add blog (with webhooks)

flake.nix

@@ -108,6 +108,7 @@
       "ivpn.patch"
       "ivpn-ui.patch"
       "vaultwarden.patch"
+      "webhooks.patch"
     ];
     channelsConfig = { allowUnfree = true; };
     channels.unstable.input = nixpkgs;

machines/Home-Hypervisor/default.nix

@@ -32,6 +32,7 @@ in {
     nixosProfiles.cocalc
     # nixosProfiles.neko-browser
     nixosProfiles.openbooks
+    nixosProfiles.webhooks
 
     nixosProfiles.yandex-db
     nixosProfiles.it-tools

patches/webhooks.patch

@@ -0,0 +1,28 @@
+diff --git a/nixos/modules/services/networking/webhook.nix b/nixos/modules/services/networking/webhook.nix
+index 2a78491941c..9e3c816021f 100644
+--- a/nixos/modules/services/networking/webhook.nix
++++ b/nixos/modules/services/networking/webhook.nix
+@@ -158,6 +158,11 @@ in {
+         default = {};
+         description = mdDoc "Extra environment variables passed to webhook.";
+       };
++      environmentFiles = mkOption {
++        type = types.listOf types.str;
++        default = [];
++        description = mdDoc "Extra environment variables from files passed to webhook.";
++      };
+     };
+   };
+ 
+@@ -201,7 +206,11 @@ in {
+             ++ optional cfg.enableTemplates "-template"
+             ++ optional cfg.verbose "-verbose"
+             ++ cfg.extraArgs;
++        envFiles = concatMapStringsSep "\n" (envFile: "source " + envFile) cfg.environmentFiles;
+       in ''
++        set -a
++        ${envFiles}
++        set +a
+         ${cfg.package}/bin/webhook ${escapeShellArgs args}
+       '';
+       serviceConfig = {

profiles/servers/gitea.nix

@@ -67,7 +67,7 @@ in {
       security = {
         INSTALL_LOCK = true;
         DISABLE_GIT_HOOKS = true;
-        DISABLE_WEBHOOKS = true;
+        DISABLE_WEBHOOKS = false;
         IMPORT_LOCAL_PATHS = false;
         PASSWORD_HASH_ALGO = "argon2";
         SECRET_KEY_URI = "file:${config.secrets.gitea-secretkey.decrypted}";
@@ -95,6 +95,9 @@ in {
       ui = {
         DEFAULT_THEME = "arc-green";
       };
+      webhook = {
+        ALLOWED_HOST_LIST = "loopback, private, ataraxiadev.com, *.ataraxiadev.com";
+      };
     };
   };
 

