Add Nix package and NixOS moodule

Add a Scribe Nix package and NixOS module to the flake that a user can
build and install.

Includes the following supporting changes:
- Adding a name and version to package.json to make Nix's mkYarnPackage
  happy
- Update laravel-mix to fix ERR_OSSL_EVP_UNSUPPORTED on newer nodejs
  versions

default.nix

@@ -0,0 +1,58 @@
+{ crystal
+, mkYarnPackage
+, fetchYarnDeps
+}:
+
+let
+  version = "1.0.0";
+
+  ui = mkYarnPackage {
+    pname = "scribe-ui";
+    inherit version;
+    src = ./.;
+    packageJSON = ./package.json;
+
+    offlineCache = fetchYarnDeps {
+      yarnLock = ./yarn.lock;
+      sha256 = "sha256-PuxfuqgqJHh6NnyrQiFCxixGry9yGBSeSIPpa4jamKw=";
+    };
+
+    configurePhase = ''
+      runHook preConfigure
+      cp -r $node_modules node_modules
+      chmod +w node_modules
+      runHook postConfigure
+    '';
+
+    buildPhase = ''
+      runHook preBuild
+      export HOME=$(mktemp -d)
+      OUTPUT_DIR=$out yarn --offline prod
+      runHook postBuild
+    '';
+
+    installPhase = ''
+      mkdir -p "$out"
+      mv public "$out/public"
+    '';
+    distPhase = "true";
+  };
+in
+crystal.buildCrystalPackage rec {
+  pname = "scribe";
+  inherit version;
+
+  src = ./.;
+  shardsFile = ./shards.nix;
+
+  preBuild = ''
+    cp -a ${ui}/public/mix-manifest.json public/mix-manifest.json
+  '';
+
+  doCheck = false;
+  doInstallCheck = false;
+  format = "shards";
+  postInstall = ''
+    cp -r ${ui}/public "$out/public"
+  '';
+}

flake.lock

@@ -17,15 +17,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1634282420,
-        "narHash": "sha256-YOI78SSF4Q/ZFoEgfO8Xy3EnjCW/F9VgB2Qz9YljzhI=",
+        "lastModified": 1701253981,
+        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0a68ef410b40f49de76aecb5c8b5cc5111bac91d",
+        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
         "type": "github"
       },
       "original": {
         "id": "nixpkgs",
+        "ref": "nixos-unstable",
         "type": "indirect"
       }
     },

flake.nix

@@ -1,8 +1,21 @@
 {
-  inputs = { flake-utils.url = "github:numtide/flake-utils"; };
+  description = "Scribe";
+
+  inputs = {
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
 
   outputs = { self, nixpkgs, flake-utils }:
-    flake-utils.lib.eachDefaultSystem (system:
-      let pkgs = nixpkgs.legacyPackages.${system};
-      in { devShell = import ./shell.nix { inherit pkgs; }; });
+    flake-utils.lib.eachDefaultSystem
+      (system:
+        let pkgs = nixpkgs.legacyPackages.${system};
+        in
+        {
+          devShell = import ./shell.nix { inherit pkgs; };
+          packages.default = pkgs.callPackage ./default.nix { };
+        })
+    // {
+      nixosModules.default = import ./module.nix self;
+    };
 }

module.nix

@@ -0,0 +1,111 @@
+self: { config, lib, pkgs, ... }:
+let
+  cfg = config.services.scribe;
+in
+{
+  options.services.scribe = {
+    enable = lib.mkEnableOption (lib.mdDoc "Enable or disable the Scribe service");
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = self.packages."${pkgs.system}".default;
+      description = lib.mdDoc "Overridable attribute of the scribe package to use.";
+    };
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "scribe";
+      description = lib.mdDoc "User to run the Scribe service as.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "scribe";
+      description = lib.mdDoc "Group to run the Scribe service as.";
+    };
+
+    appDomain = lib.mkOption {
+      type = lib.types.str;
+      description = lib.mdDoc ''
+        The domain that Scribe is being run on. This will appear on the Scribe homepage.
+      '';
+    };
+
+    port = lib.mkOption {
+      type = lib.types.port;
+      description = lib.mdDoc "Port for the Scribe service to use.";
+    };
+
+    environmentFile = lib.mkOption {
+      type = lib.types.str;
+      description = lib.mdDoc ''
+        The path to a file containing environment varible to be set in Scribes environment.
+        This should be user to set SECRET_KEY_BASE, GITHUB_USERNAME, and GITHUB_PERSONAL_ACCESS_TOKEN. 
+        Descriptions of these settings can be found
+        [in the official docs](https://sr.ht/~edwardloveall/Scribe/#configuration).
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.scribe = {
+      description = "Scribe";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      environment = {
+        LUCKY_ENV = "production";
+        APP_DOMAIN = cfg.appDomain;
+        PORT = (toString cfg.port);
+      };
+      serviceConfig = {
+        ExecStart = "${cfg.package}/bin/scribe";
+        EnvironmentFile = cfg.environmentFile;
+        Restart = "on-failure";
+        User = cfg.user;
+        Group = cfg.group;
+        UMask = "0007";
+        ProtectSystem = "strict";
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        SystemCallArchitectures = "native";
+        ProtectHome = true;
+        ProtectProc = "noaccess";
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        CapabilityBoundingSet = [
+          "~CAP_SYS_PTRACE"
+          "~CAP_SYS_ADMIN"
+          "~CAP_SETGID"
+          "~CAP_SETUID"
+          "~CAP_SETPCAP"
+          "~CAP_SYS_TIME"
+          "~CAP_KILL"
+          "~CAP_SYS_PACCT"
+          "~CAP_SYS_TTY_CONFIG "
+          "~CAP_SYS_CHROOT"
+          "~CAP_SYS_BOOT"
+          "~CAP_NET_ADMIN"
+        ];
+      };
+    };
+    users.users = lib.optionalAttrs (cfg.user == "scribe") {
+      "scribe" = {
+        group = "scribe";
+        isSystemUser = true;
+      };
+    };
+    users.groups = lib.optionalAttrs (cfg.group == "scribe") {
+      "scribe" = { };
+    };
+  };
+}

