nix: improve a little

Also add personal AGE public key.

.gitattributes

@@ -0,0 +1,2 @@
+*.webp filter=lfs diff=lfs merge=lfs -text
+*.ico filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -1,4 +1,7 @@
-/.hugo_cache/
+# Hugo
 /public/
 /resources/
 /.hugo_build.lock
+
+# Nix
+/result

.gitlab-ci.yml

@@ -5,41 +5,15 @@ default:
     - linux
 
 stages:
-  - build
   - deploy
 
-workflow:
-  rules:
-    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
-
-build:hugo:
-  stage: build
-  image: alpine:edge
-  variables:
-    HUGO_CACHEDIR: $CI_PROJECT_DIR/.hugo_cache
-  script:
-    - echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
-    - apk add --no-cache hugo dart-sass
-    - hugo --logLevel=info --gc --panicOnWarning
-  cache:
-    key: resources-$CI_COMMIT_REF_NAME
-    paths:
-      - resources/
-      - .hugo_cache/
-  artifacts:
-    expire_in: 1 hour
-    paths:
-      - public/
-
 deploy:cloudflare_pages:
   stage: deploy
-  image:
-    name: node:20-alpine
-    entrypoint: [""]
-  script: |
-    npx wrangler pages deploy \
-      --project-name=folliehiyuki \
-      --branch="$CI_COMMIT_REF_NAME" \
-      public/
-  dependencies:
-    - build:hugo
+  image: nixos/nix:2.18.1
+  variables:
+    NIX_CONFIG: experimental-features = nix-command flakes
+  script:
+    - nix build .
+    - nix run .#publish
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

LICENSE-MIT

@@ -1,4 +1,4 @@
-MIT License Copyright (c) 2021-2023 FollieHiyuki
+MIT License Copyright (c) 2021-2023 Hoang Nguyen <folliekazetani@protonmail.com>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -9,6 +9,10 @@ Powered by [hugo](https://gohugo.io/) static site generator.
 - [ ] Toggle TOC (check <https://github.com/alex-shpak/hugo-book>)
 - [ ] Add KaTeX support (maybe?)
 - [ ] More icons fonts: [Weather Icons](https://github.com/erikflowers/weather-icons), [Codicons](https://github.com/microsoft/vscode-codicons), [Material Design Icons](https://github.com/Templarian/MaterialDesign)
+- [ ] JSON feed
+- [ ] Schema.org
+  - Test: https://developers.google.com/search/docs/appearance/structured-data
+  - Types to consider: Website, Article, BlogPosting, Blog
 
 ## Ideas
 
@@ -23,7 +27,7 @@ These are things I've encountered and found interesting to talk about. I might w
 
 ## 🌟 Credits
 
-The website's theme is initially based on [hugo-flex](https://github.com/de-souza/hugo-flex).
+The website's theme was initially based on [hugo-flex](https://github.com/de-souza/hugo-flex).
 
 ## 📋 Licenses
 

assets/css/_base.scss

@@ -123,7 +123,7 @@ a {
     color: var(--color-cyan);
     border-bottom: 0.1rem solid var(--color-cyan);
 
-    &:has(img) {
+    &:has(> img) {
       border-bottom: none;
     }
   }
@@ -149,6 +149,50 @@ table, th, td {
   word-break: normal;
 }
 
+dl {
+  display: grid;
+  grid-template-columns: max-content auto;
+}
+
+dt {
+  grid-column-start: 1;
+  font-weight: 700;
+}
+
+dd {
+  grid-column-start: 2;
+}
+
+ul, ol {
+  padding-left: 1.5rem;
+}
+
+nav[id="TableOfContents"] ul {
+  padding-left: 2.25rem;
+}
+
+li:has(> input[type="checkbox"]) {
+  list-style-type: none;
+}
+
+input[type="checkbox"] {
+  width: 1rem;
+  height: 1rem;
+  appearance: none;
+  border-radius: 0.2rem;
+  border: 0.1rem solid var(--color-fg);
+
+  &:checked {
+    background: var(--color-green);
+
+    &:after {
+      color: var(--color-fg);
+      content: '\2714';
+      font-size: 1rem;
+    }
+  }
+}
+
 hr {
   color: var(--color-fg);
 }

