Andromeda/blog
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

get rid of superfluities

Browse Source
This commit is contained in:
mtgmonkey
2025-08-02 06:04:27 -04:00
parent 552efc6942
commit 3b7b378d30
4 changed files with 1 additions and 226 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
content/daily/2025-06-07.md
View File

@@ -1,15 +0,0 @@
+++
title = "init post"
date = 2025-06-07
+++
This is my first daily message, posted in the afternoon rather than the morning. In the future, all fo these will be posted when I wake up.
Let's do some about me.
I use nixos with limine, ly, xmonad, qutebrowser, and nvf on the day-to-day. I program in haskell, elm, nix, and rust. Functional programming for the win! My vps is also nixos, and it's so convenient to share my home-manager config between the two!
### Links
All sites are built %100 declatatively with Nix.
- [My rgit server](https://git.mtgmonkey.net), which hosts all my repos, including that for this site and for my pet site.
- [My blog](https://blog.mtgmonkey.net), which you are reading now.
- [My pet site](https://mtgmonkey.net), Elmskell, which has a Haskell Scotty backend with an Elm frontend.

87
content/daily/2025-06-08.md
View File

@@ -1,87 +0,0 @@
+++
title = "TLS Troubles and Embarrassing Secrets"
date = 2025-06-08
+++
Last night, this website saw hours of downtime because of a combination of silly mistakes. Let me explain.
### TLS Troubles
This site runs with the [Ferron](https://www.ferronweb.org/) webserver. When you have a website, you need to have TLS certificates so users can use HTTPS to access it. Ferron has these really great configuration options to do this automatically.
> [Nix](https://git.mtgmonkey.net/server-configuration.git/tree/services/ferron.nix), used to define Ferron's config.yaml
>
> ```nix
> -- ferron-conf.nix
> {
> global = {
> enableAutomaticTLS = true;
> useAutomaticTLSHTTPChallenge = true;
> };
> }
> ```
These automatic TLS certificates are issued by [Let's Encrypt](https://letsencrypt.org), a fantastic nonprofit you should definitely go check out. They do, however, have pretty strict [rate limits](https://letsencrypt.org/docs/rate-limits/). Luckily, they offer a [staging feature](https://letsencrypt.org/docs/staging-environment) with much higher rate limits.
I made a number of mistakes. The first was testing in production rather than on a local server.
The second was not taking advantage of Let's Encrypt's staging features. Ferron even has an option `automaticTLSLetsEncryptProduction` that, when `false`, lets one use Let's Encrypt's staging features. Even though there is a [whole page](https://www.ferronweb.org/docs/automatic-tls), and despite knowing not to experiment in a production environment, I thought I would be fine and forged ahead.
It was the seventh `systemctl restart ferron` which broke my sites. Suddenly, all I got was `ERR_SSL_PROTOCOL_ERR` from visiting *any* of my sites. There it was: Lesson learned. I will do my experiments locally going forward.
A problem still remained, however. This blog is updated daily, and is built with a [flake](https://git.mtgmonkey.net/blog.git/tree/flake.nix). This makes it fully declarative; a boon! Ferron, however, was configured to point to `${blog.packages.x86_64-linux.default}/wwwroot`, which would be outdated until I `systeml restart`ed the server. Ferron requests a new certificate from Let's Encrypt, though, meaning I would hit the rate limit if I restarted even a couple of times too many. To fix this, my Ferron https server points to a second http server, which hosts the blog.
> My much-overcomplicated ferron setup
>
> ```nix
> # ferron-conf.nix
> {
> global = {
> # enable automatic tls for https
> secure = true;
> enableAutomaticTLS = true;
> useAutomaticTLSHTTPChallenge = true;
> # let an https connection travel to the blog-ferron http server without error
> disableProxyCertificateVerification = true;
> # enable proxying to local servers (reverse proxying)
> loadModules = ["rproxy"];
> };
> hosts = [
> {
> # route requests for the blog to port 8181
> domain = "blog.mtgmonkey.net";
> proxyTo = "http://localhost:8181/";
> }
> ];
> }
> ```
>
> ```nix
> # blog-ferron-conf.nix
> # take the blog flake as an input
> { blog, ... }: {
> global = {
> # expose server to port 8181, so the main ferron server will proxy to it
> port = 8181;
> # the default flake output includes the static site at wwwroot
> wwwroot = "${blog.packages.x86_64-linux.default}/wwwroot";
> };
> }
> ```
This means I only need to `systemctl restart blog-ferron`, rather than ...`ferron`, meaning I don't trigger a new Let's Encrypt cert request every time. I can update my blog *however frequently I want* and *still* ensure the reproducibility of Nix.
All code above is, clearly, just simplified snippets; the actual file are linked below
- [ferron.nix](https://git.mtgmonkey.net/server-configuration.git/tree/services/ferron.nix), where ferron-conf.nix is in the let binding
- [blog.nix](https://git.mtgmonkey.net/server-configuration.git/tree/services/blog.nix), where blog-ferron-conf.nix is in the let binding
- [flake.nix](https://git.mtgmonkey.net/server-configuration.git/tree/flake.nix),the flake to which the above modules are imported
### Embarrassing Secrets
I spent all morning trying to configure different secrets management programs, from [agenix](https://github.com/ryantm/agenix), to [spos-nix](https://github.com/Mic92/sops-nix), to even a simple `.gitignore`. After finally getting agenix configured properly, it occured to me that my only 'secrets' were my ssh *public keys*, which are harmless to share! I don't need *any* secrets management, much less something as complex as agenix.
### By Tomorrow
- [ ] Polish up [the blog](https://blog.mtgmonkey.net) a little bit
- [ ] Get a [translation api](https://github.com/LibreTranslate/LibreTranslate) set up