profiles/servers/nginx.nix

@@ -23,7 +23,6 @@ let
           proxy_set_header X-authentik-uid $authentik_uid;
         '' + rootExtraConfig;
       } // root;
-      # all requests to /outpost.goauthentik.io must be accessible without authentication
       "/outpost.goauthentik.io" = {
         extraConfig = ''
           proxy_pass              http://127.0.0.1:9000/outpost.goauthentik.io;
@@ -35,7 +34,6 @@ let
           proxy_set_header        Content-Length "";
         '';
       };
-      # Special location for when the /auth endpoint returns a 401, redirect to the /start URL which initiates SSO
       "@goauthentik_proxy_signin" = {
         extraConfig = ''
           internal;
@@ -128,14 +126,6 @@ in {
         add_header Referrer-Policy "strict-origin-when-cross-origin";
       '';
     in {
-      # "ataraxiadev.com" = default // authentik {
-      #   root = { proxyPass = "http://127.0.0.1:3000"; };
-      #   rootExtraConfig = ''
-      #     if ($http_origin ~* "^https?://\w*\.?ataraxiadev\.com$") {
-      #         add_header Access-Control-Allow-Origin "$http_origin";
-      #     }
-      #   '' + proxySettings;
-      # };
       "ataraxiadev.com" = {
         locations."/" = {
           root = "/srv/http/ataraxiadev.com/docroot";
@@ -143,6 +133,9 @@ in {
             try_files $uri $uri/ =404;
           '';
         };
+        locations."/hooks" = {
+          proxyPass = "http://127.0.0.1:9010/hooks";
+        };
         locations."/.well-known/matrix" = {
           proxyPass = "https://matrix.ataraxiadev.com/.well-known/matrix";
           extraConfig = ''
@@ -222,12 +215,6 @@ in {
           extraConfig = proxySettings;
         };
       } // default;
-      # "bathist.ataraxiadev.com" = {
-      #   locations."/" = {
-      #     proxyPass = "http://127.0.0.1:9999";
-      #     extraConfig = proxySettings;
-      #   };
-      # } // default;
       "bathist.ataraxiadev.com" = default // authentik {
         root = { proxyPass = "http://127.0.0.1:9999"; };
         rootExtraConfig = proxySettings;
@@ -318,14 +305,6 @@ in {
           '' + proxySettings;
         };
       } // default;
-      # "microbin.ataraxiadev.com" = {
-      #   locations."/" = {
-      #     proxyPass = "http://127.0.0.1:9988";
-      #     extraConfig = ''
-      #       client_max_body_size 40M;
-      #     '' + proxySettings;
-      #   };
-      # } // default;
       "joplin.ataraxiadev.com" = {
         locations."/" = {
           proxyPass = "http://127.0.0.1:22300";

profiles/servers/webhooks.nix

@@ -0,0 +1,93 @@
+{ config, pkgs, lib, ... }:
+let
+  blog-hook = pkgs.writeShellApplication {
+    name = "blog-hook";
+    runtimeInputs = with pkgs; [ git hugo openssh go ];
+    text = ''
+      git pull
+      hugo -d ../docroot
+    '';
+  };
+in {
+  secrets.webhook-blog.owner = "webhook";
+
+  persist.state.directories = [ "/var/lib/webhook" ];
+
+  users.users.webhook = {
+    description = "Webhook daemon user";
+    isSystemUser = true;
+    group = "webhook";
+    createHome = true;
+    home = "/var/lib/webhook";
+  };
+
+  services.webhook = {
+    enable = true;
+    port = 9010;
+    group = "webhook";
+    user = "webhook";
+    environmentFiles = [
+      config.secrets.webhook-blog.decrypted
+    ];
+    hooksTemplated = {
+      publish-ataraxiadev-blog = ''
+        {
+          "id": "ataraxiadev-blog",
+          "execute-command": "${blog-hook}/bin/blog-hook",
+          "command-working-directory": "/srv/http/ataraxiadev.com/gitrepo",
+          "trigger-rule":
+          {
+            "and":
+            [
+              {
+                "match":
+                {
+                  "type": "payload-hmac-sha256",
+                  "secret": "{{ getenv "HOOK_BLOG_SECRET" | js }}",
+                  "parameter":
+                  {
+                    "source": "header",
+                    "name": "X-Gitea-Signature"
+                  }
+                }
+              },
+              {
+                "match":
+                {
+                  "type": "value",
+                  "value": "refs/heads/master",
+                  "parameter":
+                  {
+                    "source": "payload",
+                    "name": "ref"
+                  }
+                }
+              }
+            ]
+          }
+        }
+      '';
+    };
+  };
+
+  # services.caddy = {
+  #   enable = true;
+  #   email = "needed@for.acme";
+  #   virtualHosts = {
+  #     "${config.networking.hostName}.${config.networking.domain}" = {
+  #       extraConfig = ''
+  #         route /hooks/* {
+  #           # no uri manipulation, path /hooks/ on webhook service as well
+  #           reverse_proxy http://localhost:9000;
+  #         }
+  #       '';
+  #     };
+  #     "hugo.site" = {
+  #       extraConfig = ''
+  #         root * /srv/http/ataraxiadev.com/docroot
+  #         file_server
+  #       '';
+  #     };
+  #   };
+  # };
+}