assets/css/_fonts.scss

@@ -1,103 +0,0 @@
-@font-face {
-  font-family: "Iosevka Aile Web";
-  font-display: swap;
-  font-weight: 400;
-  font-stretch: normal;
-  font-style: normal;
-  src: url("/fonts/iosevka-aile-regular.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Iosevka Aile Web";
-  font-display: swap;
-  font-weight: 400;
-  font-stretch: normal;
-  font-style: italic;
-  src: url("/fonts/iosevka-aile-italic.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Iosevka Aile Web";
-  font-display: swap;
-  font-weight: 700;
-  font-stretch: normal;
-  font-style: normal;
-  src: url("/fonts/iosevka-aile-bold.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Iosevka Aile Web";
-  font-display: swap;
-  font-weight: 700;
-  font-stretch: normal;
-  font-style: italic;
-  src: url("/fonts/iosevka-aile-bolditalic.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Iosevka Web";
-  font-display: swap;
-  font-weight: 400;
-  font-stretch: normal;
-  font-style: normal;
-  src: url("/fonts/iosevka-regular.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Iosevka Web";
-  font-display: swap;
-  font-weight: 400;
-  font-stretch: normal;
-  font-style: italic;
-  src: url("/fonts/iosevka-italic.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Iosevka Web";
-  font-display: swap;
-  font-weight: 700;
-  font-stretch: normal;
-  font-style: normal;
-  src: url("/fonts/iosevka-bold.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Iosevka Web";
-  font-display: swap;
-  font-weight: 700;
-  font-stretch: normal;
-  font-style: italic;
-  src: url("/fonts/iosevka-bolditalic.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Font Awesome 6 Free";
-  font-display: block;
-  font-weight: 900;
-  font-style: normal;
-  src: url("/fonts/fa-solid-900.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "Font Awesome 6 Brands";
-  font-display: block;
-  font-weight: 400;
-  font-style: normal;
-  src: url("/fonts/fa-brands-400.woff2") format("woff2");
-}
-
-@font-face {
-  font-family: "devicon";
-  font-display: block;
-  font-weight: 400;
-  font-style: normal;
-  src: url("/fonts/devicon.woff") format("woff");
-}
-
-@font-face {
-  font-family: "font-logos";
-  font-display: block;
-  font-weight: 400;
-  font-style: normal;
-  src: url("/fonts/font-logos.woff2") format("woff2");
-}

