{
config,
lib,
pkgs,
pkgs-unstable,
...
}:
let
cfg = config.alisceon.blogbox;
user = config.users.users.${cfg.user};
repoDir = "${user.home}/${cfg.repoDirectoryName}";
outputDir = toString cfg.outputDir;
outputParent = dirOf outputDir;
caddyfile = pkgs.writeText "blogbox-Caddyfile" ''
{$BLOGBOX_DOMAIN} {
encode zstd gzip
root * ${outputDir}
file_server
}
'';
publishSite = pkgs.writeShellApplication {
name = "blogbox-publish-site";
runtimeInputs = [
pkgs.coreutils
pkgs.git
pkgs.gnugrep
pkgs-unstable.hugo
];
text = ''
repo_dir="''${BLOGBOX_REPO_DIR:-${repoDir}}"
output_dir="''${BLOGBOX_OUTPUT_DIR:-${outputDir}}"
hugo_args="''${BLOGBOX_HUGO_ARGS:-}"
if [ ! -d "$repo_dir/.git" ]; then
echo "Skipping blog publish: $repo_dir is not an initialized git repository"
exit 0
fi
cd "$repo_dir"
old_rev="$(git rev-parse HEAD 2>/dev/null || true)"
if [ -z "$old_rev" ]; then
echo "Skipping blog publish: unable to resolve HEAD in $repo_dir"
exit 0
fi
if ! git remote get-url origin >/dev/null 2>&1; then
echo "Skipping blog publish: $repo_dir has no origin remote"
exit 0
fi
git fetch --prune --tags origin
upstream="$(git rev-parse --abbrev-ref --symbolic-full-name '@{u}' 2>/dev/null || true)"
if [ -n "$upstream" ]; then
git merge --ff-only "$upstream"
else
git pull --ff-only
fi
new_rev="$(git rev-parse HEAD)"
built_rev_file="$output_dir/.blogbox-built-rev"
if [ -f "$built_rev_file" ] && [ "$old_rev" = "$new_rev" ] && grep -qxF "$new_rev" "$built_rev_file"; then
echo "No blog repository updates since $new_rev; skipping Hugo build"
exit 0
fi
output_parent="$(dirname "$output_dir")"
mkdir -p "$output_parent"
build_dir="$(mktemp -d "$output_parent/.hugo-build.XXXXXX")"
trap 'rm -rf "$build_dir"' EXIT
# shellcheck disable=SC2086
hugo --source "$repo_dir" --destination "$build_dir/public" --cleanDestinationDir $hugo_args
printf '%s\n' "$new_rev" > "$build_dir/public/.blogbox-built-rev"
rm -rf "$output_dir.previous"
if [ -d "$output_dir" ]; then
mv "$output_dir" "$output_dir.previous"
fi
mv "$build_dir/public" "$output_dir"
rm -rf "$output_dir.previous"
trap - EXIT
rm -rf "$build_dir"
echo "Published blog revision $new_rev to $output_dir"
'';
};
updateNamecheap = pkgs.writeShellApplication {
name = "blogbox-namecheap-ddns";
runtimeInputs = [
pkgs.curl
pkgs.gnugrep
];
text = ''
domain="''${NAMECHEAP_DOMAIN:-''${BLOGBOX_DOMAIN:-}}"
host="''${NAMECHEAP_HOST:-@}"
password="''${NAMECHEAP_DDNS_PASSWORD:-''${NAMECHEAP_PASSWORD:-}}"
if [ -z "$domain" ] || [ -z "$password" ]; then
echo "Skipping Namecheap DDNS: BLOGBOX_DOMAIN/NAMECHEAP_DOMAIN or NAMECHEAP_DDNS_PASSWORD is not configured"
exit 0
fi
ip="''${NAMECHEAP_IP:-}"
if [ -z "$ip" ]; then
ip_url="''${NAMECHEAP_IP_URL:-https://dynamicdns.park-your-domain.com/getip}"
ip="$(curl --fail --silent --show-error --max-time 15 "$ip_url")"
fi
response="$(
curl --fail --silent --show-error --get "https://dynamicdns.park-your-domain.com/update" \
--data-urlencode "host=$host" \
--data-urlencode "domain=$domain" \
--data-urlencode "password=$password" \
--data-urlencode "ip=$ip"
)"
printf '%s\n' "$response"
if printf '%s\n' "$response" | grep -qiE '0|true'; then
exit 0
fi
echo "Namecheap DDNS response did not indicate success"
exit 1
'';
};
in
{
options.alisceon.blogbox = {
enable = lib.mkEnableOption "blogbox static site publishing";
user = lib.mkOption {
type = lib.types.str;
default = "alisceon";
description = "User that owns and updates the blog git repository.";
};
group = lib.mkOption {
type = lib.types.str;
default = "users";
description = "Group for blogbox writable state.";
};
repoDirectoryName = lib.mkOption {
