clean: Remove nix + nginx dead code

Previously this repo used nix and nginx to manage deployment. All of
that happens in another repo (nixos-config) to manage virtual hosts. Now
this repo's deployment stage just pushes content.
This commit is contained in:
Matthew Binning 2026-03-22 09:05:34 -07:00
parent 5e55754e64
commit 81e40712f5
3 changed files with 7 additions and 171 deletions

View file

@ -37,11 +37,8 @@ case $ENV in
# Set proper ownership
sudo chown -R nginx:nginx ${STAGING_PATH}/
# Copy nginx config
sudo cp -t /etc/nixos/ staging.nginx.nix
printf "✓ Staging deployment complete!\n Files deployed to: %s\n Nginx config: /etc/nixos/staging.nginx.nix\n\nTo activate, update your NixOS configuration to import staging.nginx.nix\nand run: sudo nixos-rebuild switch\n" "${STAGING_PATH}"
printf "✓ Staging deployment complete!\n Files deployed to: %s\n\nTo activate nginx, import staging.nginx.nix into your local NixOS config\nand run: sudo nixos-rebuild switch\n" "${STAGING_PATH}"
;;
prod)
@ -51,7 +48,6 @@ case $ENV in
REMOTE_HOST="crossbox"
REMOTE_USER="m3b"
REMOTE_PATH="/srv/www/binning.net"
REMOTE_NIXOS="/etc/nixos/"
# Check if SSH key is set up
if ! ssh -o BatchMode=yes -o ConnectTimeout=5 ${REMOTE_USER}@${REMOTE_HOST} exit 2>/dev/null; then
@ -67,17 +63,8 @@ case $ENV in
ssh ${REMOTE_HOST} "sudo rsync -avz --delete /tmp/${REMOTE_PATH}/ ${REMOTE_PATH} && \
sudo chown -R nginx:nginx ${REMOTE_PATH}/ && \
printf 'Content deployed.\n'"
# Deploy nginx configuration
printf "Deploying nginx configuration...\n"
scp prod.nginx.nix ${REMOTE_HOST}:/tmp/nginx.nix
# Set proper permissions and move config on remote server
ssh ${REMOTE_HOST} "sudo mv /tmp/nginx.nix ${REMOTE_NIXOS}nginx.nix && \
sudo chown -R nginx:nginx ${REMOTE_PATH}/ && \
printf 'Configuration deployed. Run sudo nixos-rebuild switch to activate.\n'"
printf "✓ Production deployment complete!\n\nSSH into %s and run: sudo nixos-rebuild switch\n" "${REMOTE_HOST}"
printf "✓ Production deployment complete!\n\nNginx configuration is managed by the nixos-config flake (hosts/crossbox/nginx.nix).\n" "${REMOTE_HOST}"
;;
*)

View file

@ -1,151 +0,0 @@
{ config, pkgs, lib, ... }:
let
# Read multiple API keys from the secrets file at build time
# Note: This embeds the secrets in the Nix store, which is a trade-off
# Alternative: Keep secrets file and read via njs module or external auth service
secretsFile = "/srv/nginx/secrets";
# Read API keys from file (one key per line, will be evaluated at build time)
# If the file doesn't exist yet, this will fail - create it first
apiKeysRaw = builtins.readFile secretsFile;
apiKeys = lib.filter (k: k != "") (lib.splitString "\n" apiKeysRaw);
# Generate map entries for each key
mapEntries = lib.concatMapStringsSep "\n "
(key: ''"Bearer ${key}" "authorized";'')
apiKeys;
in
{
services.nginx = {
enable = true;
# Recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Increase bucket size for long Bearer tokens
mapHashBucketSize = 128;
# Map directive to check Authorization header against multiple keys
appendHttpConfig = ''
# Check if the Authorization header matches any expected value
map $http_authorization $auth_status {
default "unauthorized";
"" "no_auth";
${mapEntries}
}
'';
# Virtual hosts configuration
virtualHosts = {
# Main website - Static HTML/CSS
"www.binning.net" = {
enableACME = true;
forceSSL = true;
root = "/srv/www/binning.net";
locations."/" = {
index = "index.html";
tryFiles = "$uri $uri/ =404";
extraConfig = ''
# Enable Server Side Includes for navbar/footer includes
ssi on;
'';
};
# Private blog articles with HTTP basic authentication
locations."/blog/private/" = {
extraConfig = ''
auth_basic "Private Articles";
auth_basic_user_file /srv/nginx/.htpasswd;
# Enable Server Side Includes
ssi on;
'';
};
# Optional: Custom 404 page
extraConfig = ''
error_page 404 /404.html;
'';
};
# Ollama with Bearer token authentication
"ollama.binning.net" = {
enableACME = true;
forceSSL = true;
locations."/" = {
extraConfig = ''
# Check auth status
if ($auth_status = "no_auth") {
return 401 "Unauthorized: Bearer token required\n";
}
if ($auth_status = "unauthorized") {
return 403 "Forbidden: Invalid API key\n";
}
# Proxy to Ollama (only if authorized)
proxy_pass http://localhost:11434;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Timeouts for long-running requests
proxy_read_timeout 300s;
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
# Allow large request bodies
client_max_body_size 100M;
# Logging
access_log /var/log/nginx/ollama_access.log;
error_log /var/log/nginx/ollama_error.log;
'';
};
};
# Forgejo
"forgejo.binning.net" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
# No extraConfig needed - recommendedProxySettings handles headers
};
};
# Radicale
"radicale.binning.net" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5232";
# recommendedProxySettings handles most headers
extraConfig = ''
proxy_set_header X-Script-Name "";
'';
};
};
};
};
# Firewall
networking.firewall.allowedTCPPorts = [ 80 443 ];
# ACME/Let's Encrypt
security.acme = {
acceptTerms = true;
defaults.email = "hvanb@pm.me";
};
}

View file

@ -1,4 +1,4 @@
(C) Add a folder to hold the nginx/nix files and deploy it properly.
x 2026-03-22 Add a folder to hold the nginx/nix files and deploy it properly.
(B) Add a Forgejo pipeline to supersede deploy.sh. @Cline
(C) Move the resume to the private section and add the lock symbol. @Cline
Remove the one line descriptions from the menu. @Cline
@ -13,7 +13,7 @@ Integrate photos for recipes
Determine which articles should be incorporated into the website
Build out the Copper Chronicle
Fill out the DefCon article
Fill out the Oktoberfest article
Fill out the Oktoberfest article with old physical notes in big binder
Fill out the health journey
Fill out the faith journey
x Add a build step to fetch/symlink "content" to this repo before mdbook build.
@ -42,4 +42,4 @@ x Add a lock symbol to the mdbook sidebar to indicate private/restricted section
x Create a "minimal" content set to test building and deployment without the entire blog/content.
x Import Abby's Binning Family Menu @Cline
x Fix anchors (relative links) showing in mdbook's sidebar.
x Create a minimal "Menu" (food menu) page on the main website, which has a selection of line items from the recipe book. @Cline
x Create a minimal "Menu" (food menu) page on the main website, which has a selection of line items from the recipe book. @Cline