From b88e8b4f8259267ebb0d068df9cd65fd36ca5477 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Tue, 10 Mar 2026 17:12:53 -0700 Subject: prepare for CSP header generation --- flake.nix | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) (limited to 'flake.nix') diff --git a/flake.nix b/flake.nix index 8d66f68..57e70b9 100644 --- a/flake.nix +++ b/flake.nix @@ -56,6 +56,8 @@ ntfyFile = affinity.config.monorepo.vars.ntfySecret; + ntfyHost = "https://${spontaneity.config.monorepo.vars.ntfyUrl}"; + topology = nixmacs.topology.x86_64-linux.config.output; pre-commit-check = git-hooks.lib.${system}.run { @@ -68,14 +70,15 @@ description = "Ensure website can build, and tests links"; stages = [ "pre-merge-commit" ]; entry = "${pkgs.writeShellScript "website-check" '' -set -e -set -o pipefail +set -e +set -o pipefail trap "echo -e '\nHook interrupted by user. Aborting merge!'; exit 1" INT TERM BRANCH=$(git branch --show-current) if [ "$BRANCH" != "main" ]; then exit 0 fi + RESULT_PATH=$(nix build .#website --no-link --print-out-paths) if [ -d "$RESULT_PATH" ]; then echo "Running lychee link check..." @@ -85,11 +88,11 @@ if [ -d "$RESULT_PATH" ]; then --no-progress \ "$RESULT_PATH/**/*.html" - curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks done!" https://ntfy.ret2pop.net/ci-build + curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks done!" ${ntfyHost}/ci-build else echo "Website build failed, skipping lychee." - curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks failed!" https://ntfy.ret2pop.net/ci-build + curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks failed!" ${ntfyHost}/ci-build exit 1 fi ''}"; @@ -185,9 +188,18 @@ mkdir -p $HOME/monorepo cp -a . $HOME/monorepo/ cd $HOME/monorepo mkdir -p mindmap/img + rsass style.scss | minify --type=css > style.css minify --type=css -o syntax.css syntax.css +# I want to do this so I can generate the CSP policy carefully +cat style.css syntax.css > combined.css + +CSS_HASH=$(openssl dgst -sha256 -binary combined.css | openssl base64) +cat < csp_header.conf +add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'sha256-$CSS_HASH'; font-src 'self';"; +EOF + cat < $TMPDIR/policy.xml @@ -296,7 +308,7 @@ ${pre-commit-check.shellHook} git config branch.main.mergeoptions "--no-ff" alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d' alias serve='cd result; python3 -m http.server 10005' -alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "Website build done!" https://ntfy.ret2pop.net/ci-build' +alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "Website build done!" ${ntfyHost}/ci-build' ''; buildInputs = [ deadnix @@ -305,6 +317,7 @@ alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}: miniserve rsass imagemagickBig + google-lighthouse ]; }; }; -- cgit v1.3 From 72d9b0f77016ff0058a2bda873c7bd71caa8649e Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Tue, 10 Mar 2026 18:41:22 -0700 Subject: add csp hash test --- flake.nix | 52 +++++++++++++++++++++++++++++++++++++------------- tests/test-csp-hash.py | 10 ++++++++++ 2 files changed, 49 insertions(+), 13 deletions(-) create mode 100644 tests/test-csp-hash.py (limited to 'flake.nix') diff --git a/flake.nix b/flake.nix index 57e70b9..ad7a690 100644 --- a/flake.nix +++ b/flake.nix @@ -60,6 +60,8 @@ topology = nixmacs.topology.x86_64-linux.config.output; + mkNotification = msg: ''curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "${msg}" ${ntfyHost}/ci-build''; + pre-commit-check = git-hooks.lib.${system}.run { src = ./.; hooks = { @@ -79,20 +81,41 @@ if [ "$BRANCH" != "main" ]; then exit 0 fi +set +e RESULT_PATH=$(nix build .