type = lib.types.str;
default = "blogbox-site";
description = "Directory name under the user's home where the runtime git repository lives.";
};
outputDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/blogbox/public";
description = "Stable directory served by Caddy and replaced after successful Hugo builds.";
};
environmentFile = lib.mkOption {
type = lib.types.path;
default = "/etc/blogbox/blogbox.env";
description = "Runtime environment file for non-secret domain and repository settings.";
};
ddnsEnvironmentFile = lib.mkOption {
type = lib.types.path;
default = "/etc/blogbox/namecheap.env";
description = "Runtime environment file for Namecheap dynamic DNS credentials.";
};
publishInterval = lib.mkOption {
type = lib.types.str;
default = "2min";
description = "Interval for git pull and Hugo publish attempts.";
};
ddnsInterval = lib.mkOption {
type = lib.types.str;
default = "5min";
description = "Interval for Namecheap dynamic DNS updates.";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
80
443
];
environment.etc."blogbox/blogbox.env.example".text = ''
# Required for HTTPS virtual hosting.
BLOGBOX_DOMAIN=example.com
# Optional. Defaults to /home/${cfg.user}/${cfg.repoDirectoryName}.
# BLOGBOX_REPO_DIR=/home/${cfg.user}/${cfg.repoDirectoryName}
# Optional. Defaults to ${outputDir}.
# BLOGBOX_OUTPUT_DIR=${outputDir}
# Optional extra flags passed to hugo. Keep this shell-word-safe.
# BLOGBOX_HUGO_ARGS=--minify
'';
environment.etc."blogbox/namecheap.env.example".text = ''
# Required for Namecheap DDNS.
# NAMECHEAP_DOMAIN defaults to BLOGBOX_DOMAIN from blogbox.env when omitted.
# NAMECHEAP_DOMAIN=example.com
NAMECHEAP_HOST=@
NAMECHEAP_DDNS_PASSWORD=change-me
# Optional. If unset, the updater asks Namecheap for the current public IP.
# NAMECHEAP_IP=203.0.113.10
'';
services.caddy = {
enable = true;
adapter = "caddyfile";
configFile = caddyfile;
environmentFile = cfg.environmentFile;
};
systemd.tmpfiles.rules = [
"d /etc/blogbox 0750 root root -"
"d ${outputParent} 0755 ${cfg.user} ${cfg.group} -"
"d ${outputDir} 0755 ${cfg.user} ${cfg.group} -"
];
systemd.services = {
caddy.unitConfig.ConditionPathExists = cfg.environmentFile;
blogbox-publish-site = {
description = "Pull and publish the blogbox Hugo site";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
EnvironmentFile = [ "-${toString cfg.environmentFile}" ];
Environment = [
"HOME=${user.home}"
"GIT_TERMINAL_PROMPT=0"
];
Nice = 10;
IOSchedulingClass = "idle";
TimeoutStartSec = "10min";
};
script = lib.getExe publishSite;
};
blogbox-namecheap-ddns = {
description = "Update Namecheap dynamic DNS for blogbox";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
EnvironmentFile = [
"-${toString cfg.environmentFile}"
"-${toString cfg.ddnsEnvironmentFile}"
];
Nice = 10;
IOSchedulingClass = "idle";
TimeoutStartSec = "45s";
};
script = lib.getExe updateNamecheap;
};
blogbox-reload-caddy = {
description = "Restart Caddy after blogbox runtime configuration changes";
serviceConfig.Type = "oneshot";
script = ''
${pkgs.systemd}/bin/systemctl restart caddy.service
'';
};
};
systemd.timers = {
blogbox-publish-site = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "2min";
OnUnitActiveSec = cfg.publishInterval;
RandomizedDelaySec = "20s";
Persistent = true;
};
};
blogbox-namecheap-ddns = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = cfg.ddnsInterval;
RandomizedDelaySec = "30s";
Persistent = true;
};
};
};
systemd.paths.blogbox-reload-caddy = {
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathExists = cfg.environmentFile;
PathChanged = cfg.environmentFile;
};
};
};
}