Merge pull request #7 from numtide/feat/hsts

feat: add optional HTTP Strict Transport Security (HSTS) headers

.envrc

@@ -0,0 +1 @@
+use flake

.github/workflows/nix.yml

@@ -0,0 +1,46 @@
+name: Nix
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  workflow_dispatch:
+jobs:
+  build:
+    strategy:
+      matrix:
+        os: [ ubuntu-20.04 ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v17
+      - uses: cachix/cachix-action@v10
+        with:
+          name: numtide
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - run: |
+          export PRJ_ROOT=$PWD
+          nix-shell --pure --run "just lint"
+      - run: nix-build
+  flakes:
+    strategy:
+      matrix:
+        os: [ ubuntu-20.04 ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Nix Flakes doesn't work on shallow clones
+          fetch-depth: 0
+      - uses: cachix/install-nix-action@v17
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+      - uses: cachix/cachix-action@v10
+        with:
+          name: numtide
+          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+      - run: nix flake check
+      - run: nix develop -c echo OK
+      - name: Run nix flake archive
+        run: nix flake archive

.gitignore

@@ -1 +1,3 @@
 /serve-go
+/.direnv
+/result*

default.nix

@@ -0,0 +1,44 @@
+{
+  system ? builtins.currentSystem,
+  inputs ? import ./flake.lock.nix {},
+  nixpkgs ?
+    import inputs.nixpkgs {
+      inherit system;
+      # Makes the config pure as well. See <nixpkgs>/top-level/impure.nix:
+      config = {};
+      overlays = [];
+    },
+  buildGoModule ? nixpkgs.buildGoModule,
+}: let
+  serve-go =
+    buildGoModule
+    {
+      name = "serve-go";
+      src = ./.;
+      vendorSha256 = null;
+      meta = with nixpkgs.lib; {
+        description = "HTTP web server for SPA";
+        homepage = "https://github.com/numtide/serve-go";
+        license = licenses.mit;
+        maintainers = with maintainers; [zimbatm jfroche];
+        platforms = platforms.linux;
+      };
+    };
+  devShell =
+    nixpkgs.mkShellNoCC
+    {
+      buildInputs = with nixpkgs; [
+        gofumpt
+        golangci-lint
+        alejandra
+        go
+        golint
+        treefmt
+        just
+        gcc
+      ];
+    };
+in {
+  inherit serve-go devShell;
+  default = serve-go;
+}

flake.lock.nix

@@ -0,0 +1,134 @@
+# Adapted from https://github.com/edolstra/flake-compat/blob/master/default.nix
+#
+# This version only gives back the inputs. In that mode, flake becomes little
+# more than a niv replacement.
+{src ? ./.}: let
+  lockFilePath = src + "/flake.lock";
+
+  lockFile = builtins.fromJSON (builtins.readFile lockFilePath);
+
+  # Emulate builtins.fetchTree
+  #
+  # TODO: only implement polyfill if the builtin doesn't exist?
+  fetchTree = info:
+    if info.type == "github"
+    then {
+      outPath = fetchTarball {
+        url = "https://api.${info.host or "github.com"}/repos/${info.owner}/${info.repo}/tarball/${info.rev}";
+        sha256 = info.narHash;
+      };
+      rev = info.rev;
+      shortRev = builtins.substring 0 7 info.rev;
+      lastModified = info.lastModified;
+      narHash = info.narHash;
+    }
+    else if info.type == "git"
+    then
+      {
+        outPath =
+          builtins.fetchGit
+          (
+            {
+              url = info.url;
+              sha256 = info.narHash;
+            }
+            // (
+              if info ? rev
+              then {inherit (info) rev;}
+              else {}
+            )
+            // (
+              if info ? ref
+              then {inherit (info) ref;}
+              else {}
+            )
+          );
+        lastModified = info.lastModified;
+        narHash = info.narHash;
+      }
+      // (
+        if info ? rev
+        then {
+          rev = info.rev;
+          shortRev = builtins.substring 0 7 info.rev;
+        }
+        else {}
+      )
+    else if info.type == "path"
+    then {
+      outPath = builtins.path {path = info.path;};
+      narHash = info.narHash;
+    }
+    else if info.type == "tarball"
+    then {
+      outPath = fetchTarball {
+        url = info.url;
+        sha256 = info.narHash;
+      };
+      narHash = info.narHash;
+    }
+    else if info.type == "gitlab"
+    then {
+      inherit (info) rev narHash lastModified;
+      outPath = fetchTarball {
+        url = "https://${info.host or "gitlab.com"}/api/v4/projects/${info.owner}%2F${info.repo}/repository/archive.tar.gz?sha=${info.rev}";
+        sha256 = info.narHash;
+      };
+      shortRev = builtins.substring 0 7 info.rev;
+    }
+    else
+      # FIXME: add Mercurial, tarball inputs.
+      throw "flake input has unsupported input type '${info.type}'";
+
+  allNodes =
+    builtins.mapAttrs
+    (
+      key: node: let
+        sourceInfo =
+          if key == lockFile.root
+          then {}
+          else fetchTree (node.info or {} // removeAttrs node.locked ["dir"]);
+
+        inputs =
+          builtins.mapAttrs
+          (inputName: inputSpec: allNodes.${resolveInput inputSpec})
+          (node.inputs or {});
+
+        # Resolve a input spec into a node name. An input spec is
+        # either a node name, or a 'follows' path from the root
+        # node.
+        resolveInput = inputSpec:
+          if builtins.isList inputSpec
+          then getInputByPath lockFile.root inputSpec
+          else inputSpec;
+
+        # Follow an input path (e.g. ["dwarffs" "nixpkgs"]) from the
+        # root node, returning the final node.
+        getInputByPath = nodeName: path:
+          if path == []
+          then nodeName
+          else
+            getInputByPath
+            # Since this could be a 'follows' input, call resolveInput.
+            (resolveInput lockFile.nodes.${nodeName}.inputs.${builtins.head path})
+            (builtins.tail path);
+
+        result =
+          sourceInfo
+          // {
+            inherit inputs;
+            inherit sourceInfo;
+          };
+      in
+        if node.flake or true
+        then result
+        else sourceInfo
+    )
+    lockFile.nodes;
+
+  result =
+    if lockFile.version >= 5 && lockFile.version <= 7
+    then allNodes.${lockFile.root}.inputs
+    else throw "lock file '${lockFilePath}' has unsupported version ${toString lockFile.version}";
+in
+  result

flake.nix

@@ -0,0 +1,38 @@
+{
+  description = "HTTP web server for SPA";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+    flake-utils.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+    ...
+  }:
+    flake-utils.lib.eachSystem ["x86_64-linux"] (
+      system: let
+        nixpkgs' = nixpkgs.legacyPackages.${system};
+        pkgs = import self {
+          inherit system;
+          inputs = null;
+          nixpkgs = nixpkgs';
+        };
+      in {
+        defaultPackage = pkgs.default;
+        packages = pkgs;
+        devShells.default = pkgs.devShell;
+        checks = {
+          fmt = with nixpkgs';
+            runCommandLocal "fmt" {} ''
+              export HOME=$(mktemp -d)
+              cd ${./.}
+              ${treefmt}/bin/treefmt --fail-on-change > $out
+            '';
+        };
+      }
+    );
+}

justfile

@@ -0,0 +1,14 @@
+default:
+    @just --list
+
+# Format and lint project
+fmt:
+    treefmt
+
+# Build the project
+build:
+    go build .
+
+# Run linters not covered by treefmt
+lint:
+    golangci-lint run