blogbox reverted to alisceon-core

2026-05-30 15:18:13 +02:00 · 2026-05-30 15:18:13 +02:00 · 31351d447c
commit 31351d447c
parent 56961c34fa
2 changed files with 114 additions and 333 deletions
--- a/flake.nix
+++ b/flake.nix
@ -175,7 +175,6 @@
          system = "x86_64-linux";
          nixosModules = serverModules;
          hmModules = serverHomeModules;
          homeManagerUsers = false;
        };
      };
    };
--- a/nixos/hosts/blogbox/configuration.nix
+++ b/nixos/hosts/blogbox/configuration.nix
@ -1,114 +1,16 @@
 { lib, pkgs, modulesPath, ... }:
 let
  siteDomain = "blogbox.alisceon.com";
  repoDir = "/home/alisceon/blogbox-site";
  stateDir = "/var/lib/blogbox";
  publicDir = "${stateDir}/www";
  updateBlogboxSite = pkgs.writeShellApplication {
    name = "update-blogbox-site";
    runtimeInputs = [
      pkgs.coreutils
      pkgs.git
      pkgs.hugo
      pkgs.rsync
    ];
    text = ''
      set -euo pipefail
      if [ ! -d ${lib.escapeShellArg repoDir}/.git ]; then
        echo "${repoDir} is not a git checkout yet; skipping Hugo publish"
        exit 0
      fi
      install -d -m 0755 ${lib.escapeShellArg stateDir} ${lib.escapeShellArg publicDir}
      git -C ${lib.escapeShellArg repoDir} pull --ff-only
      git -C ${lib.escapeShellArg repoDir} submodule sync --recursive
      git -C ${lib.escapeShellArg repoDir} submodule update --init --recursive
      rm -rf ${lib.escapeShellArg stateDir}/hugo-public
      hugo \
        --source ${lib.escapeShellArg repoDir} \
        --destination ${lib.escapeShellArg stateDir}/hugo-public \
        --minify \
        --cleanDestinationDir
      rsync -a --delete ${lib.escapeShellArg stateDir}/hugo-public/ ${lib.escapeShellArg publicDir}/
    '';
  };
  updateNamecheapDyndns = pkgs.writeShellApplication {
    name = "update-namecheap-dyndns";
    runtimeInputs = [
      pkgs.coreutils
      pkgs.ddclient
    ];
    text = ''
      set -euo pipefail
      : "''${NAMECHEAP_DOMAIN:?Set NAMECHEAP_DOMAIN in /etc/blogbox-namecheap-ddns.env}"
      : "''${NAMECHEAP_PASSWORD:?Set NAMECHEAP_PASSWORD in /etc/blogbox-namecheap-ddns.env}"
      : "''${NAMECHEAP_HOSTS:?Set NAMECHEAP_HOSTS in /etc/blogbox-namecheap-ddns.env}"
      config_file="''${RUNTIME_DIRECTORY}/ddclient.conf"
      install -m 0600 /dev/null "$config_file"
      {
        printf 'daemon=0\n'
        printf 'cache=/var/cache/blogbox-dyndns/ddclient.cache\n'
        printf 'ssl=yes\n'
        printf 'protocol=namecheap\n'
        printf 'usev4=webv4, webv4=dynamicdns.park-your-domain.com/getip\n'
        printf 'server=dynamicdns.park-your-domain.com\n'
        printf 'login=%s\n' "$NAMECHEAP_DOMAIN"
        printf 'password=%s\n' "$NAMECHEAP_PASSWORD"
        printf '%s\n' "$NAMECHEAP_HOSTS"
      } > "$config_file"
      ddclient -file "$config_file"
    '';
  };
  ensureBlogboxSwapfile = pkgs.writeShellApplication {
    name = "ensure-blogbox-swapfile";
    runtimeInputs = [
      pkgs.coreutils
      pkgs.gnugrep
      pkgs.util-linux
    ];
    text = ''
      set -euo pipefail
      if swapon --show=NAME --noheadings | grep -Fxq /swapfile; then
        exit 0
      fi
      if [ ! -f /swapfile ] || [ "$(stat -c %s /swapfile)" -ne 8589934592 ]; then
        rm -f /swapfile
        install -m 0600 /dev/null /swapfile
        fallocate -l 8G /swapfile || dd if=/dev/zero of=/swapfile bs=1M count=8192 status=none
        chmod 0600 /swapfile
      fi
      mkswap -f /swapfile
      swapon /swapfile
    '';
  };
 in
 {
  imports = [
    "${modulesPath}/virtualisation/oci-image.nix"
    ../../modules/services/cloud-init.nix
    ../../modules/services/forgejo.nix
    ../../modules/services/nginx.nix
    ../../modules/services/oci-authorized-keys.nix
    ../../modules/services/tor.nix
  ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  oci.efi = lib.mkForce false;
  virtualisation.diskSize = lib.mkForce (16 * 1024);
  networking = {
    hostName = "blogbox";
    networkmanager.enable = lib.mkForce false;
@ -116,6 +18,11 @@ in
      22
      80
      443
      22000
      24601
    ];
    firewall.allowedUDPPorts = [
      22000
    ];
  };
@ -127,72 +34,13 @@ in
      "virtio_net"
      "xhci_pci"
    ];
    kernelParams = lib.mkForce [
      "nvme.shutdown_timeout=10"
      "nvme_core.shutdown_timeout=10"
      "libiscsi.debug_libiscsi_eh=1"
      "crash_kexec_post_notifiers"
      "console=tty1"
