Add blog

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

flake.lock

@@ -511,11 +511,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1757861884,
-        "narHash": "sha256-s0cInWk/yrj0eY7Iee722ME9/bfjpUj9aKMlnb6q/t4=",
+        "lastModified": 1757873556,
+        "narHash": "sha256-WYrV46if1XsiQKOQEMNtHdAPeFDeu7YBdcoNSXc3sf8=",
         "ref": "refs/heads/main",
-        "rev": "383cf08fa55a46c8aa1c5faf57160bf594e5feaa",
-        "revCount": 41,
+        "rev": "21ab0b0a59264b1da501f90725bf2c03e07ae941",
+        "revCount": 43,
         "type": "git",
         "url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
       },

hosts/jupiter/users/storm/configs/console/podman/blog/default.nix

@@ -0,0 +1,62 @@
+{ user, home }:
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) volumes networks;
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets."blog/apiKey".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+
+      templates.blog-receiver-env.content = ''
+        AUTH_KEY=${hmConfig.sops.placeholder."blog/apiKey"}
+      '';
+    };
+
+    virtualisation.quadlet = {
+      volumes.blog = { };
+
+      containers = {
+        blog.containerConfig = {
+          image = "docker-archive:${pkgs.dockerImages.nginx}";
+          networks = [ networks.traefik.ref ];
+          volumes = [ "${volumes.blog.ref}:/var/www/nginx:ro" ];
+          labels = [
+            "traefik.enable=true"
+            "traefik.http.routers.blog.rule=Host(`blog.karaolidis.com`)"
+          ];
+        };
+
+        blog-receiver = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.nginx-receiver}";
+            networks = [ networks.traefik.ref ];
+            volumes = [ "${volumes.blog.ref}:/var/www/nginx" ];
+            environments = {
+              TARGET_DIR = "/var/www/nginx";
+              SUBPATH = "/upload";
+            };
+            environmentFiles = [ hmConfig.sops.templates.blog-receiver-env.path ];
+            labels = [
+              "traefik.enable=true"
+              "traefik.http.routers.blog-receiver.rule=Host(`blog.karaolidis.com`) && PathPrefix(`/upload`)"
+
+              "traefik.http.middlewares.redirect-root-to-blog.redirectregex.regex=^https://(www\.)?karaolidis\.com(/.*)?$"
+              "traefik.http.middlewares.redirect-root-to-blog.redirectregex.replacement=https://blog.karaolidis.com$${2}"
+              "traefik.http.middlewares.redirect-root-to-blog.redirectregex.permanent=false"
+            ];
+          };
+
+          unitConfig.After = [ "sops-nix.service" ];
+        };
+      };
+    };
+  };
+}

hosts/jupiter/users/storm/configs/console/podman/default.nix

@@ -12,6 +12,7 @@ in
   imports = [
     (import ./attic { inherit user home; })
     (import ./authelia { inherit user home; })
+    (import ./blog { inherit user home; })
     (import ./comentario { inherit user home; })
     (import ./gitea { inherit user home; })
     (import ./grafana { inherit user home; })

packages/docker/gitea-act-runner-worker/default.nix

@@ -17,6 +17,7 @@ pkgs.dockerTools.buildImage {
     name = "root";
     paths = with pkgs; [
       git
+      git-lfs
       curl
       jq
       nix

packages/docker/nginx-receiver/package/main.go

@@ -27,11 +27,14 @@ var (
 	maxUploadSize     int64 = 1 << 30 // 1GB
 
 	deployLock sync.Mutex
+
+	infoLog  = log.New(os.Stdout, "", log.LstdFlags)
+	errorLog = log.New(os.Stderr, "", log.LstdFlags)
 )
 
 func main() {
 	if authenticationKey == "" || targetDirectory == "" {
-		log.Fatal("AUTH_KEY and TARGET_DIR must be set")
+		errorLog.Fatal("AUTH_KEY and TARGET_DIR must be set")
 	}
 
 	if port == "" {
@@ -43,15 +46,15 @@ func main() {
 		basePath = "/" + subPath
 	}
 
-	log.Printf("starting server on :%s, endpoint %q, target directory %q", port, basePath, targetDirectory)
+	infoLog.Printf("starting server on :%s, endpoint %q, target directory %q", port, basePath, targetDirectory)
 	http.HandleFunc(basePath, withRecovery(handle))
-	log.Fatal(http.ListenAndServe(":"+port, nil))
+	errorLog.Fatal(http.ListenAndServe(":"+port, nil))
 }
 
 func handle(w http.ResponseWriter, r *http.Request) {
 	remoteIP := realIP(r)
 
-	log.Printf("incoming %q request on %q from %s", r.Method, r.URL.Path, remoteIP)
+	infoLog.Printf("incoming %q request on %q from %s", r.Method, r.URL.Path, remoteIP)
 
 	if r.Method != http.MethodPost {
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
@@ -60,7 +63,7 @@ func handle(w http.ResponseWriter, r *http.Request) {
 
 	auth := r.Header.Get("Authorization")
 	if subtle.ConstantTimeCompare([]byte(auth), []byte(authenticationKey)) != 1 {
-		log.Printf("unauthorized request from %s", remoteIP)
+		errorLog.Printf("unauthorized request from %s", remoteIP)
 		http.Error(w, "unauthorized", http.StatusUnauthorized)
 		return
 	}
@@ -112,7 +115,7 @@ func handle(w http.ResponseWriter, r *http.Request) {
 	defer os.RemoveAll(extractDir)
 
 	if err := extractor.Extract(ctx, archiveStream, extract(extractDir)); err != nil {
-		log.Printf("failed to extract archive: %v", err)
+		errorLog.Printf("failed to extract archive: %v", err)
 		http.Error(w, "bad archive", http.StatusBadRequest)
 		return
 	}
@@ -131,7 +134,7 @@ func handle(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.WriteHeader(http.StatusOK)
-	log.Printf("upload successful from %s", remoteIP)
+	infoLog.Printf("upload successful from %s", remoteIP)
 }
 
 func realIP(r *http.Request) string {
@@ -235,7 +238,7 @@ func withRecovery(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		defer func() {
 			if v := recover(); v != nil {
-				log.Printf("panic: %v", v)
+				errorLog.Printf("panic: %v", v)
 				http.Error(w, "internal error", http.StatusInternalServerError)
 			}
 		}()