,7 @@ There is a non declarative part of setting dkims and spf. } else {}; services.public-inbox = { - enable = lib.mkDefault config.monorepo.profiles.server.enable; + enable = lib.mkDefault config.services.maddy.enable; settings = { coderepo = lib.genAttrs config.monorepo.vars.projects (name: { dir = "${config.users.users.git.home}/${name}.git"; @@ -2333,35 +2379,6 @@ because they enhance security. vmHosts = map (dom: "127.0.0.1 ${dom}") allDomains; in { - imports = [ - ./cgit.nix - ./public_inbox.nix - ./matterbridge.nix - ./mautrix.nix - ./xserver.nix - ./ssh.nix - ./pipewire.nix - ./tor.nix - ./kubo.nix - ./nvidia.nix - ./cuda.nix - ./nginx.nix - ./secrets.nix - ./git-daemon.nix - ./ollama.nix - ./i2pd.nix - ./conduit.nix - ./bitcoin.nix - ./ngircd.nix - ./znc.nix - ./docker.nix - ./impermanence.nix - ./maddy.nix - ./ntfy-sh.nix - ./fail2ban.nix - ./nixpkgs-options.nix - ]; - environment.etc."wpa_supplicant.conf".text = '' country=CA ''; @@ -2925,10 +2942,13 @@ This is all configuration common to any GPT partitioned drive. I dynamically cho *** ESP Boot Partition #+begin_src nix :tangle ../nix/disko/esp-boot.nix { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "umask=0077" ]; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; } #+end_src *** Btrfs @@ -2936,10 +2956,8 @@ This is a fully featured drive configuration and the recommended configuration t Btrfs enables you to enable impermanence and also encrypt the drive with ~/tmp/secret.key~. #+begin_src nix :tangle ../nix/disko/btrfs.nix { - ESP = { + ESP = (import ./esp-boot.nix) // { size = "512M"; - type = "EF00"; - content = import ./esp-boot.nix; }; luks = { size = "100%"; @@ -2993,11 +3011,9 @@ This configuration is used for simple partitioning schemes with EFI. A simple ex should be using EFI if you can. #+begin_src nix :tangle ../nix/disko/ext4.nix { - ESP = { - type = "EF00"; + ESP = (import ./esp-boot.nix) // { size = "500M"; priority = 1; - content = import ./esp-boot.nix; }; root = { size = "100%"; @@ -3042,31 +3058,14 @@ As you can see, I have my installed home packages installed based on the profile I have many imports that we'll go through next. #+begin_src nix :tangle ../nix/modules/home/default.nix { lib, config, pkgs, sops-nix, super, ... }: + let + dirContents = builtins.readDir ./.; + files = lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name && name != "default.nix" && name != "emacs-packages.nix") dirContents; + in { imports = [ sops-nix.homeManagerModules.sops - ../vars.nix - ./fcitx.nix - ./emacs.nix - ./firefox.nix - ./git.nix - ./hyprland.nix - ./mpv.nix - ./yt-dlp.nix - ./wofi.nix - ./kitty.nix - ./waybar.nix - ./zsh.nix - ./mbsync.nix - ./msmtp.nix - ./gammastep.nix - ./mpd.nix - ./mako.nix - ./user.nix - ./gtk.nix - ./secrets.nix - ./pantalaimon.nix - ]; + ] ++ lib.mapAttrsToList (name: _: ./. + "/${name}") files; options = { monorepo.profiles = { @@ -3869,15 +3868,15 @@ just set the options to the ones you want in your system ~default.nix~. This mpd configuration uses pipewire by default, and it should just work if you place music in the ~~/music~ directory and then run ~mpc add /~ afterwards. #+begin_src nix :tangle ../nix/modules/home/mpd.nix - { lib, config, ... }: + { lib, config, super, ... }: { services.mpd = { enable = lib.mkDefault config.monorepo.profiles.music.enable; - dbFile = "/home/${config.monorepo.vars.userName}/.config/mpd/db"; - dataDir = "/home/${config.monorepo.vars.userName}/.config/mpd/"; + dbFile = "/home/${super.monorepo.vars.userName}/.config/mpd/db"; + dataDir = "/home/${super.monorepo.vars.userName}/.config/mpd/"; network.port = 6600; - musicDirectory = "/home/${config.monorepo.vars.userName}/music"; - playlistDirectory = "/home/${config.monorepo.vars.userName}/.config/mpd/playlists"; + musicDirectory = "/home/${super.monorepo.vars.userName}/music"; + playlistDirectory = "/home/${super.monorepo.vars.userName}/.config/mpd/playlists"; network.listenAddress = "0.0.0.0"; extraConfig = '' audio_output { @@ -3965,7 +3964,7 @@ here: This is the bar I use for my hyprland configuration. You will need to adjust the monitors field in the ~default.nix~ for it to really appear. #+begin_src nix :tangle ../nix/modules/home/waybar.nix - { lib, config, ... }: + { lib, config, super, ... }: { programs.waybar = { enable = lib.mkDefault config.monorepo.profiles.hyprland.enable; @@ -4221,7 +4220,7 @@ in the ~default.nix~ for it to really appear. position = "top"; height = 50; - output = config.monorepo.vars.monitors; + output = super.monorepo.vars.monitors; modules-left = [ "hyprland/workspaces" ]; modules-center = [ "hyprland/window" ]; @@ -4475,7 +4474,7 @@ A classic program that allows you to download from youtube. Also has integration My zsh config has some useful aliases that one should read through. Otherwise it is pretty standard. #+begin_src nix :tangle ../nix/modules/home/zsh.nix - { config, pkgs, systemHostName, ... }: + { pkgs, systemHostName, super, ... }: { programs.zsh = { enable = true; @@ -4510,9 +4509,9 @@ standard. build-installer = "nix build $HOME/monorepo/nix#nixosConfigurations.installer.config.system.build.isoImage"; rb = "sudo nixos-rebuild switch --flake $HOME/monorepo/nix#${systemHostName}"; nfu = "cd ~/monorepo/nix && git add . && git commit -m \"new flake lock\" && nix flake update"; - usync = "rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/monorepo/result/ root@${config.monorepo.vars.remoteHost}:/var/www/${config.monorepo.vars.internetName}-website/"; + usync = "rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/monorepo/result/ root@${super.monorepo.vars.remoteHost}:/var/www/${super.monorepo.vars.internetName}-website/"; usite - = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${config.monorepo.vars.remoteHost}:/var/www/${config.monorepo.vars.internetName}-website/"; + = "cd ~/src/publish-org-roam-ui && bash local.sh && rm -rf ~/website_html/graph_view; cp -r ~/src/publish-org-roam-ui/out ~/website_html/graph_view && rsync -azvP --chmod=\"Du=rwx,Dg=rx,Do=rx,Fu=rw,Fg=r,Fo=r\" ~/website_html/ root@${super.monorepo.vars.remoteHost}:/var/www/${super.monorepo.vars.internetName}-website/"; sai = "eval \"$(ssh-agent -s)\" && ssh-add ~/.ssh/id_ed25519 && ssh-add -l"; }; loginExtra = '' @@ -4528,33 +4527,33 @@ This configuration is the backbone configuration for the default user. It specif generally useful packages and something every home should have, as well as some dependencies for these configurations. #+begin_src nix :tangle ../nix/modules/home/user.nix - { lib, config, pkgs, ... }: + { lib, config, pkgs, super, ... }: { home = { activation.startup-files = lib.hm.dag.entryAfter [ "installPackages" ] '' - if [ ! -d "/home/${config.monorepo.vars.userName}/email/${config.monorepo.vars.internetName}/" ]; then - mkdir -p /home/${config.monorepo.vars.userName}/email/${config.monorepo.vars.internetName}/ + if [ ! -d "/home/${super.monorepo.vars.userName}/email/${super.monorepo.vars.internetName}/" ]; then + mkdir -p /home/${super.monorepo.vars.userName}/email/${super.monorepo.vars.internetName}/ fi - if [ ! -d "/home/${config.monorepo.vars.userName}/music" ]; then - mkdir -p /home/${config.monorepo.vars.userName}/music + if [ ! -d "/home/${super.monorepo.vars.userName}/music" ]; then + mkdir -p /home/${super.monorepo.vars.userName}/music fi - if [ ! -d /home/${config.monorepo.vars.userName}/org ]; then - mkdir -p /home/${config.monorepo.vars.userName}/org + if [ ! -d /home/${super.monorepo.vars.userName}/org ]; then + mkdir -p /home/${super.monorepo.vars.userName}/org fi - if [ ! -d /home/${config.monorepo.vars.userName}/src ]; then - mkdir -p /home/${config.monorepo.vars.userName}/src + if [ ! -d /home/${super.monorepo.vars.userName}/src ]; then + mkdir -p /home/${super.monorepo.vars.userName}/src fi - touch /home/${config.monorepo.vars.userName}/org/agenda.org - touch /home/${config.monorepo.vars.userName}/org/notes.org + touch /home/${super.monorepo.vars.userName}/org/agenda.org + touch /home/${super.monorepo.vars.userName}/org/notes.org ''; enableNixpkgsReleaseCheck = false; - username = config.monorepo.vars.userName; - homeDirectory = "/home/${config.monorepo.vars.userName}"; + username = super.monorepo.vars.userName; + homeDirectory = "/home/${super.monorepo.vars.userName}"; stateVersion = "24.11"; packages = with pkgs; (if config.monorepo.profiles.graphics.enable then [ -- cgit v1.3 From c8d23ac96f8a2204a96ee0abd4bce231c0ef84fd Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Tue, 10 Mar 2026 20:17:57 -0700 Subject: maybe test works? --- config/nix.org | 4 ++++ flake.nix | 41 +++++++++++++++++++++++++++++++++++++++++ nix | 2 +- 3 files changed, 46 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/nix.org b/config/nix.org index dc2c823..1939a28 100644 --- a/config/nix.org +++ b/config/nix.org @@ -308,6 +308,10 @@ and now for the main flake: }; in { + lib = { + inherit mkHostModules; + }; + checks."${system}" = integrationTests // { inherit pre-commit-check; }; diff --git a/flake.nix b/flake.nix index ad7a690..09c8ea9 100644 --- a/flake.nix +++ b/flake.nix @@ -66,6 +66,15 @@ src = ./.; hooks = { deadnix.enable = true; + test-spontaneity-vm-with-site = { + enable = true; + name = "spontaneity-vm"; + description = "test boot the spontaneity vm to check nginx config. Required test as we inject monorepoSelf variable."; + stages = [ "pre-merge-commit" ]; + entry = "${pkgs.writeShellScript "website-check" '' +nix build .#spontaneity +''}"; + }; website-build-check = { enable = true; name = "website-build"; @@ -318,6 +327,38 @@ sha256sum installer.iso > installer.iso.sha256 checks."${system}" = { build-website = website; + spontaneity-website-test = pkgs.testers.runNixOSTest { + name = "spontaneity-website-test"; + + node.specialArgs = { + monorepoSelf = self; + isIntegrationTest = true; + }; + + nodes."spontaneity" = { lib, ... }: { + imports = nixmacs.lib.mkHostModules "spontaneity" ++ [ + "${nixpkgs}/nixos/modules/misc/nixpkgs/read-only.nix" + { + nixpkgs.pkgs = lib.mkVMOverride self.nixosConfigurations.spontaneity.pkgs; + nixpkgs.config = lib.mkForce {}; + systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; + systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; + nixpkgs.overlays = lib.mkForce []; + } + ]; + disabledModules = [ + "${nixmacs}/systems/spontaneity/hardware-configuration.nix" + ]; + }; + + testScript = '' +spontaneity.start() +spontaneity.wait_for_unit("nginx.service") +spontaneity.wait_for_open_port(443) +spontaneity.succeed("systemctl is-active nginx") +spontaneity.succeed("echo 'smoke'") + ''; + }; }; packages."