nixos_config/nixos/hosts/oci-a1/configuration.nix

{ lib, pkgs, modulesPath, ... }:
let
  fetchOciAuthorizedKeys = pkgs.writeShellApplication {
    name = "fetch-oci-authorized-keys";
    runtimeInputs = [
      pkgs.coreutils
      pkgs.curl
    ];
    text = ''
      install -d -m 0700 -o alisceon -g users /home/alisceon/.ssh

      if [ -s /home/alisceon/.ssh/authorized_keys ]; then
        echo "OCI authorized_keys already present for alisceon"
        exit 0
      fi

      curl --fail --silent --show-error --location \
        --header "Authorization: Bearer Oracle" \
        --output /home/alisceon/.ssh/authorized_keys \
        http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys

      chown alisceon:users /home/alisceon/.ssh/authorized_keys
      chmod 0600 /home/alisceon/.ssh/authorized_keys
    '';
  };
in
{
  imports = [
    "${modulesPath}/virtualisation/oci-image.nix"
  ];

  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";

  networking = {
    hostName = "nixos-oci-a1";
    networkmanager.enable = lib.mkForce false;
  };

  boot.initrd.availableKernelModules = [
    "virtio_pci"
    "virtio_blk"
    "virtio_scsi"
    "virtio_net"
    "xhci_pci"
  ];

  users.users.alisceon.extraGroups = [ "systemd-journal" ];

  security.sudo-rs.wheelNeedsPassword = false;

  services.openssh.settings = {
    PasswordAuthentication = false;
    PermitRootLogin = lib.mkForce "prohibit-password";
  };

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      datasource_list = [ "Oracle" "ConfigDrive" "NoCloud" ];
      users = [ "default" ];
      system_info.default_user = {
        name = "alisceon";
        gecos = "Alisceon";
        groups = [ "wheel" "systemd-journal" ];
        shell = "/run/current-system/sw/bin/xonsh";
        lock_passwd = true;
      };
    };
  };

  systemd.services.fetch-oci-authorized-keys = {
    description = "Fetch OCI metadata authorized_keys for alisceon";
    wantedBy = [ "sshd.service" ];
    before = [ "sshd.service" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      StandardError = "journal+console";
      StandardOutput = "journal+console";
    };
    script = lib.getExe fetchOciAuthorizedKeys;
  };

  systemd.services.fetch-ssh-keys.enable = false;

  environment.systemPackages = with pkgs; [
    curl
    git
    htop
    jq
    vim
    wget
  ];

  system.stateVersion = lib.mkForce "25.11";
}
add oci target 2026-05-27 16:39:26 +02:00			`{ lib, pkgs, modulesPath, ... }:`
			`let`
			`fetchOciAuthorizedKeys = pkgs.writeShellApplication {`
			`name = "fetch-oci-authorized-keys";`
			`runtimeInputs = [`
			`pkgs.coreutils`
			`pkgs.curl`
			`];`
			`text = ''`
			`install -d -m 0700 -o alisceon -g users /home/alisceon/.ssh`

			`if [ -s /home/alisceon/.ssh/authorized_keys ]; then`
			`echo "OCI authorized_keys already present for alisceon"`
			`exit 0`
			`fi`

			`curl --fail --silent --show-error --location \`
			`--header "Authorization: Bearer Oracle" \`
			`--output /home/alisceon/.ssh/authorized_keys \`
			`http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys`

			`chown alisceon:users /home/alisceon/.ssh/authorized_keys`
			`chmod 0600 /home/alisceon/.ssh/authorized_keys`
			`'';`
			`};`
			`in`
			`{`
			`imports = [`
			`"${modulesPath}/virtualisation/oci-image.nix"`
			`];`

			`nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";`

			`networking = {`
			`hostName = "nixos-oci-a1";`
			`networkmanager.enable = lib.mkForce false;`
			`};`

			`boot.initrd.availableKernelModules = [`
			`"virtio_pci"`
			`"virtio_blk"`
			`"virtio_scsi"`
			`"virtio_net"`
			`"xhci_pci"`
			`];`

			`users.users.alisceon.extraGroups = [ "systemd-journal" ];`

			`security.sudo-rs.wheelNeedsPassword = false;`

			`services.openssh.settings = {`
			`PasswordAuthentication = false;`
			`PermitRootLogin = lib.mkForce "prohibit-password";`
			`};`

			`services.cloud-init = {`
			`enable = true;`
			`network.enable = true;`
			`settings = {`
			`datasource_list = [ "Oracle" "ConfigDrive" "NoCloud" ];`
			`users = [ "default" ];`
			`system_info.default_user = {`
			`name = "alisceon";`
			`gecos = "Alisceon";`
			`groups = [ "wheel" "systemd-journal" ];`
			`shell = "/run/current-system/sw/bin/xonsh";`
			`lock_passwd = true;`
			`};`
			`};`
			`};`

			`systemd.services.fetch-oci-authorized-keys = {`
			`description = "Fetch OCI metadata authorized_keys for alisceon";`
			`wantedBy = [ "sshd.service" ];`
			`before = [ "sshd.service" ];`
			`after = [ "network-online.target" ];`
			`wants = [ "network-online.target" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`StandardError = "journal+console";`
			`StandardOutput = "journal+console";`
			`};`
			`script = lib.getExe fetchOciAuthorizedKeys;`
			`};`

			`systemd.services.fetch-ssh-keys.enable = false;`

			`environment.systemPackages = with pkgs; [`
			`curl`
			`git`
			`htop`
			`jq`
			`vim`
			`wget`
			`];`

			`system.stateVersion = lib.mkForce "25.11";`
			`}`