package.json

@@ -1,10 +1,11 @@
 {
+  "name": "scribe-ui",
   "license": "UNLICENSED",
   "private": true,
   "dependencies": {
     "@rails/ujs": "^6.0.0",
     "compression-webpack-plugin": "^8.0.1",
-    "laravel-mix": "^6.0.28",
+    "laravel-mix": "^6.0.49",
     "modern-normalize": "^1.1.0",
     "postcss": "^8.3.6",
     "tufte-css": "^1.8.0",
@@ -22,5 +23,6 @@
     "resolve-url-loader": "^3.1.1",
     "sass": "^1.26.10",
     "sass-loader": "^10.0.2"
-  }
+  },
+  "version": "0.0.0"
 }

shards.nix

@@ -0,0 +1,176 @@
+{
+  authentic = {
+    owner = "luckyframework";
+    repo = "authentic";
+    rev = "v1.0.0";
+    sha256 = "0mc7xqh0zm4jg8vc1awlzr249fviiy1y40w4fvyvq959hlpd6zx4";
+  };
+  avram = {
+    owner = "luckyframework";
+    repo = "avram";
+    rev = "v1.0.0";
+    sha256 = "18w90m5iq0jy026zma05swh2am936j132fs3j730lq7x5yr8289c";
+  };
+  backtracer = {
+    owner = "sija";
+    repo = "backtracer.cr";
+    rev = "v1.2.2";
+    sha256 = "1rknyylsi14m7i77x7c3138wdw27i4f6sd78m3srw851p47bwr20";
+  };
+  cadmium_transliterator = {
+    owner = "cadmiumcr";
+    repo = "transliterator";
+    rev = "46c4c14594057dbcfaf27e7e7c8c164d3f0ce3f1";
+    sha256 = "15x9xbgybqrmqb7s5cpx3fgwysp5ld97vlvz8b196lqmyqnnp3d3";
+  };
+  cry = {
+    owner = "luckyframework";
+    repo = "cry";
+    rev = "v0.4.3";
+    sha256 = "0bcvpbi418855cq1jq911dv6r9wmg81rcvcirqrbw8fv2a093ss5";
+  };
+  crystar = {
+    owner = "naqvis";
+    repo = "crystar";
+    rev = "56db8bb9dfbd5ed6d7908353405a5fae632a6561";
+    sha256 = "0bzq7im3z3asr22wzwyj1z0m3m5aq5hh1kscp5gd8vjw192w2z2a";
+  };
+  db = {
+    owner = "crystal-lang";
+    repo = "crystal-db";
+    rev = "v0.11.0";
+    sha256 = "1ylfhpn64p72ywi39niqb179f61z08q4qd4hhjza05z18mdaghl3";
+  };
+  dexter = {
+    owner = "luckyframework";
+    repo = "dexter";
+    rev = "v0.3.4";
+    sha256 = "08fv3ns0wxkyr2rcifj3ihyaf7g4lsmfamfhdxbkdkmxa9l1z6cj";
+  };
+  exception_page = {
+    owner = "crystal-loot";
+    repo = "exception_page";
+    rev = "v0.3.0";
+    sha256 = "1w82283mgaaw1hy5xk997a1av4sxaa01ydipbxm5nb9nq7fgfydk";
+  };
+  fnv = {
+    owner = "naqvis";
+    repo = "crystal-fnv";
+    rev = "v0.1.3";
+    sha256 = "1vhy3j0ifc0rlrx5b6wbpcvjzw15k303jrz3bzvnxqvi600fvv2b";
+  };
+  habitat = {
+    owner = "luckyframework";
+    repo = "habitat";
+    rev = "v0.4.7";
+    sha256 = "0d183pnswgjwqg388zmnx7s41ai88ca96nl5cybi0z6icr5npw64";
+  };
+  html5 = {
+    owner = "naqvis";
+    repo = "crystal-html5";
+    rev = "v0.4.0";
+    sha256 = "0mr4vd4bl3a22jl8h698zrh8rz6m5lm2lcyx11055gn6fw0yq57k";
+  };
+  lucky = {
+    owner = "luckyframework";
+    repo = "lucky";
+    rev = "v1.0.0";
+    sha256 = "13by6bbgpbbbdncgj87cqy5y6z7s9zb3nr88dh3fwl5mfgygk66z";
+  };
+  lucky_cache = {
+    owner = "luckyframework";
+    repo = "lucky_cache";
+    rev = "v0.1.1";
+    sha256 = "1ic9nfmiv89q5v82ybshd9xqnwv62bv8a5n8rhmsm9cwvdhgc92x";