${system}" = { diff --git a/nix b/nix index 44521f8..2cae1e9 160000 --- a/nix +++ b/nix @@ -1 +1 @@ -Subproject commit 44521f898a8e71361e81d42adca748964a457f31 +Subproject commit 2cae1e9468fcead554f54672fc2250ec31769f1f -- cgit v1.3 From 4d26df871ea076e892d7691e2f6cba5068e82c99 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 00:31:22 -0700 Subject: add hooks --- .pre-commit-config.yaml | 2 +- config/emacs.org | 25 +++++++++---------------- flake.nix | 25 +++++++++++++++++++------ 3 files changed, 29 insertions(+), 23 deletions(-) (limited to 'config') diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5372f74..d1c0e1d 120000 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1 +1 @@ -/nix/store/sl54l2pqgb5ysmpd1qn500hrm61zk2i7-pre-commit-config.json \ No newline at end of file +/nix/store/1gjsgdiq4mwrd8i3a1kz44s7l8nw2n37-pre-commit-config.json \ No newline at end of file diff --git a/config/emacs.org b/config/emacs.org index 0b71dbe..d262138 100644 --- a/config/emacs.org +++ b/config/emacs.org @@ -107,7 +107,7 @@ Emacs is self documenting, after all! (require 'subr-x) (server-start) - ;; start wiith sane defaults + ;; start with sane defaults (pixel-scroll-precision-mode 1) (display-battery-mode 1) (display-time-mode 1) @@ -165,20 +165,20 @@ This is my org mode configuration, which also configures latex. (org-pretty-entities t "prettify org mode") (org-agenda-files (list "~/monorepo/agenda.org" "~/org/notes.org" "~/org/agenda.org") "set default org files") (org-default-notes-file (concat org-directory "/notes.org") "Notes file") - (org-html-with-latex 'html) - (org-html-mathjax-options nil) - (org-html-mathjax-template "") - (org-html-head-include-default-style nil) ; Clear Org's default CSS - (org-html-head-include-scripts nil) ; Clear Org's default JS + (org-html-with-latex 'html "let my html handler handle latex") + (org-html-mathjax-options nil "disable mathjax, use MathML") + (org-html-mathjax-template "" "disable mathjax, use MathML") + (org-html-head-include-default-style nil "use my own css for everything") + (org-html-head-include-scripts nil "use my own js for everything") (org-html-divs '((preamble "header" "preamble") (content "main" "content") - (postamble "footer" "postamble"))) + (postamble "footer" "postamble")) "semantic html exports") (org-html-head-extra (concat "\n\n\n\n\n\n\n\n\n\n\n" "")) + "") "add all these different headers for performance and compliance") (org-latex-to-html-convert-command - "printf '%%s' %i | pandoc -f latex -t html --mathml | tr -d '\\n' | sed -e 's/^

//' -e 's/<\\/p>$//'") + "printf '%%s' %i | pandoc -f latex -t html --mathml | tr -d '\\n' | sed -e 's/^

//' -e 's/<\\/p>$//'" "latex to MathML with special character handling") (org-html-viewport '((width "device-width") (initial-scale "1.0") (minimum-scale "1.0")) "Prevent zooming out past default size") @@ -408,13 +408,6 @@ Org superstar adds those nice looking utf-8 bullets: ** LSP We set up eglot, the LSP manager for emacs, now built in: #+begin_src emacs-lisp :tangle ../nix/init.el - ;; (use-package eglot - ;; :hook - ;; (prog-mode . eglot-ensure) - ;; (nix-mode . eglot-ensure) - ;; :config - ;; (add-to-list 'eglot-server-programs '(nix-mode . ("nil")))) - (use-package lsp :hook (prog-mode . lsp)) diff --git a/flake.nix b/flake.nix index 09c8ea9..a524c32 100644 --- a/flake.nix +++ b/flake.nix @@ -66,15 +66,28 @@ src = ./.; hooks = { deadnix.enable = true; - test-spontaneity-vm-with-site = { + spontaneity-smoke-test = { enable = true; - name = "spontaneity-vm"; - description = "test boot the spontaneity vm to check nginx config. Required test as we inject monorepoSelf variable."; + name = "Spontaneity smoke test"; + description = "tests if nginx is active/if the config works."; stages = [ "pre-merge-commit" ]; - entry = "${pkgs.writeShellScript "website-check" '' -nix build .