assets/css/_vendor/normalize.css

@@ -1,349 +0,0 @@
-/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */
-
-/* Document
-   ========================================================================== */
-
-/**
- * 1. Correct the line height in all browsers.
- * 2. Prevent adjustments of font size after orientation changes in iOS.
- */
-
-html {
-  line-height: 1.15; /* 1 */
-  -webkit-text-size-adjust: 100%; /* 2 */
-}
-
-/* Sections
-   ========================================================================== */
-
-/**
- * Remove the margin in all browsers.
- */
-
-body {
-  margin: 0;
-}
-
-/**
- * Render the `main` element consistently in IE.
- */
-
-main {
-  display: block;
-}
-
-/**
- * Correct the font size and margin on `h1` elements within `section` and
- * `article` contexts in Chrome, Firefox, and Safari.
- */
-
-h1 {
-  font-size: 2em;
-  margin: 0.67em 0;
-}
-
-/* Grouping content
-   ========================================================================== */
-
-/**
- * 1. Add the correct box sizing in Firefox.
- * 2. Show the overflow in Edge and IE.
- */
-
-hr {
-  box-sizing: content-box; /* 1 */
-  height: 0; /* 1 */
-  overflow: visible; /* 2 */
-}
-
-/**
- * 1. Correct the inheritance and scaling of font size in all browsers.
- * 2. Correct the odd `em` font sizing in all browsers.
- */
-
-pre {
-  font-family: monospace, monospace; /* 1 */
-  font-size: 1em; /* 2 */
-}
-
-/* Text-level semantics
-   ========================================================================== */
-
-/**
- * Remove the gray background on active links in IE 10.
- */
-
-a {
-  background-color: transparent;
-}
-
-/**
- * 1. Remove the bottom border in Chrome 57-
- * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari.
- */
-
-abbr[title] {
-  border-bottom: none; /* 1 */
-  text-decoration: underline; /* 2 */
-  text-decoration: underline dotted; /* 2 */
-}
-
-/**
- * Add the correct font weight in Chrome, Edge, and Safari.
- */
-
-b,
-strong {
-  font-weight: bolder;
-}
-
-/**
- * 1. Correct the inheritance and scaling of font size in all browsers.
- * 2. Correct the odd `em` font sizing in all browsers.
- */
-
-code,
-kbd,
-samp {
-  font-family: monospace, monospace; /* 1 */
-  font-size: 1em; /* 2 */
-}
-
-/**
- * Add the correct font size in all browsers.
- */
-
-small {
-  font-size: 80%;
-}
-
-/**
- * Prevent `sub` and `sup` elements from affecting the line height in
- * all browsers.
- */
-
-sub,
-sup {
-  font-size: 75%;
-  line-height: 0;
-  position: relative;
-  vertical-align: baseline;
-}
-
-sub {
-  bottom: -0.25em;
-}
-
-sup {
-  top: -0.5em;
-}
-
-/* Embedded content
-   ========================================================================== */
-
-/**
- * Remove the border on images inside links in IE 10.
- */
-
-img {
-  border-style: none;
-}
-
-/* Forms
-   ========================================================================== */
-
-/**
- * 1. Change the font styles in all browsers.
- * 2. Remove the margin in Firefox and Safari.
- */
-
-button,
-input,
-optgroup,
-select,
-textarea {
-  font-family: inherit; /* 1 */
-  font-size: 100%; /* 1 */
-  line-height: 1.15; /* 1 */
-  margin: 0; /* 2 */
-}
-
-/**
- * Show the overflow in IE.
- * 1. Show the overflow in Edge.
- */
-
-button,
-input { /* 1 */
-  overflow: visible;
-}
-
-/**
- * Remove the inheritance of text transform in Edge, Firefox, and IE.
- * 1. Remove the inheritance of text transform in Firefox.
- */
-
-button,
-select { /* 1 */
-  text-transform: none;
-}
-
-/**
- * Correct the inability to style clickable types in iOS and Safari.
- */
-
-button,
-[type="button"],
-[type="reset"],
-[type="submit"] {
-  -webkit-appearance: button;
-}
-
-/**
- * Remove the inner border and padding in Firefox.
- */
-
-button::-moz-focus-inner,
-[type="button"]::-moz-focus-inner,
-[type="reset"]::-moz-focus-inner,
-[type="submit"]::-moz-focus-inner {
-  border-style: none;
-  padding: 0;
-}
-
-/**
- * Restore the focus styles unset by the previous rule.
- */
-
-button:-moz-focusring,
-[type="button"]:-moz-focusring,
-[type="reset"]:-moz-focusring,
-[type="submit"]:-moz-focusring {
-  outline: 1px dotted ButtonText;
-}
-
-/**
- * Correct the padding in Firefox.
- */
-
-fieldset {
-  padding: 0.35em 0.75em 0.625em;
-}
-
-/**
- * 1. Correct the text wrapping in Edge and IE.
- * 2. Correct the color inheritance from `fieldset` elements in IE.
- * 3. Remove the padding so developers are not caught out when they zero out
- *    `fieldset` elements in all browsers.
- */
-
-legend {
-  box-sizing: border-box; /* 1 */
-  color: inherit; /* 2 */
-  display: table; /* 1 */
-  max-width: 100%; /* 1 */
-  padding: 0; /* 3 */
-  white-space: normal; /* 1 */
-}
-
-/**
- * Add the correct vertical alignment in Chrome, Firefox, and Opera.
- */
-
-progress {
-  vertical-align: baseline;
-}
-
-/**
- * Remove the default vertical scrollbar in IE 10+.
- */
-
-textarea {
-  overflow: auto;
-}
-
-/**
- * 1. Add the correct box sizing in IE 10.
- * 2. Remove the padding in IE 10.
- */
-
-[type="checkbox"],
-[type="radio"] {
-  box-sizing: border-box; /* 1 */
-  padding: 0; /* 2 */
-}
-
-/**
- * Correct the cursor style of increment and decrement buttons in Chrome.
- */
-
-[type="number"]::-webkit-inner-spin-button,
-[type="number"]::-webkit-outer-spin-button {
-  height: auto;
-}
-
-/**
- * 1. Correct the odd appearance in Chrome and Safari.
- * 2. Correct the outline style in Safari.
- */
-
-[type="search"] {
-  -webkit-appearance: textfield; /* 1 */
-  outline-offset: -2px; /* 2 */
-}
-
-/**
- * Remove the inner padding in Chrome and Safari on macOS.
- */
-
-[type="search"]::-webkit-search-decoration {
-  -webkit-appearance: none;
-}
-
-/**
- * 1. Correct the inability to style clickable types in iOS and Safari.
- * 2. Change font properties to `inherit` in Safari.
- */
-
-::-webkit-file-upload-button {
-  -webkit-appearance: button; /* 1 */
-  font: inherit; /* 2 */
-}
-
-/* Interactive
-   ========================================================================== */
-
-/*
- * Add the correct display in Edge, IE 10+, and Firefox.
- */
-
-details {
-  display: block;
-}
-
-/*
- * Add the correct display in all browsers.
- */
-
-summary {
-  display: list-item;
-}
-
-/* Misc
-   ========================================================================== */
-
-/**
- * Add the correct display in IE 10+.
- */
-
-template {
-  display: none;
-}
-
-/**
- * Add the correct display in IE 10.
- */
-
-[hidden] {
-  display: none;
-}

assets/css/main.tpl.scss

@@ -1,7 +1,5 @@
 @charset "UTF-8";
 
-@use "_vendor/normalize";
-@use "fonts";
 @use "chroma";
 @use "base";
 
@@ -63,7 +61,7 @@
   margin: 0;
   padding: 0;
 
-  &-item--title {
+  &-item-title {
     flex-grow: 1;
   }
 
@@ -117,7 +115,7 @@
   padding: 0.5rem;
   background: var(--color-gray);
 
-  > div > div > span {
+  > div > span {
     margin: 0.5rem 0.75rem;
   }
 }
@@ -128,10 +126,6 @@
     margin: auto;
   }
 
