From e4d447588b9b41a9800597cc0842d2ab7b664ec2 Mon Sep 17 00:00:00 2001
From: Yongun Seong
Date: Thu, 2 Nov 2023 13:51:42 +0900
Subject: [PATCH] Initial commit
---
 .github/workflows/build.yaml | 33 +++++++++++++++++
 .gitignore | 2 ++
 README.md | 7 ++++
 flake.lock | 58 ++++++++++++++++++++++++++++++
 flake.nix | 68 ++++++++++++++++++++++++++++++++++++
 5 files changed, 168 insertions(+)
 create mode 100644 .github/workflows/build.yaml
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 flake.lock
 create mode 100644 flake.nix
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
new file mode 100644
index 0000000..26c1e71
--- /dev/null
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,33 @@
+name: Build and push image
+
+on:
+ push:
+ branches:
+ - master
+
+permissions:
+ contents: read
+ id-token: write
+ packages: write
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: cachix/install-nix-action@v22
+ - run: nix build .#docker
+
+ - uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Tag and Push
+ env:
+ GH_IMAGE: ghcr.io/${{ github.repository }}:${{ github.sha }}
+ run: |
+ IMAGE="$(docker load -i result | awk '{print $3}')"
+ docker tag "$IMAGE" "$GH_IMAGE"
+ docker push "$GH_IMAGE"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7c5f3f9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/result
+/result-*
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5100500
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# secure front
+
+```console
+$ nix build .#docker
+$ docker load -i result
+Loaded image: localhost/secure-front:q4b69zbzv9x79kybqzhs53hfd7syxpsb
+```
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..953c4a6
--- /dev/null
+++ b/flake.lock
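Review bot: The three third-party actions in the `steps` list (`actions/checkout@v4`, `cachix/install-nix-action@v22`, `docker/login-action@v3`) are referenced by mutable tags, so whatever those tags resolve to at run time executes with `packages: write` and the repository's `GITHUB_TOKEN`; pin each to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: docker/login-action@<commit-sha-for-v3> # v3`. The `permissions` block also grants `id-token: write`, yet no step in this job requests an OIDC token (there is no keyless signing or cloud login here), so that line can be dropped to keep the job at least privilege until something actually needs it. The `run` block of Tag and Push extracts the loaded reference with `awk '{print $3}'`, which depends on the exact `Loaded image: <ref>` wording of `docker load`; that is acceptable today, but a comment such as `# docker load prints "Loaded image: <name>:<tag>"; field 3 is the reference` would make the dependency visible to the next maintainer.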
@@ -0,0 +1,58 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "type": "github"
+ },
+ "original": {
+ "id": "flake-utils",
+ "type": "indirect"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1698855203,
+ "narHash": "sha256-I9Vrh2ZXBZciGjgIXVhlHNc9XxRt0+bGlUGLGDXQ2r8=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "39d2f0847ebbb57beb8fe3b992b043ad39afa0af",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..fdd8a6d
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,68 @@
+{
+ outputs = { self, flake-utils, nixpkgs }:
+ flake-utils.lib.eachDefaultSystem (system:
+ let
+ lib = nixpkgs.lib;
+ pkgs = nixpkgs.legacyPackages.${system};
+ placeholder = self.packages.${system}.placeholder;
+ in
+ {
+ packages = {
+ placeholder = pkgs.stdenvNoCC.mkDerivation {
+ name = "placeholder";
+ src = pkgs.fetchFromGitHub {
+ owner = "bacchus-snu";
+ repo = "snucse-gpu-service-manual";
+ rev = "3dd6d4df9b6c8ffbcc6073826527f119c7fd937f";
+ hash = "sha256-e9GANnoJpUggZROINZ0kxtrjA4uubrhzEIWjNCONE5U=";
+ };
+
+ postPatch = ''
+ cat < src/robots.txt
+ User-Agent: *
+ Disallow: /
+ EOF
+ '';
+
+ nativeBuildInputs = with pkgs; [ mdbook mdbook-i18n-helpers ];
+
+ buildPhase = ''
+ mdbook build -d $out
+ '';
+ };
+ docker =
+ let
+ caddyfile = pkgs.writeText "Caddyfile" ''
+ :8080 {
+ root * ${placeholder}
+ file_server
+ handle_errors {
+ rewrite * /{err.status_code}.html
+ file_server
+ }
+
+ # such secure
+ header {
+ X-Frame-Options DENY
+ X-XSS-Protection 0
+ X-Content-Type-Options nosniff
+ }
+ }
+ '';
+ in
+ pkgs.dockerTools.buildLayeredImage {
+ name = "secure-front";
+ config = {
+ User = "1000";
+ Cmd = [
+ (lib.getExe pkgs.caddy)
+ "run"
+ "--adapter=caddyfile"
+ "--config=${caddyfile}"
+ ];
+ };
+ };
+ };
+ }
+ );
+}
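Review bot: The `header` block in the Caddyfile under `docker` sets only `X-Frame-Options`, `X-XSS-Protection` and `X-Content-Type-Options`; for a static `file_server` site the headers that most affect exposure are a `Content-Security-Policy` (mdbook's generated pages appear to rely on inline scripts and styles, so the policy should be validated against the built output, e.g. rolled out as `Content-Security-Policy-Report-Only` first) and a `Referrer-Policy` such as `Referrer-Policy strict-origin-when-cross-origin`, and the same block can drop the product banner with `-Server`. Separately, the `postPatch` script as rendered here reads `cat < src/robots.txt`, which would read an existing file instead of writing the `User-Agent`/`Disallow` lines that follow and would leave `EOF` as a stray command; if the committed text is actually `cat <<EOF > src/robots.txt` this is only an extraction artifact, otherwise the `placeholder` derivation would most likely fail in `postPatch`. The `Disallow: /` robots file and `User = "1000"` in the image config are sensible defaults for a placeholder front and need no change.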