      "console=ttyS0,115200n8"
    ];
    kernelPackages = lib.mkForce pkgs.linuxPackages;
    loader.systemd-boot.configurationLimit = lib.mkForce 3;
  };
  documentation = {
    enable = lib.mkForce false;
    man.enable = lib.mkForce false;
    doc.enable = lib.mkForce false;
    info.enable = lib.mkForce false;
    nixos.enable = lib.mkForce false;
  };
  environment = {
    defaultPackages = lib.mkForce [ ];
    shells = lib.mkForce [ pkgs.bash ];
    systemPackages = lib.mkForce (with pkgs; [
      curl
      git
      hugo
      vim
    ]);
  };
  programs = {
    command-not-found.enable = lib.mkForce false;
    fish.enable = lib.mkForce false;
    fzf.fuzzyCompletion = lib.mkForce false;
    xonsh.enable = lib.mkForce false;
  };
  users = {
    defaultUserShell = lib.mkForce pkgs.bash;
    groups.blogbox-dyndns = { };
    users.alisceon = {
      createHome = true;
      extraGroups = lib.mkForce [ "wheel" "systemd-journal" ];
      openssh.authorizedKeys.keys = [
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPN1Cd2UlHo03Jqgi5Yb4io/3gh/X4wCb8LcmKlpAovQa271CKDBtYOUKn+Fts03g6dBMfaWMty6VGPMGDMONmc= alisceon@electra"
      ];
      shell = lib.mkForce pkgs.bash;
    };
    users.blogbox-dyndns = {
      group = "blogbox-dyndns";
      isSystemUser = true;
    };
  };
  alisceon = {
    cloud-init.enable = true;
    ociAuthorizedKeys.enable = true;
  };
  nix = {
    settings = {
-      cores = lib.mkForce 1;
+      min-free = lib.mkForce (512 * 1024 * 1024);
-      max-jobs = lib.mkForce 1;
+      max-free = lib.mkForce (2 * 1024 * 1024 * 1024);
      min-free = lib.mkForce (256 * 1024 * 1024);
      max-free = lib.mkForce (1024 * 1024 * 1024);
    };
    gc = {
      dates = lib.mkForce "daily";
@ -200,9 +48,27 @@ in
    };
  };
-  system.autoUpgrade = {
+  virtualisation = {
-    persistent = lib.mkForce false;
+    docker.enable = lib.mkForce false;
-    randomizedDelaySec = lib.mkForce "4h";
+    podman = {
      enable = true;
      dockerSocket.enable = true;
      autoPrune = {
        enable = true;
        dates = "daily";
        flags = [ "--all" ];
      };
    };
  };
  users.users.alisceon.extraGroups = [ "systemd-journal" ];
  alisceon = {
    cloud-init = {
      enable = true;
      defaultShell = "/run/current-system/sw/bin/xonsh";
    };
    ociAuthorizedKeys.enable = true;
  };
  security = {
@ -213,189 +79,105 @@ in
    sudo-rs.wheelNeedsPassword = false;
  };
-  services = {
+  services.openssh.settings = {
-    openssh.settings = {
+    PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
+    PermitRootLogin = lib.mkForce "prohibit-password";
-      PasswordAuthentication = false;
+  };
-      PermitRootLogin = lib.mkForce "prohibit-password";
+
  services.syncthing = {
    enable = true;
    dataDir = "/var/lib/syncthing";
    guiAddress = "127.0.0.1:8384";
    openDefaultPorts = false;
    overrideDevices = false;
    overrideFolders = false;
    settings = {
      gui = {
        insecureAdminAccess = false;
        insecureSkipHostcheck = false;
      };
      options = {
        globalAnnounceEnabled = false;
        localAnnounceEnabled = false;
        listenAddresses = [
          "tcp://0.0.0.0:22000"
          "quic://0.0.0.0:22000"
        ];
        natEnabled = false;
        relaysEnabled = false;
        urAccepted = -1;
      };
    };
  };
-    journald.extraConfig = ''
+  alisceon.forgejo.domain = "forgejo.alisceon.com";
      SystemMaxUse=64M
      RuntimeMaxUse=32M
    '';
-    nginx.virtualHosts.${siteDomain} = {
+  services.gitea-actions-runner.instances.alisceon-core-podman.labels = [
-      serverName = siteDomain;
+    "podman"
    "x86_64"
    "amd64"
  ];
  services.nginx.virtualHosts = {
    ${"forgejo.alisceon.com"} = {
      serverName = "forgejo.alisceon.com";
      forceSSL = true;
      enableACME = true;
-      root = publicDir;
+      locations."/" = {
-      locations."/".extraConfig = ''
+        proxyPass = "http://127.0.0.1:3000";
-        try_files $uri $uri/ =404;
+        recommendedProxySettings = true;
      '';
    };
  };
  systemd = {
    tmpfiles.rules = [
      "d ${repoDir} 0755 alisceon users - -"
      "d ${stateDir} 0755 alisceon users - -"
      "d ${publicDir} 0755 alisceon users - -"
    ];
    services.update-blogbox-site = {
      description = "Pull and publish the Blogbox Hugo site";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      serviceConfig = {