#website --no-link --print-out-paths) -if [ -d "$RESULT_PATH" ]; then - echo "Running lychee link check..." - ${pkgs.lychee}/bin/lychee --root-dir "$RESULT_PATH" \ - --offline \ - --verbose \ - --no-progress \ - "$RESULT_PATH/**/*.html" - - curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks done!" ${ntfyHost}/ci-build -else - echo "Website build failed, skipping lychee." +BUILD_STATUS=$? +set -e - curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "CI checks failed!" ${ntfyHost}/ci-build +if [ $BUILD_STATUS -eq 0 ] && [ -d "$RESULT_PATH" ]; then + echo "Running lychee link check..." + set +e + ${pkgs.lychee}/bin/lychee --root-dir "$RESULT_PATH" \ + --offline \ + --verbose \ + --no-progress \ + "$RESULT_PATH/**/*.html" + LYCHEE_STATUS=$? + set -e + + if [ $LYCHEE_STATUS -ne 0 ]; then + echo "Lychee found broken links!" + ${mkNotification "CI checks failed: Broken links!"} + exit 1 + fi + + INJECT_HASH="$(python3 tests/test-csp-hash.py "$RESULT_PATH/index.html")" + CSS_HASH="$(openssl dgst -sha256 -binary "$RESULT_PATH/combined.css" | openssl base64)" + + if [ "$INJECT_HASH" != "$CSS_HASH" ]; then + echo "Security headers test failed!" + ${mkNotification "CI checks failed: CSP hash mismatch!"} + exit 1 + fi + + ${mkNotification "CI checks done!"} +else + echo "Website build failed, skipping lychee and CSP tests." + ${mkNotification "CI checks failed!"} exit 1 fi ''}"; @@ -165,6 +188,7 @@ fi pkgs.rsass pkgs.minify pkgs.woff2 + pkgs.openssl (pkgs.texlive.combine { inherit (pkgs.texlive) @@ -308,7 +332,7 @@ ${pre-commit-check.shellHook} git config branch.main.mergeoptions "--no-ff" alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d' alias serve='cd result; python3 -m http.server 10005' -alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}:$(grep ADMIN_PASSWORD "${secretsPath}/${ntfyFile}" | cut -d "\"" -f 2)" -d "Website build done!" ${ntfyHost}/ci-build' +alias build='nix build .#website && ${mkNotification "CI build done!"} ' ''; buildInputs = [ deadnix @@ -318,6 +342,8 @@ alias build='nix build .#website && curl -H "Priority: max" -u "${internetName}: rsass imagemagickBig google-lighthouse + openssl + git ]; }; }; diff --git a/tests/test-csp-hash.py b/tests/test-csp-hash.py new file mode 100644 index 0000000..8401979 --- /dev/null +++ b/tests/test-csp-hash.py @@ -0,0 +1,10 @@ +import sys, re, hashlib, base64 +html = open(sys.argv[1]).read() +match = re.search(r']*>(.*?)', html, re.DOTALL | re.IGNORECASE) +if match: + content = match.group(1).encode('utf-8') + print(base64.b64encode(hashlib.sha256(content).digest()).decode()) + exit(0) +else: + print('Error: Still could not find a ")) + "") "add all these different headers for performance and compliance") (org-latex-to-html-convert-command - "printf '%%s' %i | pandoc -f latex -t html --mathml | tr -d '\\n' | sed -e 's/^

//' -e 's/<\\/p>$//'") + "printf '%%s' %i | pandoc -f latex -t html --mathml | tr -d '\\n' | sed -e 's/^

//' -e 's/<\\/p>$//'" "latex to MathML with special character handling") (org-html-viewport '((width "device-width") (initial-scale "1.0") (minimum-scale "1.0")) "Prevent zooming out past default size") @@ -408,13 +408,6 @@ Org superstar adds those nice looking utf-8 bullets: ** LSP We set up eglot, the LSP manager for emacs, now built in: #+begin_src emacs-lisp :tangle ../nix/init.el - ;; (use-package eglot - ;; :hook - ;; (prog-mode . eglot-ensure) - ;; (nix-mode . eglot-ensure) - ;; :config - ;; (add-to-list 'eglot-server-programs '(nix-mode . ("nil")))) - (use-package lsp :hook (prog-mode . lsp)) diff --git a/flake.nix