-  &-padding {
-    padding: 0 1rem;
-  }
-
   &-background {
     background: var(--color-gray);
   }
@@ -143,6 +137,11 @@
   }
 }
 
+// Slightly smaller width for the article's space
+main > .u-wrapper {
+  max-width: 46rem;
+}
+
 .toc {
   float: right;
   margin: 1rem 0rem 1rem 1rem;

content/_index.md

@@ -5,4 +5,4 @@ css: css/pages/homepage.css
 ---
 {{< figure src="avatar.webp" alt="avatar" class="avatar" width=100% height=100% >}}
 
-### YAML editor by day, anime nerd by night
+### Full-time ~~CUE/Jsonnet/Nickel/Nix~~ YAML engineer

content/about/index.md

@@ -14,6 +14,7 @@ My name is Hoang Nguyen Huy, a DevOps engineer and a massive weeb that likes FOS
 ## Public keys
 
 - PGP: [0xB0567C20730E9B11](publickey.txt)
+- age: `age1qjdsw949yvhlkttldda5ar4t0mma9vwey8gal425qckh67h7taws96vsey`
 
 ## Code forges
 

content/blog/gitlab-is-an-awesome-mess/index.md

@@ -12,13 +12,13 @@ Beside the sluggish frontend, the gigantic amount of bloated features I'd rather
 
 Firstly, I like its micro-component architecture. You have [Gitaly](https://gitlab.com/gitlab-org/gitaly) as the middle-man for Git storage, [Gitlab-Shell](https://gitlab.com/gitlab-org/gitlab-shell) specifically to manage SSH access, and so on. It allows each part to horizontally scale independently of the other, which is always a plus. Also, [Geo](https://docs.gitlab.com/ee/administration/geo/), for me personally with a month of experimenting, is a greate Disaster Recovery implementation. In comparison, Gitea, at the time of writing, straightforwardly doesn't scale, at all.
 
-Then, there is the famous CI/CD to talk about. It's so well integrated into GitLab that when you use GitLab as your code platform, no other CI/CD solutions matter anymore. Putting a few misleading predefined CI/CD variables, and occasional weird YAML merging behaviors aside, the `.gitlab-ci.yml` schema is pretty clean (not many nested keywords like GitHub Actions), well-defined and flexible. My only complaint, as of now, is that it's still a YAML document. `default:`, `include:` and `!reference[]` exist, but, at the end of the day, no YAML anchors or fancy features inside the YAML engine can save you from a big, ugly CI/CD configuration. I'll be glad if they add support for Jsonnet[^1].
+Then, there is the famous CI/CD to talk about. Putting a few misleading predefined CI/CD variables, and occasional weird YAML merging behaviors aside, the `.gitlab-ci.yml` schema is pretty clean, well-defined and flexible. My only complaint, as of now, is that it's still a YAML document. `default:`, `include:` and `!reference[]` exist, but, at the end of the day, no YAML anchors or fancy features inside the YAML engine can save you from a big, ugly CI/CD configuration[^1]. GitLab Runner is, in my opinion, also superior in its feature set compared to GitHub or Drone's ones.
 
 ## The bad
 
 ### Paid features
 
-Just look at [the feature comparison table](https://about.gitlab.com/pricing/feature-comparison/), it's obvious that the Free tier comes with so many bloated, unnecessary features, while lacking what I deem fundamental ones. More features are being locked down in Premium/Ultimate tier as days go by, while the price for them increase every year. Considering the terms of their [Buyer Based Tiering model](https://about.gitlab.com/company/pricing/#buyer-based-tiering-clarification), I guess it somehow makes sense. I still wish to have CODEOWNERS, Merge Train, Geo and Audit Log in Free tier though.
+Just look at [the feature comparison table](https://about.gitlab.com/pricing/feature-comparison/), it's obvious that the Free tier comes with so many bloated, unnecessary features, while lacking what I deem fundamental ones. More features are being locked down in Premium and Ultimate tiers as days go by, while the price for them increase every single year. Considering the terms of their [Buyer Based Tiering model](https://about.gitlab.com/company/pricing/#buyer-based-tiering-clarification), I guess it somehow makes sense. I still wish to have CODEOWNERS, Merge Train, Geo and Audit Log in Free tier though.
 
 ### Shipping unfinished features on new releases
 
@@ -55,18 +55,19 @@ Another example, just recently, is the introduction of [*admin_mode* scope for P
 
 Since I mentioned tokens, let's take a look at all the different ways for your automations to access private GitLab resources[^2].
 