        Type = "oneshot";
        User = "alisceon";
        Group = "users";
        ExecStart = lib.getExe updateBlogboxSite;
        Nice = 10;
        IOSchedulingClass = "idle";
        LockPersonality = true;
        MemoryHigh = "384M";
        MemoryMax = "512M";
        NoNewPrivileges = true;
        OOMPolicy = "stop";
        PrivateDevices = true;
        PrivateIPC = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        ReadWritePaths = [
          repoDir
          stateDir
        ];
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        TimeoutStartSec = "15min";
        UMask = "0022";
      };
    };
-
+    ${"syncthing.alisceon.com"} = {
-    services.blogbox-dyndns = {
+      serverName = "syncthing.alisceon.com";
-      description = "Update Namecheap dynamic DNS records for Blogbox";
+      forceSSL = true;
-      after = [ "network-online.target" ];
+      enableACME = true;
-      wants = [ "network-online.target" ];
+      locations."/" = {
-      unitConfig.ConditionPathExists = "/etc/blogbox-namecheap-ddns.env";
+        proxyPass = "http://127.0.0.1:8384";
-      serviceConfig = {
+        recommendedProxySettings = false;
-        Type = "oneshot";
+        extraConfig = ''
-        User = "blogbox-dyndns";
+          proxy_set_header Host $proxy_host;
-        Group = "blogbox-dyndns";
+          proxy_set_header X-Real-IP $remote_addr;
-        ExecStart = lib.getExe updateNamecheapDyndns;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        CacheDirectory = "blogbox-dyndns";
+          proxy_set_header X-Forwarded-Host $host;
-        EnvironmentFile = "/etc/blogbox-namecheap-ddns.env";
+          proxy_set_header X-Forwarded-Proto $scheme;
-        LockPersonality = true;
+          proxy_read_timeout 600s;
-        MemoryMax = "128M";
+          proxy_send_timeout 600s;
-        MemoryDenyWriteExecute = true;
+        '';
        NoNewPrivileges = true;
        OOMPolicy = "stop";
        PrivateDevices = true;
        PrivateIPC = true;
        PrivateTmp = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RuntimeDirectory = "blogbox-dyndns";
        RuntimeDirectoryMode = "0700";
        SystemCallArchitectures = "native";
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = "@system-service";
        TimeoutStartSec = "2min";
        UMask = "0177";
      };
    };
    timers.update-blogbox-site = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "10min";
        OnUnitInactiveSec = "5min";
        Persistent = true;
      };
    };
    timers.blogbox-dyndns = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "5min";
        OnUnitInactiveSec = "10min";
        Persistent = true;
      };
    };
  };
-  systemd.services.nixos-upgrade.serviceConfig = {
+  systemd.services.syncthing = {
    IOSchedulingClass = "idle";
    MemoryHigh = "512M";
    MemoryMax = "768M";
    Nice = 15;
    OOMPolicy = "stop";
  };
  systemd.services.growpart.serviceConfig = {
    IOSchedulingClass = "idle";
    Nice = 15;
    TimeoutStartSec = "2min";
  };
  systemd.services.blogbox-swapfile = {
    description = "Create and enable Blogbox swapfile";
    after = [
      "sshd.service"
      "systemd-growfs-root.service"
    ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
-      Type = "oneshot";
+      LockPersonality = true;
-      ExecStart = lib.getExe ensureBlogboxSwapfile;
+      PrivateIPC = true;
-      IOSchedulingClass = "idle";
+      ProcSubset = "pid";
-      Nice = 19;
+      ProtectClock = true;
-      RemainAfterExit = true;
+      ProtectHome = true;
-      TimeoutStartSec = "20min";
+      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ReadWritePaths = [ "/var/lib/syncthing" ];
      RemoveIPC = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_NETLINK"
        "AF_UNIX"
      ];
      SystemCallArchitectures = "native";
      UMask = "0077";
    };
  };
-  zramSwap = {
+  environment.systemPackages = with pkgs; [
-    enable = true;
+    curl
-    memoryPercent = 50;
+    git
-  };
+    htop
-
+    jq
-  virtualisation = {
+    vim
-    containers.enable = lib.mkForce false;
+    wget
-    docker.enable = lib.mkForce false;
+  ];
    libvirtd = {
      enable = lib.mkForce false;
      qemu.swtpm.enable = lib.mkForce false;
    };
    podman.enable = lib.mkForce false;
  };
  system.stateVersion = lib.mkForce "25.11";
 }