123
content/daily/2025-06-09.md
View File

@@ -1,123 +0,0 @@
+++
title = "Spacebar and a Translation Service"
date = 2025-06-09
+++
### Since Yesterday
- [ ] Polish up [the blog](https://blog.mtgmonkey.net) a little bit
- [X] Get a [translation api](https://translate.mtgmonkey.net) set up
- [X] Get a [chat client](https://chat.mtgmonkey.net) set up
### Spacebar Server
The Spacebar server is super easy to run on Nix - its flake just works! Below I write the relevant portions of my Nix config.
> ```nix
> # flake.nix
> {
> # import server from the flake.nix on gh
> inputs.spacebar-server.url = "github:spacebarchat/server";
> outputs = {
> spacebar-server,
> ...
> }: {
> nixosConfigurations."server" = nixpkgs.lib.nixosSystem {
> system = "x86_64-linux";
> specialArgs = {
> # pass spacebar-server to any module that wants it
> inherit spacebar-server;
> };
> modules = [
> # add spacebar to configuration
> ./services/spacebar.nix
> ];
> };
> };
> }
> ```
>
> ```nix
> # services/spacebar.nix
> {
> spacebar-server,
> lib,
> pkgs,
> ...
> }: {
> systemd.services.spacebar-server = {
> serviceConfig = {
> Type = "simple";
> ExecStart = "${lib.getExe
> spacebar-server.packages.x86_64-linux.default}";
> # Ensure the server is run by a non-priveleged user for security
> RemainAfterExit = true;
> User = "spacebar";
> Group = "spacebar";
> };
> environment = {
> # Specify location of uploaded files and the db
> DATABASE = "/var/lib/spacebar-server/database.db";
> STORAGE_LOCATION = "/var/lib/spacebar-server/files/";
> };
> };
> # Create user that runs the server
> users.users.spacebar = {
> isSystemUser = true;
> group = "spacebar";
> # Create home, where database.db and files/ are located
> home = "/var/lib/spacebar-server";
> createHome = true;
> # utility packages while SSHing into the user
> packages = [
> pkgs.git
> # package to test drive the server with the unpriveleged user
> spacebar-server.packages.x86_64-linux.default
> # edit the database
> pkgs.sqlite
> ];
> # I have noshell in my flake, so there won't be a login shell unless it's specified
> shell = pkgs.bash;
> };
> # Groups need to be 'initialized' on nixos
> users.groups.spacebar = {};
> }
> ```
This configuration runs great! Well, given that you configure the database correctly - sqlite is going to be the death of me! `api_endpointPublic`, `cdn_endpointPublic`, and `gateway_endpointPublic` *all need to be set* before the server's connected up properly to take new users. That means running the below series of commands from the `sqlite3` repl - an interface without backspace~
> ```bash
> # as spacebar user
> sqlite3 ~/database.db
> ```
>> ```sql
>> update config
>> set value='"https://spacebar-api.mtgmonkey.net/api/v9"'
>> where key='api_endpointPublic';
>> update config
>> set value='"https://spacebar-api.mtgmonkey.net"'
>> where key='cdn_endpointPublic';
>> update config
>> set value='"wss://spacebar-api.mtgmonkey.net"'
>> where key='gateway_endpointPublic';
>> .exit
>> ```
Beleive it or not, the server was only the *easy* part! I next had to configure the client.