-- `CI_JOB_TOKEN` is the unique one and is nicely implemented, security wise, but its scopes are so limited it turns out to be useless most of the time.
+- `CI_JOB_TOKEN` is the unique one and is nicely implemented, security wise, but its fixed scopes are so limited it turns out to be useless most of the time[^3].
 - I wonder why [Deploy Keys](https://docs.gitlab.com/ee/user/project/deploy_keys/index.html) even exists. It doesn't enforce expiration date, so would quickly become stale and unmanageable. And I find people usually use it the same way as [Deploy Tokens](https://docs.gitlab.com/ee/user/project/deploy_tokens/index.html).
 - [Personal Access Token](https://docs.gitlab.com/ee/security/token_overview.html#personal-access-tokens), [Project Access Token](https://docs.gitlab.com/ee/security/token_overview.html#project-access-tokens) and [Group Access Token](https://docs.gitlab.com/ee/security/token_overview.html#group-access-tokens) are a mess. They are powerful, but can quickly and easily be forgotten, as the usual case is to generate one and set it in a CI/CD variable. With the future 16.0 release, all your old, poorly maintained pipelines might suddenly break out of nowhere as their lost tokens expire.
-- To make things worse, instance-level access token isn't a thing[^3], so you get stuck with bot-like accounts for cross top-level groups automations, which occupy license seats and waste ~~$19~~ [$29 USD/month](https://about.gitlab.com/pricing/) each on your **Premium** plan[^4].
+- To make things worse, instance-level access token isn't a thing[^4], so you get stuck with bot-like accounts for cross top-level groups automations, which occupy license seats and waste ~~$19~~ [$29 USD/month](https://about.gitlab.com/pricing/) each on your **Premium** plan[^5].
 
 ## Afterwords
 
-Beside technical knowledge, these 2 months of hands-on experience with GitLab also gave me some good memories. All those times pulling all-nighters with co-workers to upgrade GitLab, gossiping about random things while waiting for the pre-upgrade backup to finish, they were really fun and memorable. I, overall, enjoy being a GitLab instance administrator (who doesn't like almighty power over all the company's projects, to be honest :smile:).
+Beside technical knowledge, these 2 months of hands-on experience with GitLab also gave me some good memories. All those times pulling all-nighters with co-workers to upgrade GitLab, gossiping about random things while waiting for the pre-upgrade backup to finish, it was really fun and memorable. I, overall, enjoy being a GitLab instance administrator (who doesn't like almighty power over all the company's projects, to be honest :smile:).
 
 That's all for me. Thanks for reading until the end!
 
-[^1]: A praise for [DroneCI](https://www.drone.io/) and [Agola](https://agola.io/) for doing something way better than GitLab CI/CD.
+[^1]: You think writing YAML config for GitHub Actions is a better experience? Think twice! It doesn't even [support YAML anchor](https://github.com/actions/runner/issues/1182).
 [^2]: https://docs.gitlab.com/ee/security/token_overview.html.
-[^3]: There is a [2-year-old opened issue](https://gitlab.com/gitlab-org/gitlab/-/issues/263248).
-[^4]: Even GitLab organization themselves haven't gotten away from [@gitlab-bot](https://gitlab.com/gitlab-bot) yet, after all these time.
+[^3]: GitHub Runner's ephemeral token is actually better at this, since you can define its access scopes in CI/CD configuration
+[^4]: There is a [2-year-old opened issue](https://gitlab.com/gitlab-org/gitlab/-/issues/263248).
+[^5]: Even GitLab organization themselves haven't gotten away from [@gitlab-bot](https://gitlab.com/gitlab-bot) yet, after all these time.

content/blog/rootfull-rootless-containers-on-btrfs-zfs/index.md

@@ -49,8 +49,6 @@ Here's what we'll use for rootless mode:
 
 Notice that we'll make use of `native` snapshotter for nerdctl on ZFS. Why not the default overlayfs? The answer is because ZFS doesn't like having an overlayfs mount being on top of it[^10]. Other snapshotters (fuse-overlayfs, stargz) probably will also work, but they require installing corresponding gRPC helper binaries and setting up additional services alongside containerd, so `native` is the easiest choice here.
 
-Now comes the actual setup process.
-
 ## nerdctl
 
 ### Rootfull mode
@@ -83,20 +81,20 @@ Pretty simple, right? For something new, I'll do it the Ansible way:
 
 #### Btrfs
 
-It's pretty similar with Btrfs storage backend. Most Btrfs on root setups don't mount the root subvolume on `/`, and you probably would want to keep container layers when switching the subvolume mounted on `/`, so there are some extra steps involved:
+It's pretty similar with Btrfs storage backend. Most Btrfs on root setups don't mount the root subvolume on /, and you probably would want to keep container layers when switching the subvolume mounted on /, so there are some extra steps involved:
 
 ```bash
 # Mount the root subvolume somewhere first, assuming it is /dev/sda1 in this case
 mount -t btrfs -o rw,noatime,user_subvol_rm_allowed,subvol=/ /dev/sda1 /mnt
 
-# Create a top level subvolume (rootid=5) for containerd' storage
+# Create a top level subvolume (rootid=5) for containerd's storage
 btrfs subvolume create /mnt/@containerd
 ```
 
