From b2d99412e32990a4172b55a5b69a0496d0c1a590 Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Sat, 1 Jun 2024 19:14:31 +0200
Subject: no more CI

---
 .build.yml                   | 49 ------------------------------------
 .gitignore                   |  2 ++
 flake.nix                    |  3 ++-
 internal/builder/builder.go  |  2 +-
 netlify.toml                 | 29 ++++++++++++++++++++++
 nix/default.nix              |  2 +-
 static/.well-known/webfinger |  1 +
 vercel.json                  | 59 ++++++++++++++++++++++++++++++++++++++++++++
 8 files changed, 95 insertions(+), 52 deletions(-)
 delete mode 100644 .build.yml
 create mode 100644 netlify.toml
 create mode 100644 static/.well-known/webfinger
 create mode 100644 vercel.json

diff --git a/.build.yml b/.build.yml
deleted file mode 100644
index 8554649..0000000
--- a/.build.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-image: nixos/unstable
-sources:
-  - https://git.sr.ht/~alanpearce/website
-secrets:
-  - ce767f7f-3ac0-43fb-b225-fccbc9cdfaba
-  - 5a04c7f9-bba4-40ab-b54c-a2daae2989e8
-  - d0a0edd6-1d39-4959-b346-71f64af36a73
-environment:
-  NIX_CONFIG: |
-    experimental-features = nix-command flakes
-    max-jobs = 4
-    extra-substituters = https://binarycache.alanpearce.eu
-    extra-trusted-public-keys = binarycache.alanpearce.eu:ZwqO3XMuajPictjwih8OY2+RXnOKpjZEZFHJjGSxAI4=
-  FLY_APP: alanpearce-eu
-packages:
-  - nixos.just
-  - nixos.skopeo
-  - nixos.flyctl
-  - nixos.sentry-cli
-  - nixos.flake-checker
-  - nixos.hut
-tasks:
-  - check: |
-      cd website
-      flake-checker
-
-  - build: |
-      echo "VerifyHostKeyDNS yes" >> ~/.ssh/config
-      cd website
-      nix build .#website
-      nix build .#checks.x86_64-linux.hyperlink
-      just docker-image-fly
-      nix copy --substitute-on-destination \
-        --to ssh://nixremote@linde.alanpearce.eu \
-        .
-
-  - deploy: |
-      if [[ "$GIT_REF" != "refs/heads/main" ]]
-      then
-        exit
-      fi
-      cd website
-      sudo mkdir /etc/containers
-      echo '{"default":[{"type":"insecureAcceptAnything"}]}' | sudo tee /etc/containers/policy.json > /dev/null
-      fly auth docker
-      just docker-image-fly \
-        print-docker-tag \
-        push-to-registry \
-        deploy
diff --git a/.gitignore b/.gitignore
index 6c9ee49..88424a9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,5 @@ go.work
 /website/
 /.pre-commit-config.yaml
 /result
+.vercel
+/.netlify/
diff --git a/flake.nix b/flake.nix
index 1f605d5..949ccf4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -45,6 +45,7 @@
                 go-tools
                 gomod2nix.packages.${system}.default
                 gci
+                nodePackages.vercel
                 netlify-cli
                 sentry-cli
               ] ++ commonShellPackages;
@@ -53,7 +54,7 @@
           checks = rec {
             default = hyperlink;
             hyperlink = pkgs.runCommandLocal "hyperlink" { } ''
-              ${pkgs.hyperlink}/bin/hyperlink ${packages.website}/website/public
+              ${pkgs.hyperlink}/bin/hyperlink ${packages.website}/public
               touch $out
             '';
             pre-commit-check = pre-commit-hooks.lib.${system}.run {
diff --git a/internal/builder/builder.go b/internal/builder/builder.go
index 55e68d2..7c69af0 100644
--- a/internal/builder/builder.go
+++ b/internal/builder/builder.go
@@ -172,7 +172,7 @@ func build(outDir string, config config.Config) error {
 	if err != nil {
 		return errors.WithMessage(err, "could not render 404 page")
 	}
-	if err := outputToFile(notFound, privateDir, "404.html"); err != nil {
+	if err := outputToFile(notFound, publicDir, "404.html"); err != nil {
 		return err
 	}
 
