alisceon/nixos_config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add blogbox target

Browse source
This commit is contained in:
alisceon 2026-05-29 19:30:07 +02:00
parent e2b41c8129
commit 2ac05607a2
5 changed files with 394 additions and 68 deletions
Download patch file Download diff file Expand all files Collapse all files

82
nixos/hosts/alisceon-core/configuration.nix
View file

@ -1,38 +1,11 @@
{ lib, pkgs, modulesPath, ... }:
let
forgejoDomain = "git.alisceon.com";
syncthingDomain = "syncthing.alisceon.com";
fetchOciAuthorizedKeys = pkgs.writeShellApplication {
name = "fetch-oci-authorized-keys";
runtimeInputs = [
pkgs.coreutils
pkgs.curl
];
text = ''
install -d -m 0700 -o alisceon -g users /home/alisceon/.ssh
if [ -s /home/alisceon/.ssh/authorized_keys ]; then
echo "OCI authorized_keys already present for alisceon"
exit 0
fi
curl --fail --silent --show-error --location \
--header "Authorization: Bearer Oracle" \
--output /home/alisceon/.ssh/authorized_keys \
http://169.254.169.254/opc/v2/instance/metadata/ssh_authorized_keys
chown alisceon:users /home/alisceon/.ssh/authorized_keys
chmod 0600 /home/alisceon/.ssh/authorized_keys
'';
};
in
{
imports = [
"${modulesPath}/virtualisation/oci-image.nix"
../../modules/services/cloud-init.nix
../../modules/services/forgejo.nix
../../modules/services/nginx.nix
../../modules/services/oci-authorized-keys.nix
../../modules/services/tor.nix
];
@ -90,6 +63,14 @@ in
users.users.alisceon.extraGroups = [ "systemd-journal" ];
alisceon = {
cloud-init = {
enable = true;
defaultShell = "/run/current-system/sw/bin/xonsh";
};
ociAuthorizedKeys.enable = true;
};
security = {
acme = {
acceptTerms = true;
@ -129,7 +110,7 @@ in
};
};
alisceon.forgejo.domain = forgejoDomain;
alisceon.forgejo.domain = "forgejo.alisceon.com";
services.gitea-actions-runner.instances.alisceon-core-podman.labels = [
"podman"
@ -138,8 +119,8 @@ in
];
services.nginx.virtualHosts = {
${forgejoDomain} = {
serverName = forgejoDomain;
${"forgejo.alisceon.com"} = {
serverName = "forgejo.alisceon.com";
forceSSL = true;
enableACME = true;
locations."/" = {
@ -147,8 +128,8 @@ in
recommendedProxySettings = true;
};
};
${syncthingDomain} = {
serverName = syncthingDomain;
${"syncthing.alisceon.com"} = {
serverName = "syncthing.alisceon.com";
forceSSL = true;
enableACME = true;
locations."/" = {
@ -167,39 +148,6 @@ in
};
};
services.cloud-init = {
enable = true;
network.enable = true;
settings = {
datasource_list = [ "Oracle" "ConfigDrive" "NoCloud" ];
users = [ "default" ];
system_info.default_user = {
name = "alisceon";
gecos = "Alisceon";
groups = [ "wheel" "systemd-journal" ];
shell = "/run/current-system/sw/bin/xonsh";
lock_passwd = true;
};
};
};
systemd.services.fetch-oci-authorized-keys = {
description = "Fetch OCI metadata authorized_keys for alisceon";
wantedBy = [ "sshd.service" ];
before = [ "sshd.service" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
StandardError = "journal+console";
StandardOutput = "journal+console";
};
script = lib.getExe fetchOciAuthorizedKeys;
};
systemd.services.fetch-ssh-keys.enable = false;
systemd.services.syncthing = {
serviceConfig = {
LockPersonality = true;