 Then stick the newly created subvolume into `/etc/fstab` and mount it:
 
 ```bash
-# Replace /dev/sda1 with something more proper, like UUID=...
+# Replace /dev/sda1 with something more proper, such as UUID=...
 /dev/sda1	/var/lib/containerd/io.containerd.snapshotter.v1.btrfs	btrfs	rw,noatime,nodev,compress-force=zstd,rescue=usebackuproot,ssd,space_cache=v2,commit=60,subvol=/@containerd 0 2
 ```
 
@@ -210,7 +208,7 @@ KillMode=mixed
 
 ### Rootfull
 
-The filesystem setup in rootfull mode for podman is roughly the same process as nerdctl. You just need to change the storage mountpoint from `/var/lib/containerd/io.containerd.snapshotter.v1.{zfs,btrfs}` to `/var/lib/containers/storage` and create a ZFS dataset / Btrfs subvolume there. Additionally, a system configuration is required:
+The filesystem setup in rootfull mode for podman is roughly the same process as nerdctl. You just need to change the storage mountpoint from `/var/lib/containerd/io.containerd.snapshotter.v1.{zfs,btrfs}` to `/var/lib/containers/storage` and create a ZFS dataset or a Btrfs subvolume there. Additionally, a system configuration is required:
 
 ***/etc/containers/storage.conf***:
 
@@ -273,11 +271,11 @@ I'm quite happy with the experiment so far. podman and nerdctl, since, have been
 
 I'll probably write another blog post if they appear to be interesting, and if I have some free time to test them in the future. See you then, and thanks for reading this until the end!
 
-[^1]: Docker has [an extensive document](https://docs.docker.com/engine/security/rootless/) for setting up rootless container. I think it is good enough already. In short Btrfs works while ZFS support is absent.
+[^1]: Docker has [an extensive document](https://docs.docker.com/engine/security/rootless/) for setting up rootless container. I think it is good enough already. In short, Btrfs works while ZFS support is absent.
 [^2]: containerd uses the term ***"snapshotter"*** while podman calls it ***"storage driver"***.
 [^3]: you can [do the same with nerdctl][1] by the way, though it is highly discouraged.
 [^4]: see <https://github.com/containers/podman/blob/main/rootless.md>
-[^5]: detailed instruction available at <https://rootlesscontaine.rs/getting-started/common/>.
+[^5]: detailed instruction is available at <https://rootlesscontaine.rs/getting-started/common/>.
 [^6]: be aware that containerd's Btrfs storage implementation has some performance issues, e.g. not using Btrfs quota (see [containerd/containerd#4217](https://github.com/containerd/containerd/issues/4217), [containerd/containerd#6067](https://github.com/containerd/containerd/issues/6067) and [containerd/containerd#6581](https://github.com/containerd/containerd/issues/6581))
 [^7]: check out [this answer](https://github.com/containers/podman/issues/11415#issuecomment-912015581).
 [^8]: I opened issue [containerd/containerd#7514](https://github.com/containerd/containerd/issues/7514) on GitHub. You can keep track of the bug there.

content/blog/test-post/index.md

@@ -84,13 +84,20 @@ Ordered?
 3. No one cares
 { .ordered }
 
+Definition lists:
+
+Some words
+: This is a long definition of "some words" :joy:, explaining what it is (in details) and some further information
+
 Todo list?
 
 - [ ] 1st item
 - [x] 2nd item (DONE)
   - [ ] 3rd item (not yet)
 
-### Shortcodes
+### Shortcodes {#shortcodes}
+
+NOTE: the previous heading has a [custom heading ID](#shortcodes)
 
 {{< details text="This is a spoiler block" >}}
 This shouldn't be shown at first.

flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1699099776,
+        "narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,68 @@
+{
+  description = "FollieHiyuki's personal blog";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        inherit (nixpkgs) lib;
+        pkgs = nixpkgs.legacyPackages."${system}";
+
+        hugoBuildInputs = with pkgs; [ hugo dart-sass ];
+
+        tasks = with pkgs; {
+          serve = {
+            runtimeInputs = hugoBuildInputs;
+            script = "hugo server -D";
+          };
+          publish = {
+            runtimeInputs = [ nodePackages.wrangler ];
+
+            # NOTE: either CLOUDFLARE_ACCOUNT_ID, CLOUDFLARE_API_TOKEN need to be set outside (.e.g CI/CD variable)
+            # or run `wrangler login` first
+            script = ''
+              wrangler pages deploy \
+                --project-name=folliehiyuki \
+                --branch=main \
+                result/
+            '';
+          };
+        };
+      in
+      {
+        apps = (lib.attrsets.mapAttrs
+          (k: v: flake-utils.lib.mkApp {
+            drv = pkgs.writeShellApplication {
+              name = k;
+              runtimeInputs = v.runtimeInputs;
+              text = v.script;
+            };
+          })
+          tasks);
+
+        packages.default = with pkgs; stdenv.mkDerivation {
+          name = "folliehiyuki.com";
+          src = lib.cleanSource ./.;
+          buildInputs = hugoBuildInputs;
+
+          buildPhase = ''
+            export HUGO_CACHEDIR="$TMPDIR/.hugo_cache"
+            hugo --gc --panicOnWarning
+          '';
+
+          installPhase = ''
+            mkdir -p "$out"
+            cp -r public/* "$out"/
+          '';
+        };
+
+        devShells.default = with pkgs; mkShell {
+          nativeBuildInputs = hugoBuildInputs ++ [ git nodePackages.wrangler ];
+        };
+      }
+    );
+}

