feat(webserver): Vendor and reimplement main pages in leptos

2025-11-24 03:29:18 +08:00 · 2025-11-24 03:29:18 +08:00 · 59fdb37222
commit 59fdb37222
parent aeba7301b0
25 changed files with 4862 additions and 176 deletions
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -1,4 +1,10 @@
-{ config, ... }:
+{
+  pkgs,
+  config,
+  lib,
+  flake-inputs,
+  ...
+}:
 let
  inherit (config.services.nginx) domain;
 in
@ -8,11 +14,50 @@ in
    443
  ];

-  services.tlaternet-webserver = {
-    enable = true;
-    listen = {
-      addr = "127.0.0.1";
-      port = 8000;
+  systemd.services.tlaternet-webserver = {
+    description = "tlater.net webserver";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+
+    script = ''
+      ${lib.getExe flake-inputs.self.packages.${pkgs.system}.webserver}
+    '';
+
+    environment = {
+      TLATERNET_NTFY_INSTANCE = "https://tlater.net";
+      LEPTOS_SITE_ADDR = "127.0.0.1:8000";
+    };
+
+    serviceConfig = {
+      Type = "exec";
+      LoadCredential = "ntfy-topic:/run/secrets/tlaternet/ntfy-topic";
+
+      DynamicUser = true;
+      ProtectHome = true; # Override the default (read-only)
+      PrivateDevices = true;
+      PrivateIPC = true;
+      PrivateUsers = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      RestrictAddressFamilies = [
+        "AF_UNIX"
+        "AF_INET"
+        "AF_INET6"
+      ];
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged @resources @setuid @keyring"
+      ];
    };
  };

@ -28,6 +73,11 @@ in
      useACMEHost = "tlater.net";
      enableHSTS = true;

-      locations."/".proxyPass = "http://${addr}:${toString port}";
+      locations."/".proxyPass =
+        "http://${config.systemd.services.tlaternet-webserver.environment.LEPTOS_SITE_ADDR}";
    };
+
+  sops.secrets = {
+    "tlaternet/ntfy-topic" = { };
+  };
 }