+  };
+  lucky_env = {
+    owner = "luckyframework";
+    repo = "lucky_env";
+    rev = "v0.1.4";
+    sha256 = "0rcz0kh9rkypgm34r7maqqmgirxblhwzycwxpp0y9ai68lq71qxk";
+  };
+  lucky_flow = {
+    owner = "luckyframework";
+    repo = "lucky_flow";
+    rev = "v0.9.0";
+    sha256 = "1gyxba7lbjhzbd7a5hcswr3i04mz6rqypihhpgx213aa2685c0mw";
+  };
+  lucky_router = {
+    owner = "luckyframework";
+    repo = "lucky_router";
+    rev = "v0.5.2";
+    sha256 = "1gl93rijnbaqybpry19rn951kbx1q1bb5w0npdp4fm0r212b3yh8";
+  };
+  lucky_task = {
+    owner = "luckyframework";
+    repo = "lucky_task";
+    rev = "v0.1.1";
+    sha256 = "0w0rnf22pvj3lp5z8c4sshzwhqgwpbjpm7nry9mf0iz3fa0v48f7";
+  };
+  monads = {
+    owner = "alex-lairan";
+    repo = "monads";
+    rev = "v1.0.0";
+    sha256 = "0wwhsmnzsmw03dn2j4n75sprp4baxg24i1hn1xhfzz9b33rmlxxf";
+  };
+  pg = {
+    owner = "will";
+    repo = "crystal-pg";
+    rev = "v0.26.0";
+    sha256 = "04fwbgrlf2nzma0p2c8ki7p8sk113jhziq2al3ivif2lpmhr39fy";
+  };
+  pulsar = {
+    owner = "luckyframework";
+    repo = "pulsar";
+    rev = "v0.2.3";
+    sha256 = "03pp0r1klqk49fkzjwg9mnxqplv6pdfjn6a1p59f2w1ha5piyy90";
+  };
+  selenium = {
+    owner = "matthewmcgarvey";
+    repo = "selenium.cr";
+    rev = "v0.10.0";
+    sha256 = "062baqafz2rn9czaj8wl2b1l7ngxdph2j8xcr088f2kd8bb0hj7v";
+  };
+  shell-table = {
+    owner = "luckyframework";
+    repo = "shell-table.cr";
+    rev = "v0.9.3";
+    sha256 = "046vymm2r37c6j5bqyjzxdgg5h62slsannzvfhbckkv2r9chwd3w";
+  };
+  splay_tree_map = {
+    owner = "wyhaines";
+    repo = "splay_tree_map.cr";
+    rev = "v0.2.2";
+    sha256 = "0196zpg0v190dv23mwnbia35znxz2j2g8dqynd2b8827qiwmz1vn";
+  };
+  teeplate = {
+    owner = "luckyframework";
+    repo = "teeplate";
+    rev = "v0.8.5";
+    sha256 = "1kr05qrp674rph1324wry57gzvgvcvlz0w27brlvdgd3gi4s8sdj";
+  };
+  webdrivers = {
+    owner = "matthewmcgarvey";
+    repo = "webdrivers.cr";
+    rev = "v0.4.1";
+    sha256 = "05q6z1rv29hrwq77wpas2ki4alwhx4fpallb94q4m9g5h5vfn6ag";
+  };
+  webless = {
+    owner = "matthewmcgarvey";
+    repo = "webless";
+    rev = "v0.1.0";
+    sha256 = "0fg79wy3fq0af77jm121pqfm43dzb7l5rlx13vrl74pgqagms0ih";
+  };
+  wordsmith = {
+    owner = "luckyframework";
+    repo = "wordsmith";
+    rev = "v0.4.0";
+    sha256 = "13fsmwdh431smbmsv869pa8p34g1hqd84za33xsymsycq5459xq2";
+  };
+  xpath2 = {
+    owner = "naqvis";
+    repo = "crystal-xpath2";
+    rev = "v0.1.3";
+    sha256 = "17jl0br2fibc22sz9qdpsqd17rsmnar0jwh4iq25y8rg64pgb1h0";
+  };
+}

shell.nix

@@ -1,16 +1,16 @@
 { pkgs ? import <nixpkgs> { } }:
 
 pkgs.mkShell {
-  shellHook = ''
-    export PKG_CONFIG_PATH=${pkgs.openssl.dev}/lib/pkgconfig
-  '';
   buildInputs = with pkgs; [
     crystal
     lucky-cli
     overmind
     nodejs
-    openssl.dev
+    openssl
+    pkg-config
     shards
     yarn
+    crystal2nix
+    pcre
   ];
 }