hugo.toml

@@ -1,5 +1,5 @@
 baseURL = "https://www.folliehiyuki.com"
-languageCode = 'en-us'
+languageCode = "en-us"
 title = "FollieHiyuki's blog"
 hasCJKLanguage = true
 enableEmoji = true
@@ -11,6 +11,7 @@ disableKinds = ["taxonomy", "term"]
 
 [menu]
 nav = [
+  { name = "Docs", url = "https://docs.folliehiyuki.com", weight = 5 },
   { name = "Blog", url = "blog/", weight = 10 },
   { name = "About", url = "about/", weight = 20 },
 ]

layouts/_default/_markup/render-link.html

@@ -1,2 +1,5 @@
-{{ $isRemote := strings.HasPrefix .Destination "http" }}
-<a href="{{ .Destination | safeURL }}"{{ with .Title }} title="{{ . }}"{{ end }}{{ if $isRemote }} target="_blank" rel="noopener external"{{ end }}>{{ .Text | safeHTML }}</a>
+<a href="{{ .Destination | safeURL }}"
+  {{ with .Title }} title="{{ . }}"{{ end }}
+  {{ if (strings.HasPrefix .Destination "http") }} target="_blank" rel="noopener external"{{ end }}>
+  {{ .Text | safeHTML }}
+</a>

layouts/_default/baseof.html

@@ -7,9 +7,7 @@
     {{ partialCached "banner.html" . }}
     <main>
       <div class="u-wrapper">
-        <div class="u-padding">
-          {{ block "main" . }}{{ end }}
-        </div>
+        {{ block "main" . }}{{ end }}
       </div>
     </main>
     {{ partialCached "footer.html" . }}

layouts/partials/banner.html

@@ -1,12 +1,12 @@
 <nav class="u-background">
   <div class="u-wrapper">
     <ul class="Banner">
-      <li class="Banner-item Banner-item--title">
+      <li class="Banner-item Banner-item-title">
         <a class="Banner-link u-clickable" href="{{ relURL nil }}">Home</a>
       </li>
       {{ range site.Menus.nav }}
         <li class="Banner-item">
-          <a class="Banner-link u-clickable" href="{{ relURL .URL }}">{{ .Name }}</a>
+          <a class="Banner-link u-clickable"{{ if (strings.HasPrefix .URL "http") }} target="_blank" rel="noopener external"{{ end }} href="{{ relURL .URL }}">{{ .Name }}</a>
         </li>
       {{ end }}
     </ul>

layouts/partials/footer.html

@@ -1,14 +1,11 @@
 <footer class="Footer">
   <div class="u-wrapper">
-    <div class="u-padding">
-      <span><a href="https://docs.folliehiyuki.com" target="_blank" rel="noopener external">Docs</a></span>
-      <span><a href="/index.xml">RSS feed</a></span>
-      <span><a href="https://gitlab.com/FollieHiyuki/site" target="_blank" rel="noopener external">Source code</a></span>
-      <span>
-        <a href="https://fediring.net/previous?host=www.folliehiyuki.com" rel="noopener external"><<</a>
-        <a href="https://fediring.net/" target="_blank" rel="noopener external">Fediring</a>
-        <a href="https://fediring.net/next?host=www.folliehiyuki.com" rel="noopener external">>></a>
-      </span>
-    </div>
+    <span><a href="/index.xml">RSS feed</a></span>
+    <span><a href="https://gitlab.com/FollieHiyuki/site" target="_blank" rel="noopener external">Source code</a></span>
+    <span>
+      <a href="https://fediring.net/previous?host=www.folliehiyuki.com" rel="noopener external"><<</a>
+      <a href="https://fediring.net/" target="_blank" rel="noopener external">Fediring</a>
+      <a href="https://fediring.net/next?host=www.folliehiyuki.com" rel="noopener external">>></a>
+    </span>
   </div>
 </footer>

layouts/partials/head.html

@@ -28,6 +28,22 @@
     {{ printf "<link rel=%q type=%q href=%q title=%q />" .Rel .MediaType .Permalink site.Title | safeHTML }}
   {{ end }}
 
