Initial commit

bacchus-snu · Nov 2, 2023 · e4d4475 · e4d4475
commit e4d4475
Show file tree

Hide file tree

Showing 5 changed files with 168 additions and 0 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,33 @@
+name: Build and push image
+
+on:
+  push:
+    branches:
+      - master
+
+permissions:
+  contents: read
+  id-token: write
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cachix/install-nix-action@v22
+      - run: nix build .#docker
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Tag and Push
+        env:
+          GH_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+        run: |
+          IMAGE="$(docker load -i result | awk '{print $3}')"
+          docker tag "$IMAGE" "$GH_IMAGE"
+          docker push "$GH_IMAGE"
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+/result
+/result-*
diff --git a/README.md b/README.md
@@ -0,0 +1,7 @@
+# secure front
+
+```console
+$ nix build .#docker
+$ docker load -i result
+Loaded image: localhost/secure-front:q4b69zbzv9x79kybqzhs53hfd7syxpsb
+```
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -0,0 +1,68 @@
+{
+  outputs = { self, flake-utils, nixpkgs }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        lib = nixpkgs.lib;
+        pkgs = nixpkgs.legacyPackages.${system};
+        placeholder = self.packages.${system}.placeholder;
+      in
+      {
+        packages = {
+          placeholder = pkgs.stdenvNoCC.mkDerivation {
+            name = "placeholder";
+            src = pkgs.fetchFromGitHub {
+              owner = "bacchus-snu";
+              repo = "snucse-gpu-service-manual";
+              rev = "3dd6d4df9b6c8ffbcc6073826527f119c7fd937f";
+              hash = "sha256-e9GANnoJpUggZROINZ0kxtrjA4uubrhzEIWjNCONE5U=";
+            };
+
+            postPatch = ''
+              cat <<EOF > src/robots.txt
+              User-Agent: *
+              Disallow: /
+              EOF
+            '';
+
+            nativeBuildInputs = with pkgs; [ mdbook mdbook-i18n-helpers ];
+
+            buildPhase = ''
+              mdbook build -d $out
+            '';
+          };
+          docker =
+            let
+              caddyfile = pkgs.writeText "Caddyfile" ''
+                :8080 {
+                  root * ${placeholder}
+                  file_server
+                  handle_errors {
+                    rewrite * /{err.status_code}.html
+                    file_server
+                  }
+
+                  # such secure
+                  header {
+                    X-Frame-Options DENY
+                    X-XSS-Protection 0
+                    X-Content-Type-Options nosniff
+                  }
+                }
+              '';
+            in
+            pkgs.dockerTools.buildLayeredImage {
+              name = "secure-front";
+              config = {
+                User = "1000";
+                Cmd = [
+                  (lib.getExe pkgs.caddy)
+                  "run"
+                  "--adapter=caddyfile"
+                  "--config=${caddyfile}"
+                ];
+              };
+            };
+        };
+      }
+    );
+}