---
title: 'blag: blogging in bash'
description: ..or fullstack web app development in bash using bingus-blog. either works
author: slonkazoid
written_at: 2024-12-29T23:42:00+03:00
tags:
 - hellish
 - meta
 - bash
 - draft
---

# blag: blogging in bash

have you ever wanted to write blog posts in bash?
well, now you can, with [blag](https://git.slonk.ing/slonk/blag) and bingus-blog.

## what

it all started in a conversation i was having with [lily](https://lilymeow.ing/)
about blog engines.

![discord conversation between me and lily, the messages are as follows:
lily: can next do ssg
me: yes
lily: i can only find articles talking about it, no real projects that use it like that
me: smh
me: gonna @ domi and tell them to make bash blog ssg
me: actually i should totally do that](/media/blag/convo.png)

it is important to note that this project ended up being ssr, not ssg. i just
find ssr to be far more comfortable and extensible (more on that later).

a few days later, i got to work, and shared a screenshot of the first
functioning draft [in a fedi post](https://donotsta.re/notice/AodxsF6Db3Kid8nZku).

![a fedi post by me, the post text reads "making a thing", and attached is a screenshot of the 
the screenshot contents are as follows:
firefox and a terminal window open on my desktop
the terminal displays the 3 commands ran:
"bat post.sh", the output of which is the line annotated and syntax highlighted contents of post.sh,
"time ./render.sh post.sh > rendered.html", and
"firefox rendered.html"
firefox has rendered.html open, displaying the output of the script. it is exactly as described in the script.](/media/blag/fedi.png)

in classic slonk fashion i started overengineering it soon after.
not before long, bingus-blog had a refactor abstracting away the post
provider in a trait object, improving caching, and more. overall, one
could argue that the `blag` engine mode is actually more robust than
`markdown`…

## i want to see it in action

sure! a bingus-blog instance configured with the `blag` engine and some
funky blag-posts is live over at [blag.slonk.ing](https://blag.slonk.ing)!  
just please don't hack me. or do. your choice. if you do though, please tell me
so i can fix it😅

## security

now for the obvious question, is this secure?

easy answer: no. i do not consider this secure enough to host on actual hardware,
even i use a dedicated vm to host [bingus-blag](https://blag.slonk.ing/)  

however, it *should* be secure enough unless you do something wrong, allowing
for rce or something. and it's *really* easy to do something wrong with this.

presently only one code execution vulnerability was found, which involved
providing an url encoded path as the post name in the url, and led to
an attacker being able to source local shell scripts. this has been fixed,
but still, please don't host this on your production servers.

## how to blag

to get started, you must first obtain the `blag` command:

```sh
git clone https://git.slonk.ing/slonk/blag
sudo install -Dt /usr/local/bin blag/blag # install blag in the global PATH
# if you don't want to do this, you can install it anywhere where bingus-blog
# can reach, but if it's not in it's PATH, you must set `blag.bin` to the path
# to the blag executable in the config
```

after that, it's a matter of simply deploying bingus-blog as usual,
but with `engine.mode = "blag"` in the config

further instructions are available in [blag's README file](https://git.slonk.ing/slonk/blag/src/branch/main/README.md)