+  {{ $cdn := "https://cdn.folliehiyuki.com" }}
+
+  {{/* Ref: https://developer.mozilla.org/en-US/docs/Web/Performance/Lazy_loading#fonts */}}
+  <link rel="preload" href="{{ $cdn }}/fonts/iosevka/iosevka-aile-bold.woff2" as="font" type="font/woff2" integrity="sha256-Hu4sqJ4m0rjWqqKYxhGKw1Lqz/VpftqKe0CeHACkSto=" crossorigin="anonymous" />
+  <link rel="preload" href="{{ $cdn }}/fonts/iosevka/iosevka-aile-bolditalic.woff2" as="font" type="font/woff2" integrity="sha256-fRJP2kQFy+xRyveNgFHkYWfHUG/DSkoUrXdfx7RGJMk=" crossorigin="anonymous" />
+  <link rel="preload" href="{{ $cdn }}/fonts/iosevka/iosevka-aile-italic.woff2" as="font" type="font/woff2" integrity="sha256-gH5Tq4ZWU0MJJQjXsdC00d++xrM842dN8pCVRmBnf0k=" crossorigin="anonymous" />
+  <link rel="preload" href="{{ $cdn }}/fonts/iosevka/iosevka-aile-regular.woff2" as="font" type="font/woff2" integrity="sha256-y6fQ+gvBFZWjeNgxiWQrYYgni3T5H+TLAwHCsSFSjKE=" crossorigin="anonymous" />
+
+  <link rel="stylesheet" href="{{ $cdn }}/css/normalize.css" integrity="sha256-Atknw9eu6T9FV6v//wFp8skKdJ5JcAqANQ1bPykR4go=" crossorigin="anonymous" />
+  <link rel="stylesheet" href="{{ $cdn }}/fonts/devicon/devicon.css" integrity="sha256-08KmrdZ/HBDZrOB6a5gBa6wH8IIw/6J/T7kni+FFhZM=" crossorigin="anonymous" />
+  <link rel="stylesheet" href="{{ $cdn }}/fonts/font-awesome/brands.css" integrity="sha256-hlCChWLJBZS0xMPH+lzZdFmZIV/6AJbVGoWQCvzwIsQ=" crossorigin="anonymous" />
+  <link rel="stylesheet" href="{{ $cdn }}/fonts/font-awesome/solid.css" integrity="sha256-xuw8YIIudFiLKxnOSDufxt0N2CFAJQXsK2lnTUPbofE=" crossorigin="anonymous" />
+  <link rel="stylesheet" href="{{ $cdn }}/fonts/font-logos/font-logos.css" integrity="sha256-ci1Go8qpl1be+ZJ1IDZTHq9/pcT3JI4emST3Be3Zhww=" crossorigin="anonymous" />
+  <link rel="stylesheet" href="{{ $cdn }}/fonts/iosevka/iosevka-aile.css" integrity="sha256-20HRMpRlRW2+dk9R7asoOl5/z8Xyc2BbjeLZsButUww=" crossorigin="anonymous" />
+  <link rel="stylesheet" href="{{ $cdn }}/fonts/iosevka/iosevka.css" integrity="sha256-O+SZ7wY51U5g20G3n93OYUnhmDat4lKGiqHyHQybqG8=" crossorigin="anonymous" />
+
   {{ $scss_options := dict "transpiler" "dartsass" }}
   {{ with resources.Get "css/main.tpl.scss" | resources.ExecuteAsTemplate "css/main.scss" . | resources.ToCSS $scss_options | minify | fingerprint }}
     <link rel="stylesheet" href="{{ .RelPermalink }}" integrity="{{ .Data.Integrity }}" crossorigin="anonymous" />
@@ -38,12 +54,4 @@
       <link rel="stylesheet" href="{{ .RelPermalink }}" integrity="{{ .Data.Integrity }}" crossorigin="anonymous" />
     {{ end }}
   {{ end }}
-
-  {{/*
-    https://developer.mozilla.org/en-US/docs/Web/Performance/Lazy_loading#fonts
-    NOTE: fonts/ directory is symlinked from static/ to assets/ to make the .Resources.Match work
-  */}}
-  {{ range resources.Match "/fonts/iosevka-aile*.woff2" }}
-    <link rel="preload" href="{{ . | relURL }}" as="font" type="font/woff2" crossorigin="anonymous" />
-  {{ end }}
 </head>

layouts/shortcodes/mark.html

@@ -1 +1 @@
-<mark>{{ with .Get 0 }}{{ . }}{{ end }}</mark>
+<mark>{{ with .Get 0 }}{{ . | markdownify | emojify }}{{ end }}</mark>

static/_headers

@@ -0,0 +1,7 @@
+/*
+  X-Frame-Options: DENY
+  X-Content-Type-Options: nosniff
+  X-DNS-Prefetch-Control: off
+  Referrer-Policy: no-referrer
+  Permissions-Policy: interest-cohort=(), geolocation=(), camera=(), microphone=(), display-capture=(), web-share=()
+  Content-Security-Policy: default-src 'self'; script-src 'none'; frame-ancestors 'none'; child-src 'none'; base-uri 'self'; font-src https://cdn.folliehiyuki.com; style-src 'self' 'unsafe-inline' https://cdn.folliehiyuki.com