diff --git a/netlify.toml b/netlify.toml
new file mode 100644
index 0000000..d733f41
--- /dev/null
+++ b/netlify.toml
@@ -0,0 +1,29 @@
+[build]
+  publish = "website/public"
+
+[[headers]]
+  for = "/*"
+  [headers.values]
+    x-content-type-options = "nosniff"
+    x-xss-protection = "1; mode=block"
+    referrer-policy = "strict-origin-when-cross-origin"
+    strict-transport-security = "max-age=63072000; includeSubDomains; preload"
+    cache-control = '''
+      max-age=300,
+      s-maxage=86400,
+      state-while-revalidate
+    '''
+    content-security-policy = '''
+      default-src 'none';
+      img-src 'self' https://gc.zgo.at;
+      object-src 'none';
+      script-src 'self' https://gc.zgo.at;
+      style-src
+      'sha256-a4TPKWHB0aSu7cV10GthTEySTJ0w4r0bw6Q8JsNYMbk='
+      'sha256-gyxzfgCOxeAAL8URUdaW2nHYDOr9bzbwFjgSqi7D+8U=';
+      form-action 'none';
+      base-uri 'self';
+      connect-src https://alanpearce-eu.goatcounter.com/count;
+      frame-ancestors 'https://kagi.com';
+      require-trusted-types-for "'script'"
+'''
diff --git a/nix/default.nix b/nix/default.nix
index 62caed6..095b3f7 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -58,7 +58,7 @@ with pkgs; rec {
         ];
       };
     } ''
-    ${builder}/bin/build -s $src -d $out/website
+    ${builder}/bin/build -s $src -d $out
   '';
   server = buildGoApplication {
     pname = "server";
diff --git a/static/.well-known/webfinger b/static/.well-known/webfinger
new file mode 100644
index 0000000..b2e3d7d
--- /dev/null
+++ b/static/.well-known/webfinger
@@ -0,0 +1 @@
+{"subject":"acct:alan@alanpearce.eu","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://id.alanpearce.eu/"}]}
\ No newline at end of file
diff --git a/vercel.json b/vercel.json
new file mode 100644
index 0000000..aebaf54
--- /dev/null
+++ b/vercel.json
@@ -0,0 +1,59 @@
+{
+  "$schema": "https://openapi.vercel.sh/vercel.json",
+  "buildCommand": null,
+  "framework": null,
+  "outputDirectory": "website/public",
+  "cleanUrls": false,
+  "trailingSlash": false,
+  "redirects": [
+    {
+      "source": "/.well-known/openid-configuration",
+      "destination": "https://id.alanpearce.eu/.well-known/openid-configuration",
+      "permanent": false
+    }
+  ],
+  "headers": [
+    {
+      "source": "/.well-known/webfinger",
+      "headers": [
+        {
+          "key": "Content-Type",
+          "value": "application/jrd+json"
+        }
+      ]
+    },
+    {
+      "source": "/(.*)",
+      "headers": [
+        {
+          "key": "X-Frame-Options",
+          "value": "DENY"
+        },
+        {
+          "key": "X-Content-Type-Options",
+          "value": "nosniff"
+        },
+        {
+          "key": "X-XSS-Protection",
+          "value": "1; mode=block"
+        },
+        {
+          "key": "Referrer-Policy",
+          "value": "strict-origin-when-cross-origin"
+        },
+        {
+          "key": "Strict-Transport-Security",
+          "value": "max-age=63072000; includeSubDomains; preload"
+        },
+        {
+          "key": "Content-Security-Policy",
+          "value": "default-src 'none'; img-src 'self' https://gc.zgo.at; object-src 'none'; script-src https://gc.zgo.at; style-src 'sha256-a4TPKWHB0aSu7cV10GthTEySTJ0w4r0bw6Q8JsNYMbk=' 'sha256-gyxzfgCOxeAAL8URUdaW2nHYDOr9bzbwFjgSqi7D+8U='; form-action 'none'; base-uri 'self'; frame-ancestors https://kagi.com; connect-src https://alanpearce-eu.goatcounter.com/count"
+        },
+        {
+          "key": "Cache-Control",
+          "value": "max-age=14400, s-maxage=86400, state-while-revalidate"
+        }
+      ]
+    }
+  ]
+}
-- 
cgit 1.4.1