b/flake.nix index 09c8ea9..a524c32 100644 --- a/flake.nix +++ b/flake.nix @@ -66,15 +66,28 @@ src = ./.; hooks = { deadnix.enable = true; - test-spontaneity-vm-with-site = { + spontaneity-smoke-test = { enable = true; - name = "spontaneity-vm"; - description = "test boot the spontaneity vm to check nginx config. Required test as we inject monorepoSelf variable."; + name = "Spontaneity smoke test"; + description = "tests if nginx is active/if the config works."; stages = [ "pre-merge-commit" ]; - entry = "${pkgs.writeShellScript "website-check" '' -nix build .#spontaneity -''}"; + entry = '' +set -e +set -o pipefail +trap "echo -e '\nHook interrupted by user. Aborting merge!'; exit 1" INT TERM + +BRANCH=$(git branch --show-current) +if [ "$BRANCH" != "main" ]; then + exit 0 +fi + +set +e +nix build .#checks.${system}.spontaneity-website-test --no-link +set -e +''; + pass_filenames = false; }; + website-build-check = { enable = true; name = "website-build"; -- cgit v1.3 From 699dcef30fc987ab0de9f6068de3999163b04e93 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 01:11:12 -0700 Subject: new stuff --- config/nix.org | 1 - flake.nix | 7 ++++--- nix | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) (limited to 'flake.nix') diff --git a/config/nix.org b/config/nix.org index 1939a28..89928d5 100644 --- a/config/nix.org +++ b/config/nix.org @@ -2738,7 +2738,6 @@ because they enhance security. programs = { nix-ld.enable = true; zsh.enable = true; - light.enable = true; ssh.enableAskPassword = false; }; diff --git a/flake.nix b/flake.nix index a524c32..7c309c8 100644 --- a/flake.nix +++ b/flake.nix @@ -346,7 +346,7 @@ sha256sum installer.iso > installer.iso.sha256 node.specialArgs = { monorepoSelf = self; isIntegrationTest = true; - }; + } // nixmacs.inputs; nodes."spontaneity" = { lib, ... }: { imports = nixmacs.lib.mkHostModules "spontaneity" ++ [ @@ -359,8 +359,9 @@ sha256sum installer.iso > installer.iso.sha256 nixpkgs.overlays = lib.mkForce []; } ]; - disabledModules = [ - "${nixmacs}/systems/spontaneity/hardware-configuration.nix" + disabledModules = [ + "${self}/nix/modules/nixpkgs-options.nix" + "${self}/nix/systems/spontaneity/hardware-configuration.nix" ]; }; diff --git a/nix b/nix index db63be0..202612a 160000 --- a/nix +++ b/nix @@ -1 +1 @@ -Subproject commit db63be0ac07cd5c2dad8f316250c6a6115f21c63 +Subproject commit 202612ad3fabefa274423bb24f955157b9a290a0 -- cgit v1.3 From 90c57b64ed82a940dea155161e0833040f540963 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 01:22:15 -0700 Subject: hooks --- .pre-commit-config.yaml | 2 +- flake.nix | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) (limited to 'flake.nix') diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d1c0e1d..6fc3ea7 120000 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1 +1 @@ -/nix/store/1gjsgdiq4mwrd8i3a1kz44s7l8nw2n37-pre-commit-config.json \ No newline at end of file +/nix/store/wdcgkxxwf6dl5bbjf550ys96hpr97ibw-pre-commit-config.json \ No newline at end of file diff --git a/flake.nix b/flake.nix index 7c309c8..17ff339 100644 --- a/flake.nix +++ b/flake.nix @@ -83,7 +83,13 @@ fi set +e nix build .#checks.${system}.spontaneity-website-test --no-link +BUILD_STATUS=$? set -e + +if [ $BUILD_STATUS -neq 0 ]; then + echo "Failed to build the website with spontaneity!" + exit $BUILD_STATUS +fi ''; pass_filenames = false; }; @@ -340,7 +346,7 @@ sha256sum installer.iso > installer.iso.sha256 checks."${system}" = { build-website = website; - spontaneity-website-test = pkgs.testers.runNixOSTest { + spontaneity-website-test = nixmacs.inputs.nixpkgs.legacyPackages."