#spontaneity -''}"; + entry = '' +set -e +set -o pipefail +trap "echo -e '\nHook interrupted by user. Aborting merge!'; exit 1" INT TERM + +BRANCH=$(git branch --show-current) +if [ "$BRANCH" != "main" ]; then + exit 0 +fi + +set +e +nix build .#checks.${system}.spontaneity-website-test --no-link +set -e +''; + pass_filenames = false; }; + website-build-check = { enable = true; name = "website-build"; -- cgit v1.3 From 699dcef30fc987ab0de9f6068de3999163b04e93 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 01:11:12 -0700 Subject: new stuff --- config/nix.org | 1 - flake.nix | 7 ++++--- nix | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'config') diff --git a/config/nix.org b/config/nix.org index 1939a28..89928d5 100644 --- a/config/nix.org +++ b/config/nix.org @@ -2738,7 +2738,6 @@ because they enhance security. programs = { nix-ld.enable = true; zsh.enable = true; - light.enable = true; ssh.enableAskPassword = false; }; diff --git a/flake.nix b/flake.nix index a524c32..7c309c8 100644 --- a/flake.nix +++ b/flake.nix @@ -346,7 +346,7 @@ sha256sum installer.iso > installer.iso.sha256 node.specialArgs = { monorepoSelf = self; isIntegrationTest = true; - }; + } // nixmacs.inputs; nodes."spontaneity" = { lib, ... }: { imports = nixmacs.lib.mkHostModules "spontaneity" ++ [ @@ -359,8 +359,9 @@ sha256sum installer.iso > installer.iso.sha256 nixpkgs.overlays = lib.mkForce []; } ]; - disabledModules = [ - "${nixmacs}/systems/spontaneity/hardware-configuration.nix" + disabledModules = [ + "${self}/nix/modules/nixpkgs-options.nix" + "${self}/nix/systems/spontaneity/hardware-configuration.nix" ]; }; diff --git a/nix b/nix index db63be0..202612a 160000 --- a/nix +++ b/nix @@ -1 +1 @@ -Subproject commit db63be0ac07cd5c2dad8f316250c6a6115f21c63 +Subproject commit 202612ad3fabefa274423bb24f955157b9a290a0 -- cgit v1.3 From 0e86238729b06b83bf2c518da90abeb25c1b2cc1 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 14:36:32 -0700 Subject: smoke test passes --- config/nix.org | 5 ++++- flake.nix | 6 +++--- nix | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-) (limited to 'config') diff --git a/config/nix.org b/config/nix.org index 89928d5..c355ba5 100644 --- a/config/nix.org +++ b/config/nix.org @@ -1733,7 +1733,7 @@ to the outside world under a domain. ''; }; extraConfig = '' - include ${monorepoSelf.packages.${pkgs.system}.website}/csp_headers.conf; + include ${monorepoSelf.packages.${pkgs.system}.website}/csp_header.conf; rewrite ^/graph_view/?(.*)$ https://graph.${config.monorepo.vars.remoteHost}/$1 permanent; ''; }; @@ -2396,6 +2396,7 @@ because they enhance security. memoryPercent = 50; }; + # Shim for testing virtualisation.vmVariant = { sops.validateSopsFiles = false; disko.devices = lib.mkForce {}; @@ -2424,6 +2425,8 @@ because they enhance security. systemd.services.sops-nix = { unitConfig.RequiresMountsFor = "/home/preston/.config/sops/age"; }; + + security.acme.defaults.server = lib.mkForce "https://127.0.0.1:14000/dir"; }; documentation = { diff --git a/flake.nix b/flake.nix index 17ff339..228e15a 100644 --- a/flake.nix +++ b/flake.nix @@ -373,10 +373,10 @@ sha256sum installer.iso > installer.iso.sha256 testScript = '' spontaneity.start() -spontaneity.wait_for_unit("nginx.service") -spontaneity.wait_for_open_port(443) +spontaneity.succeed('printf "smoke"') +spontaneity.wait_for_unit("default.target") spontaneity.succeed("systemctl is-active nginx") -spontaneity.succeed("echo 'smoke'") +spontaneity.succeed('printf "smoke again"') ''; }; }; diff --git a/nix b/nix index 202612a..7185f3f 160000 --- a/nix +++ b/nix @@ -1 +1 @@ -Subproject commit 202612ad3fabefa274423bb24f955157b9a290a0 +Subproject commit 7185f3f185bbfe594dbf11a31a2e7d78d5b72f09 -- cgit v1.3