
moon

@moon

Joined June 1st, 2026

  • 9 Devlogs
  • 2 Projects
  • 0 Ships
  • 0 Votes

4h 51m 58s logged

ah, beautiful api docs. I reworked the api docs (because they were a messy mess because of my past laziness [not understandable!!]) and now they are organized in pretty folders (tags) with correct descriptions and titles. now it's even helpful to read the api docs to understand how to use an api handler, not having to dig into the code [no one does that :(]

right, I DID THE EMAIL CHANGE THING and LOGIN tooo wohooo…. yeah it isn’t that amazing lol. at the start i was just thinking about using the typical chacha encryption that i've used for the TOTP stuff but for a random token nanoid’d… you just don’t, HMAC is fine. Ended up with a dual-like verification flow where both the old email AND the new email get a token link (well, now it's just the token string because, ahem, i don't have a frontend). both have to be verified before the change goes through. sooo, no more “oh noes, not again, someone got into my account and changed the mail to their own, smh”. then you just get the notif saying “hey, your email has been changed”.

SEEECOND, login (your username) changing magic that is way simpler because I just check if you have sudo enabled and that you haven't changed it in the last 24 days (why not). Just like with the email stuff, you get a notification saying “yay, you changed it!”.

and I think that’s the last of the tiny stuff i wanted to do before the BIG and PAINFUL oauth stuff. i think i am going to burst into flames and go boom and the floor is covered with dust and feathers.

OH wait, i still need to do account deletion… whatever, it's just a simple “hya you need sudo”, “are you sure about this”, “ok, bye” flow. meh. i also need profile pictures… heh backblaze or maybe cloudflare idk i like backblaze more but uhh I GOTTA RESEARCH OKAY!?!

shall you see the probably useless screenshots that at least show the tiny progress that i always do. great

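The dual-confirmation email change described in the devlog above, as an added example that is not the author's Rust/axum code: one random token goes to the current address and another to the new one, the server stores only HMAC-SHA256 tags of the tokens under a server key (so a leaked table row is not a usable token), each token is single-use and compared in constant time, the change is applied only when both sides have confirmed before expiry, and both addresses get the "your email has been changed" notification. The class and field names, the 15-minute TTL, and the in-memory store and outbox are assumptions made for this example.

```python
"""Dual-confirmation email change with HMAC-tagged tokens (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a pending change


@dataclass
class PendingChange:
    old_email: str
    new_email: str
    old_tag: bytes  # HMAC-SHA256(server_key, token mailed to old_email)
    new_tag: bytes  # HMAC-SHA256(server_key, token mailed to new_email)
    created_at: float
    old_confirmed: bool = False
    new_confirmed: bool = False


class EmailChangeService:
    def __init__(self, server_key: bytes, now=time.time):
        if len(server_key) < 32:
            raise ValueError("server key must be at least 32 bytes")
        self._key = server_key
        self._now = now
        self.emails: dict[str, str] = {}          # user_id -> current email (stand-in DB)
        self.pending: dict[str, PendingChange] = {}
        self.outbox: list[tuple[str, str]] = []   # (recipient, message) stand-in mailer

    def _tag(self, token: str) -> bytes:
        return hmac.new(self._key, token.encode(), hashlib.sha256).digest()

    def request_change(self, user_id: str, new_email: str) -> tuple[str, str]:
        """Start a change: mail one token to each address, store only the tags."""
        old_email = self.emails[user_id]
        if new_email == old_email:
            raise ValueError("new address equals current address")
        old_token, new_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending[user_id] = PendingChange(
            old_email, new_email, self._tag(old_token), self._tag(new_token), self._now()
        )
        self.outbox.append((old_email, f"Confirm releasing this address: {old_token}"))
        self.outbox.append((new_email, f"Confirm this as your new address: {new_token}"))
        # Returned only so a caller (or a test) can drive the flow; a real
        # server never hands the tokens back to the requester.
        return old_token, new_token

    def confirm(self, user_id: str, token: str) -> str:
        """Consume one token. Returns 'pending' or 'changed'; raises otherwise."""
        p = self.pending.get(user_id)
        if p is None:
            raise LookupError("no pending email change")
        if self._now() - p.created_at > TOKEN_TTL_SECONDS:
            del self.pending[user_id]
            raise TimeoutError("email change request expired")
        tag = self._tag(token)
        # Constant-time compare against each stored tag; a token is single-use.
        if hmac.compare_digest(tag, p.old_tag) and not p.old_confirmed:
            p.old_confirmed = True
        elif hmac.compare_digest(tag, p.new_tag) and not p.new_confirmed:
            p.new_confirmed = True
        else:
            raise PermissionError("invalid or already-used token")
        if not (p.old_confirmed and p.new_confirmed):
            return "pending"
        # Both sides agreed: apply the change and notify both addresses.
        self.emails[user_id] = p.new_email
        del self.pending[user_id]
        note = f"Your email was changed from {p.old_email} to {p.new_email}"
        self.outbox.append((p.old_email, note))
        self.outbox.append((p.new_email, note))
        return "changed"


def demo() -> str:
    """Run the happy path on constructed data and return the resulting email."""
    svc = EmailChangeService(secrets.token_bytes(32))
    svc.emails["u1"] = "old@example.com"
    old_token, new_token = svc.request_change("u1", "new@example.com")
    svc.confirm("u1", new_token)   # the new mailbox alone is not enough
    svc.confirm("u1", old_token)   # the owner of the current mailbox must agree too
    return svc.emails["u1"]


if __name__ == "__main__":
    print(demo())
```

The point worth checking in any implementation of this flow is the `elif` branch: a token that matches but has already been consumed is rejected, and someone holding only the new-address token can never complete the change by presenting it twice.
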
1h 25m 45s logged

I added what I always forget to do because I am lazy!!! A readme. That’s it. There’s not much to it, like I explain about the secret stuff and services AND how to deploy it. short short commit that makes other people than me happy

1h 39m 19s logged

okay so today was mostly “polish and quality of life” stuff… if you can call it that.
i added a proper nix dev shell so when i’m working on the config I just do nix develop and boom I have deploy-rs, agenix and nixos-anywhere all ready to go without installing anything globally. pretty neat (thanks YouTube).
also added nixfmt-tree as the formatter so the nix files are all consistently formatted now, no more weird stuff i guess… i mean they ARE already correctly formatted (somehow) so this was useless.
fixed a stupid issue with mr home manager where it really wasn't homemanaging mr fish aliases because stupid me didn't know you had to set the fish shell to “enabled” to be able to use the aliases that i set on the home manager thingy when i already have IT enabled on the whole system (right?).
anddd added a motd when going into the vps with the name that i’ve given to the vps, it just shows disk usage, ram and swap usage, and uptime. now when i am bored i can ssh to my vps and see pretty stats and be again bored for the rest of the day and keep repeating the cycle until i am dust.
honestly the vps config feels pretty much done at this point. i think the service factory is working (gotta test it with my auth thingy), caddy with cloudflare is set up (don’t know if it really works yet), agenix for secrets, tailscale, postgres with per service users, deploy-rs for deploying… i just gotta deploy something to it so i can have something to actually show, like “oh yeah look at my auth server, it's running on my vps!11!1 woo… (silence)”. oh right, i also did “nix flake update”. what a useless devlog

3h 16m 40s logged

okay, we got now what I call “the service factory” (wooo). Instead of C&P the same systemd boilerplate and caddy config, postgres user and database setup and agenix env loading every single time i want to slap a new service on the server. Sooo, I just call makeService (that’s the name I gave it) with a name, a flake, and then whatever config like domain or postgres config and boom works.

everything is nested underneath the “moonix” umbrella, which is neat. I set up options for the typical stuff like enabling or disabling the service and the other things i commented up there. I mean, it is a bit janky with me doing some stupid things but it works! And i even “hardened” the systemd service of the service, which i didn’t know even existed but okay lol.

AH, and i also fixed the stupid interactiveSudo annoying “hey it aint secure using a password, you should use a ssh key correctly setup, dummy.” by just setting the sudo security to none :D. I am using ssh keys anyway to connect to the vps, might have thrown to the trash the security but i dunno :3.

AND one of the cool things about this factory thingy is that now each service gets its own postgres user and database automagically. Like, it creates its role and databases with the service being the owner without me doing anything… so no manual labor muahahahaahhahahahah.

I mean, this is pretty short and quick but GOD i take too much time trying to make stuff and then having to search and stuff because it aint working as I wanted lol, but still, I do be eating too much time for simple things like god. Even the commit changes are really tiny like gosh. the only great thing is that I will no longer touch this hecking thing, I will JUST USE IT and boom deployment made.

oh god, nono, I just thought about automated deploys via github’s ci. i actually don’t even hecking know how would that even work agh, hecking hell.

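What a service-factory function of the kind described above can emit for one service, as an added NixOS configuration example (not the author's moonix module): a dedicated unix user and group, an agenix-decrypted env file readable only by that user, a PostgreSQL role and database owned by the service, a Caddy vhost, and a systemd unit with the sandboxing options that NixOS passes straight through to systemd. The function name `mkService` and its arguments, `pkgs.hello` standing in for the compiled Rust binary, `auth.example.com` and `./secrets/auth-env.age` are all placeholders.

```nix
# Added example of a makeService-style NixOS module; not the author's code.
{ config, lib, pkgs, ... }:
let
  mkService = { name, package, port, domain, secretFile }: {
    users.users.${name} = { isSystemUser = true; group = name; };
    users.groups.${name} = { };

    # agenix decrypts the env file at activation, readable only by the service user.
    age.secrets."${name}-env" = { file = secretFile; owner = name; mode = "0400"; };

    # Per-service role + database. The role name equals the unix user, so the
    # service connects over the local socket by peer auth: no password to leak.
    services.postgresql = {
      ensureDatabases = [ name ];
      ensureUsers = [ { inherit name; ensureDBOwnership = true; } ];
    };

    services.caddy.virtualHosts.${domain}.extraConfig = ''
      reverse_proxy 127.0.0.1:${toString port}
    '';

    systemd.services.${name} = {
      description = "${name} (moonix service)";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" "postgresql.service" ];
      requires = [ "postgresql.service" ];
      serviceConfig = {
        ExecStart = lib.getExe package;
        User = name;
        Group = name;
        EnvironmentFile = config.age.secrets."${name}-env".path;
        Environment = [
          "PORT=${toString port}"
          "DATABASE_URL=postgres:///${name}?host=/run/postgresql"
        ];
        StateDirectory = name;   # /var/lib/<name>: the only writable path
        Restart = "on-failure";

        # Sandbox: read-only OS, no privilege escalation, no raw devices,
        # no kernel tunables, native syscalls only, empty capability set.
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
        CapabilityBoundingSet = "";
        UMask = "0077";
      };
    };
  };
in
{
  config = lib.mkMerge [
    {
      services.postgresql.enable = true;
      services.caddy.enable = true;
    }
    (mkService {
      name = "auth";
      package = pkgs.hello;            # stand-in for the compiled Rust binary
      port = 8080;
      domain = "auth.example.com";
      secretFile = ./secrets/auth-env.age;
    })
  ];
}
```

After a deploy, `systemd-analyze security auth` on the host reports how exposed the unit still is; if the binary needs to write somewhere other than `/var/lib/auth`, add that path to `ReadWritePaths` rather than weakening `ProtectSystem`. The `DATABASE_URL` carries no password on purpose: NixOS's default `services.postgresql.authentication` allows `local all all peer`, so a socket connection from unix user `auth` is accepted as role `auth`, which is exactly the pairing `ensureUsers` creates.
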
2h 22m 2s logged

pew pew. I added tailscale, happily learned that home manager and agenix exist and we got caddy with cloudflare dns working!!

why tailscale?… well, with it i don’t need to expose my machine to the outside world, i can just connect to it via tailscale and do the same stuff i would if i was connecting to it via its public ip. Now i can just firewall it and only let in cloudflare ips :D.

home manager to just give me the birb kisses (mwa :3), giving me the same stuff I already have on mah terminal in my arch laptop but on my vps AND it do be using some pretty syntax making me not juggle around config files for each hecking thing I want to add. and also it lets me install stuff for “my user” instead of the whole system, pretty neat.

AGENIX, ah, storing secrets hasn't been easier. I just have to do “agenix -e name.age” set the secrets in there and boom, i can use it in my config file without worrying about it being exposed because i somehow committed the .env file. It just decrypts it on the vps, i just followed the tutorial on the agenix repo and it really was straight forward. sadly i have to manually set the “where is this secret stored” to be able to really use it (i just use another .nix file to not make my main config file too cluttered with stuffies).

and finally, caddy with cloudflare dns. at first i was thinking about using cloudflared (cloudflare tunnels) but i indeed ended up not using it because I AM ALREADY PAYING FOR A ipv4 ADDRESS FOR GODS sake, soooo I just set up caddy with cloudflare dns, had some problemos because it didn’t like having “https://” on the url and that i needed a dummy hash so when building the flake (is that how its called?) it would give me the real hash. The idea is that i make something that lets me make new services, like a pretty template, setting up the caddy config, a systemd service and a user with a group for it.

oh and also, i enabled postgresql. there’s not much about it, i just set it as an enabled service lol.

1h 23m 34s logged

wow. that’s nix, first time touching it and god its soo cool but i don’t understand anything. i am serious, i have to watch some tutorials to understand how it works, but its cool nonetheless.

The use ill be giving it is to host my apps in my vps because i think its quite a bit wasteful to make a docker container running my already compiled rust binary, plus ill be trying to run stuff baremetal instead of running containers for small things …… its a tiny vps, not a big one because i am not made out of gold or precious items that a space birb can have (i have none ;3). I mean, i am following the nixos on hetzner guide and from the start it didn’t work because the vps didn't like to use kexec so I tried searching around, and found out about hetzner’s rescue system because i saw it on the dashboard, used it and boom it worked.

AND for the next minutes you have me hecking around with the stuff to try to learn by uhh touching stuff and then i broke it and it didn't install anymore. At that point i found out about the “nix-starter-configs” and boom it works again without doing much. i guess this will not take too much time to setup BUT it is useful on the long run :D

3h 12m 43s logged

beep bwap. firstly, what a waste of argon2. I was using it for encrypting the otp codes and.. dude, that’s like its just 6 characters. I just swapped to the typical hmac256.

I also made a common cookies helper method to not have 2 (or more) instances of the same cookie making method. uhh, also I added the forgotten passkey management handlers… and that’s it.

OH WAIT, i also added validation! I mean, its pretty rough and very bad but it works for what I want! I, in theory, was going to use Garde for the validation with axum-valid to provide me with the base stuff. IT DID NOT WORK, like I had (and still have) to make a wrapper around their stuff so I can send out my own error messages and not some plaintext like before i handled them. right, it did not work because of something called the “Context”… I tried everything to make it work, but I just could not, not even doing workarounds and C&P examples directly and stuffies, it just would not work like it wanted the global context to have a trait implemented, which I did, but it still would not work. I guess its because to use my global context inside axum, i wrap it around an Arc and maybe it didnt like that? or whatever meh wa. I just swapped to using Validate, and ta-da works as it should. HERE’s your badly made screenshot showing the crappy validation messages (they just say: “this field is bad :(”)

50m 8s logged

added a better way to handle required authentication!… middleware. yup, i am very creative. it’s practically a qol improvement in the development side, making code look a bit nicer without seeing in every single protected route the same 3 lines to check if the user is authenticated. now i can “enforce” it when I want the user to be reallly unauthenticated to use a route. to use it, you just “add the middleware and maybe move one flag” and that’s it… goddamit I should have had that before to not write a heck ton of “if not authenticated or if authenticated…”.

i am trying to delay the inevitable.. the need of making the oauth side and the frontend ;D

3h 37m 55s logged

I started using a master key for everything and fixed the server returning a plain text message when parsing goes wrong.

FIRST, I have seen the future and the future says that I WILL be suffering if I have more than 2 secret keys to manage when I can just derive them from a single master key. AND EVEN rails does that! its just blake3’s key derivation with a xor to fill the remaining bytes that some libraries require. it works pretty great. neat.

SECOND, this was a problemo that one of the flavourtown (yes flavour not flavor) reviewers made me notice. When you send a malformed json body, like a new line on a field that really doesn’t expect a new line, the server would plainly return an error message in plain text, which is really bad for the client to handle and even for looks. Sooo, I tried fixing it trying to strap an error handler to axum… yes I dont even know if that even exists bruh. In the end i just created a newtype that wraps the original Json extractor from axum to catch its errors and THEN and only then wrap those with my own error messages. And bob’s your dad, the server now returns a json error message like every other route error. shall you see the useless screen recording (its cropped by stardance’s ui, great)

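The single-master-key idea from the post above, as an added example that is not the author's Rust code: every purpose gets its own sub-key, derived from one master key under a distinct context string, so one secret is configured and none of the sub-keys can be recovered from another. The post uses BLAKE3's derive_key; this example uses keyed BLAKE2b from Python's standard library instead (same construction: a keyed hash, domain-separated by the context), and grows outputs longer than one digest with a counter rather than the post's XOR fill. The context strings, the `MASTER_KEY` environment variable name and the 32..64-byte master-key size rule are assumptions for this example.

```python
"""Per-purpose sub-keys derived from one master key (added example)."""
from __future__ import annotations

import hashlib
import os
from typing import Mapping

BLOCK = 64  # blake2b's maximum digest size


def derive_key(master: bytes, context: str, length: int = 32) -> bytes:
    """Concatenate blake2b(key=master, msg=context||counter) blocks, truncated.

    Properties a caller can rely on: different contexts give independent keys;
    the same (master, context) always gives the same key; and a longer request
    is a prefix-extension of a shorter one, so a library that wants 64 bytes
    and one that wants 32 can share a context without the keys diverging.
    """
    if not 32 <= len(master) <= BLOCK:
        raise ValueError("master key must be 32..64 bytes")
    if not 1 <= length <= 255 * BLOCK:
        raise ValueError("unsupported output length")
    if not context:
        raise ValueError("context must be non-empty")
    out = bytearray()
    counter = 0
    while len(out) < length:
        # Fixed-width counter appended to the context keeps inputs unambiguous.
        msg = context.encode("utf-8") + counter.to_bytes(4, "big")
        out += hashlib.blake2b(msg, key=master, digest_size=BLOCK).digest()
        counter += 1
    return bytes(out[:length])


# Assumed per-purpose contexts. Rotating a purpose means adding a new context
# (e.g. "... v2 ..."), never reusing another purpose's key.
CONTEXTS = {
    "session": "example-auth v1 session cookie signing",
    "totp": "example-auth v1 totp secret hmac",
    "email_change": "example-auth v1 email change token tag",
}


def subkeys(master: bytes, length: int = 32) -> dict[str, bytes]:
    """All configured sub-keys for one master key."""
    return {name: derive_key(master, ctx, length) for name, ctx in CONTEXTS.items()}


def load_master_key(env: Mapping[str, str] = os.environ) -> bytes:
    """Read a hex-encoded master key from the environment (assumed MASTER_KEY)."""
    raw = env.get("MASTER_KEY")
    if raw is None:
        raise RuntimeError("MASTER_KEY is not set")
    key = bytes.fromhex(raw)
    if not 32 <= len(key) <= BLOCK:
        raise ValueError("MASTER_KEY must decode to 32..64 bytes")
    return key


if __name__ == "__main__":
    # Constructed master key for the demo; in production it comes from the
    # decrypted env file, never from source.
    demo_master = bytes(range(32))
    for name, key in subkeys(demo_master).items():
        print(f"{name:13} {key.hex()}")
```

The length check on the master key is the part worth keeping even if the rest changes: a derivation function happily accepts a 4-byte "master" and produces 32-byte outputs that look fine but are brute-forceable, and nothing downstream will notice.
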