${system}".testers.runNixOSTest { name = "spontaneity-website-test"; node.specialArgs = { @@ -350,7 +356,7 @@ sha256sum installer.iso > installer.iso.sha256 nodes."spontaneity" = { lib, ... }: { imports = nixmacs.lib.mkHostModules "spontaneity" ++ [ - "${nixpkgs}/nixos/modules/misc/nixpkgs/read-only.nix" + "${nixmacs.inputs.nixpkgs}/nixos/modules/misc/nixpkgs/read-only.nix" { nixpkgs.pkgs = lib.mkVMOverride self.nixosConfigurations.spontaneity.pkgs; nixpkgs.config = lib.mkForce {}; @@ -388,6 +394,7 @@ git config branch.main.mergeoptions "--no-ff" alias gprune='git branch --merged | grep -v -E "^\*|main|master|dev" | xargs -r git branch -d' alias serve='cd result; python3 -m http.server 10005' alias build='nix build .#website && ${mkNotification "CI build done!"} ' +alias check='nix flake check; ${mkNotification "flake checks done!"} ' ''; buildInputs = [ deadnix -- cgit v1.3 From 0e86238729b06b83bf2c518da90abeb25c1b2cc1 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 14:36:32 -0700 Subject: smoke test passes --- config/nix.org | 5 ++++- flake.nix | 6 +++--- nix | 2 +- 3 files changed, 8 insertions(+), 5 deletions(-) (limited to 'flake.nix') diff --git a/config/nix.org b/config/nix.org index 89928d5..c355ba5 100644 --- a/config/nix.org +++ b/config/nix.org @@ -1733,7 +1733,7 @@ to the outside world under a domain. ''; }; extraConfig = '' - include ${monorepoSelf.packages.${pkgs.system}.website}/csp_headers.conf; + include ${monorepoSelf.packages.${pkgs.system}.website}/csp_header.conf; rewrite ^/graph_view/?(.*)$ https://graph.${config.monorepo.vars.remoteHost}/$1 permanent; ''; }; @@ -2396,6 +2396,7 @@ because they enhance security. memoryPercent = 50; }; + # Shim for testing virtualisation.vmVariant = { sops.validateSopsFiles = false; disko.devices = lib.mkForce {}; @@ -2424,6 +2425,8 @@ because they enhance security. systemd.services.sops-nix = { unitConfig.RequiresMountsFor = "/home/preston/.config/sops/age"; }; + + security.acme.defaults.server = lib.mkForce "https://127.0.0.1:14000/dir"; }; documentation = { diff --git a/flake.nix b/flake.nix index 17ff339..228e15a 100644 --- a/flake.nix +++ b/flake.nix @@ -373,10 +373,10 @@ sha256sum installer.iso > installer.iso.sha256 testScript = '' spontaneity.start() -spontaneity.wait_for_unit("nginx.service") -spontaneity.wait_for_open_port(443) +spontaneity.succeed('printf "smoke"') +spontaneity.wait_for_unit("default.target") spontaneity.succeed("systemctl is-active nginx") -spontaneity.succeed("echo 'smoke'") +spontaneity.succeed('printf "smoke again"') ''; }; }; diff --git a/nix b/nix index 202612a..7185f3f 160000 --- a/nix +++ b/nix @@ -1 +1 @@ -Subproject commit 202612ad3fabefa274423bb24f955157b9a290a0 +Subproject commit 7185f3f185bbfe594dbf11a31a2e7d78d5b72f09 -- cgit v1.3 From 8f0e761380481b9bc9c511530b19ad14e87e57c8 Mon Sep 17 00:00:00 2001 From: Preston Pan Date: Wed, 11 Mar 2026 14:39:06 -0700 Subject: typo --- flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'flake.nix') diff --git a/flake.nix b/flake.nix index 228e15a..4544ce4 100644 --- a/flake.nix +++ b/flake.nix @@ -71,7 +71,7 @@ name = "Spontaneity smoke test"; description = "tests if nginx is active/if the config works."; stages = [ "pre-merge-commit" ]; - entry = '' + entry = "${pkgs.writeShellScript "website-check" '' set -e set -o pipefail trap "echo -e '\nHook interrupted by user. Aborting merge!'; exit 1" INT TERM @@ -90,7 +90,7 @@ if [ $BUILD_STATUS -neq 0 ]; then echo "Failed to build the website with spontaneity!" exit $BUILD_STATUS fi -''; +''}"; pass_filenames = false; }; -- cgit v1.3