Update nix module, add resizing to WebsiteEditor and make preview load without JS

2025-11-22 02:41:35 +01:00 · 2025-01-29 19:53:38 +01:00
parent c6111fd247
commit fba3aef8aa
4 changed files with 38 additions and 46 deletions
--- a/nix/deploy/prod/default.nix
+++ b/nix/deploy/prod/default.nix
@@ -27,7 +27,10 @@ in
    defaults.email = "thilo.hohlt@tutanota.com";
    certs."${domain}" = {
      inherit domain;
-      extraDomainNames = [ "*.${domain}" docsSubdomain ];
+      extraDomainNames = [
+        "*.${domain}"
+        docsSubdomain
+      ];
      dnsProvider = "porkbun";
      environmentFile = /var/lib/porkbun.env;
      group = "nginx";
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -69,7 +69,7 @@ in
          disableRegistration = mkOption {
            type = types.bool;
            default = false;
-            description = "By default any user can create an account. That behavior can be disabled by using this option.";
+            description = "By default any user can create an account. That behavior can be disabled with this option.";
          };
          maxUserWebsites = mkOption {
            type = types.ints.positive;
@@ -128,21 +128,19 @@ in
        ];
      };

-      systemd.tmpfiles.settings = {
-        "10-archtika" = {
-          "/var/www" = {
-            d = {
-              mode = "0755";
-              user = "root";
-              group = "root";
-            };
+      systemd.tmpfiles.settings."10-archtika" = {
+        "/var/www" = {
+          d = {
+            mode = "0755";
+            user = "root";
+            group = "root";
          };
-          "/var/www/archtika-websites" = {
-            d = {
-              mode = "0770";
-              user = cfg.user;
-              group = cfg.group;
-            };
+        };
+        "/var/www/archtika-websites" = {
+          d = {
+            mode = "0770";
+            user = cfg.user;
+            group = cfg.group;
          };
        };
      };
@@ -171,9 +169,7 @@ in

        script =
          let
-            dbUrl =
-              user:
-              "postgres://${user}@127.0.0.1:${toString config.services.postgresql.settings.port}/${cfg.databaseName}";
+            dbUrl = user: "postgres://${user}@/${cfg.databaseName}?host=/var/run/postgresql";
          in
          ''
            JWT_SECRET=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c64)
@@ -183,7 +179,7 @@ in
              -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_storage_size\" TO ${toString cfg.settings.maxWebsiteStorageSize}" \
              -c "ALTER DATABASE ${cfg.databaseName} SET \"app.website_max_number_user\" TO ${toString cfg.settings.maxUserWebsites}"

-            ${pkgs.dbmate}/bin/dbmate --url ${dbUrl "postgres"}?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up
+            ${lib.getExe pkgs.dbmate} --url ${dbUrl "postgres"}?sslmode=disable --migrations-dir ${cfg.package}/rest-api/db/migrations up

            PGRST_SERVER_CORS_ALLOWED_ORIGINS="https://${cfg.domain}" \
            PGRST_ADMIN_SERVER_PORT=${toString cfg.apiAdminPort} \
@@ -193,7 +189,7 @@ in
            PGRST_OPENAPI_MODE="ignore-privileges" \
            PGRST_DB_URI=${dbUrl "authenticator"} \
            PGRST_JWT_SECRET="$JWT_SECRET" \
-            ${pkgs.postgrest}/bin/postgrest
+            ${lib.getExe pkgs.postgrest}
          '';
      };

@@ -220,24 +216,20 @@ in
          PORT = toString cfg.webAppPort;
        };

-        script = "${pkgs.nodejs_22}/bin/node ${cfg.package}/web-app";
+        script = "${lib.getExe pkgs.nodejs_22} ${cfg.package}/web-app";
      };

      services.postgresql = {
        enable = true;
        ensureDatabases = [ cfg.databaseName ];
-        authentication = lib.mkOverride 51 ''
-          host    all    all    127.0.0.1/32    trust
-          host    all    all    ::1/128         trust
-          local   all    all                    trust
-        '';
        extensions = ps: with ps; [ pgjwt ];
      };

      systemd.services.postgresql = {
-        path = builtins.attrValues {
-          inherit (pkgs) gnutar gzip;
-        };
+        path = with pkgs; [
+          gnutar
+          gzip
+        ];
        serviceConfig = {
          ReadWritePaths = [ "/var/www/archtika-websites" ];
          SystemCallFilter = [ "@system-service" ];
@@ -251,23 +243,16 @@ in
        recommendedZstdSettings = true;
        recommendedOptimisation = true;

-        appendHttpConfig = ''
-          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-          add_header X-Frame-Options "SAMEORIGIN" always;
-          add_header X-Content-Type-Options "nosniff" always;
-          add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-          add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),cross-origin-isolated=(),display-capture=(),encrypted-media=(),fullscreen=(self),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(self),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),xr-spatial-tracking=(),clipboard-read=(self),clipboard-write=(self),gamepad=(),hid=(),idle-detection=(),interest-cohort=(),serial=(),unload=()" always;
-
-          map $http_cookie $auth_header {
-            default "";
-            "~*session_token=([^;]+)" "Bearer $1";
-          }
-        '';
-
        virtualHosts = {
          "${cfg.domain}" = {
            useACMEHost = cfg.domain;
            forceSSL = true;
+            extraConfig = ''
+              map $http_cookie $auth_header {
+                default "";
+                "~*session_token=([^;]+)" "Bearer $1";
+              }
+            '';
            locations = {
              "/" = {
                proxyPass = "http://127.0.0.1:${toString cfg.webAppPort}";