225
nixos/hosts/blogbox/configuration.nix Normal file
View file

@ -0,0 +1,225 @@
{ lib, pkgs, modulesPath, ... }:
let
siteDomain = "blogbox.alisceon.com";
repoDir = "/home/alisceon/blogbox-site";
stateDir = "/var/lib/blogbox";
publicDir = "${stateDir}/www";
updateBlogboxSite = pkgs.writeShellApplication {
name = "update-blogbox-site";
runtimeInputs = [
pkgs.coreutils
pkgs.git
pkgs.hugo
pkgs.rsync
];
text = ''
set -euo pipefail
if [ ! -d ${lib.escapeShellArg repoDir}/.git ]; then
echo "${repoDir} is not a git checkout yet; skipping Hugo publish"
exit 0
fi
install -d -m 0755 ${lib.escapeShellArg stateDir} ${lib.escapeShellArg publicDir}
git -C ${lib.escapeShellArg repoDir} pull --ff-only
git -C ${lib.escapeShellArg repoDir} submodule sync --recursive
git -C ${lib.escapeShellArg repoDir} submodule update --init --recursive
rm -rf ${lib.escapeShellArg stateDir}/hugo-public
hugo \
--source ${lib.escapeShellArg repoDir} \
--destination ${lib.escapeShellArg stateDir}/hugo-public \
--minify \
--cleanDestinationDir
rsync -a --delete ${lib.escapeShellArg stateDir}/hugo-public/ ${lib.escapeShellArg publicDir}/
'';
};
in
{
imports = [
"${modulesPath}/virtualisation/oci-image.nix"
../../modules/services/cloud-init.nix
../../modules/services/nginx.nix
../../modules/services/oci-authorized-keys.nix
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
networking = {
hostName = "blogbox";
networkmanager.enable = lib.mkForce false;
useDHCP = lib.mkDefault true;
firewall.allowedTCPPorts = [
22
80
443
];
};
boot = {
kernelPackages = lib.mkForce pkgs.linuxPackages;
loader.systemd-boot.configurationLimit = lib.mkForce 3;
};
documentation = {
enable = lib.mkForce false;
man.enable = lib.mkForce false;
doc.enable = lib.mkForce false;
info.enable = lib.mkForce false;
nixos.enable = lib.mkForce false;
};
environment = {
defaultPackages = lib.mkForce [ ];
shells = lib.mkForce [ pkgs.bash ];
systemPackages = lib.mkForce (with pkgs; [
curl
git
hugo
vim
]);
};
programs = {
command-not-found.enable = lib.mkForce false;
fish.enable = lib.mkForce false;
fzf.fuzzyCompletion = lib.mkForce false;
xonsh.enable = lib.mkForce false;
};
users = {
defaultUserShell = lib.mkForce pkgs.bash;
users.alisceon = {
createHome = true;
extraGroups = lib.mkForce [ "wheel" "systemd-journal" ];
shell = lib.mkForce pkgs.bash;
};
};
alisceon = {
cloud-init.enable = true;
ociAuthorizedKeys.enable = true;
};
nix = {
settings = {
min-free = lib.mkForce (256 * 1024 * 1024);
max-free = lib.mkForce (1024 * 1024 * 1024);
};
gc = {
dates = lib.mkForce "daily";
options = lib.mkForce "--delete-older-than 3d";
};
};
security = {
acme = {
acceptTerms = true;
defaults.email = "acme@alisceon.com";
};
sudo-rs.wheelNeedsPassword = false;
};
services = {
openssh.settings = {
PasswordAuthentication = false;
PermitRootLogin = lib.mkForce "prohibit-password";
};
journald.extraConfig = ''
SystemMaxUse=64M
RuntimeMaxUse=32M
'';
nginx.virtualHosts.${siteDomain} = {
serverName = siteDomain;
forceSSL = true;
enableACME = true;
root = publicDir;
locations."/".extraConfig = ''
try_files $uri $uri/ =404;
'';
};
};
systemd = {
tmpfiles.rules = [
"d ${repoDir} 0755 alisceon users - -"
"d ${stateDir} 0755 alisceon users - -"
"d ${publicDir} 0755 alisceon users - -"
];
services.update-blogbox-site = {
description = "Pull and publish the Blogbox Hugo site";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = "alisceon";
Group = "users";
ExecStart = lib.getExe updateBlogboxSite;
Nice = 10;
IOSchedulingClass = "idle";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ReadWritePaths = [
repoDir
stateDir
];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
UMask = "0022";
};
};
timers.update-blogbox-site = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "5m";
Persistent = true;
};
};
};
zramSwap = {
enable = true;
memoryPercent = 50;
};
swapDevices = [
{
device = "/swapfile";
size = 8 * 1024;
}
];
virtualisation = {
containers.enable = lib.mkForce false;
docker.enable = lib.mkForce false;
libvirtd = {
enable = lib.mkForce false;
qemu.swtpm.enable = lib.mkForce false;
};
podman.enable = lib.mkForce false;
};
system.stateVersion = lib.mkForce "25.11";
}