There are generally 3 web clients to choose from when it comes to Spacebar.
- [The official client](https://github.com/spacebarchat/client), written in React, is the most beautiful. It's not fully featured, however, missing the home page, friends, DMs, and more.
- [The legacy client](https://github.com/spacebarchat/client/tree/legacy-v2), written in Typescript, is known to work. Unfortunately, it is quite outdated and, no matter how much I tried, I could not get it to build on Nix.
- [JankClient](https://github.com/MathMan05/JankClient), an unofficial client written in TypeScript, is, as its name suggests, quite janky. It requires frequent browser refreshes to fix visual glitches and is poorly optimised on mobile.
JankClient, despite its glitchiness, is the one I finally decided on. Though the official client has a flake, it's currently non-functional, and has been for a while. Neither of the other two have flakes, unfortunately, but it's easy enough to run JankClient with Docker. I first ran `nix-shell -p compose2nix` before renaming `compose.yaml` to `docker-compose.yaml` (as compose2nix requires). I then ran compose2nix and used the output as the basis for [services/spacebar.nix](https://git.mtgmonkey.net/server-configuration.git/tree/services/spacebar.nix). I made a couple of major modifications: Firstly, I bound it to a different port as a matter of personal preference. I also changed all instances of `podman` with `docker`, as my rgit instance runs on docker and nix can only have 1 declaration of `virtualisation.oci-containers.backend`. Secondly, the generated `docker-build-spaceclient-jank.service` wouldn't run properly, so I had to build the image manually. Finally, I added an [anubis](https://github.com/TecharoHQ/anubis) PoW captcha and a reverse client entry in my [ferron](https://www.ferronweb.org) webserver, as appropriate.
All code above is, clearly, just simplified snippets; the actual file are linked below
- [flake.nix](https://git.mtgmonkey.net/server-configuration.git/tree/flake.nix).
- [services/spacebar.nix](https://git.mtgmonkey.net/server-configuration.git/tree/services/spacebar.nix).
- [services/ferron.nix](https://git.mtgmonkey.net/server-configuration.git/tree/services/ferron.nix).
- [services/translate.nix](https://git.mtgmonkey.net/server-configuration.git/tree/services/ferron.nix).
### For Tomorrow
- [ ] Polish up [the blog](https://blog.mtgmonkey.net) a little bit

2
content/daily/2025-08-01.md
View File

@@ -5,7 +5,7 @@ date = 2025-08-01
### Welcome to the blog! ### Welcome to the blog!
The previous blog posts are broken and not to be taken with more than a grain of salt. I will be posting every day from today until my return from Germany! I will take the train down to Washington D.C. on the 6th of August and will say goodbye to my parents on the 7th. My excitement is nearly unbearable! I will be posting every day from today until my return from Germany! I will take the train down to Washington D.C. on the 6th of August and will say goodbye to my parents on the 7th. My excitement is nearly unbearable!
## Preparation ## Preparation