diff --git a/hosts/blogbox/configuration.nix b/hosts/blogbox/configuration.nix
index 25ac58f..386eff5 100644
--- a/hosts/blogbox/configuration.nix
+++ b/hosts/blogbox/configuration.nix
@@ -1,5 +1,7 @@
 { config, pkgs, ... }:
-
+let
+ hugoDir = "/home/alisceon/blog";
+in
 {
 imports = [ ./hardware-configuration.nix ];
@@ -15,151 +17,99 @@ allowedTCPPorts = [ 22 80 443 ]; allowedUDPPorts = [ 443 ]; }; + environment = { + systemPackages = with pkgs; [ + hugo + caddy + ddclient + ]; # end systemPackages + }; # end environment systemd = { services = { "pull-blog" = { + wantedBy = [ "multi-user.target" ]; script = '' - + git pull origin main + hugo ''; serviceConfig = { type = "oneshot"; - user = "root" - }; - }; - }; + user = "alisceon"; + workingDirectory = hugoDir; + }; # end serviceConfig + }; # end pull-blog + "ddclient" = { + description = "Dynamic DNS client"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.ddclient}/bin/ddclient -foreground -file /etc/blogbox/ddclient.conf"; + Restart = "on-failure"; + User = "root"; + EnvironmentFile = "/etc/blogbox/.env"; + }; # end serviceConfig + }; # end ddclient + }; # end services timers = { "pull-blog" = { wantedBy = [ "timers.target" ]; timerConfig = { - OnCalendar = "*:0/5"; + OnBootSec = "5min"; + OnUnitActiveSec = "5min"; Persistent = true; - }; - }; - }; - }; - + }; # end timerConfig + }; # end pull-blog + "ddclient" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "5min"; + OnUnitActiveSec = "5min"; + Persistent = true; + }; # end timerConfig + }; # end ddclient + }; # end timers + }; # end systemd + services= { + caddy = { + enable = true; + environmentFile = "/etc/blogbox/.env"; + virtualHosts = { + "blog" = { + hostName = "${DOMAIN}"; + forceSSL = true; + root = "${hugoDir}/public"; + index = "index.html"; + log = [ "stdout" "stderr" ]; + fileServer = { }; + tls = { + email = "" + }; # end tls + }; # end {$DOMAIN} + }; # end virtualHosts + }; # end caddy + }; # end services.caddy environment = { etc = { - "blogbox/blogbox.env" = { - text = ""; - mode = "644"; - }; - "blogbox/acme.json" = { - text = ""; + "blogbox/ddclient.conf" = { + text = '' + use=web, web=dynamicdns.park-your-domain.com/getip + protocol=namecheap + server=dynamicdns.park-your-domain.com + 
login_env=DOMAIN + password_env=DDNS_PASSWORD + @ + ''; mode = "600"; - }; + }; + "blogbox/.env.example" = { + text = '' + HUGO_DIR=${hugoDir} + HUGO_ENV=production + DOMAIN=example.com + DDNS_PASSWORD=yourpassword + NAMECHEAP_API_KEY=yourapikey + ''; + mode = "600"; + }; }; # end etc }; - - virtualisation = { - podman.dockerSocket.enable = true; - oci-containers = { - backend = "podman"; - containers = { - traefik = { - image = "docker.io/library/traefik:beaufort"; - autoStart = true; - autoRemoveOnStop = true; - privileged = true; - networks = [ "Containet" ]; - ports = [ "80:80" "443:443" "443:443/udp" ]; - volumes = [ - "${pkgs.podman}/run/podman/podman.sock:/var/run/docker.sock:ro" - "/etc/traefik/acme.json:/acme.json" - ]; - environmentFiles = [ "/etc/traefik/blogbox.env" ]; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.http-catchall.rule" = "hostregexp(`{host:.+}`)"; - "traefik.http.routers.http-catchall.entrypoints" = "web"; - }; - cmd = '' - --accesslog \ - --accesslog.format=json \ - --accesslog.fields.headers.names.User-Agent=keep \ - --log.level=INFO \ - --providers.docker=true \ - --providers.docker.network=Containet \ - --providers.docker.exposedbydefault=false \ - --entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \ - --entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \ - --entryPoints.web.forwardedHeaders.insecure=false \ - --entryPoints.web.proxyProtocol.insecure=false \ - --entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \ - --entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \ - --entryPoints.websecure.forwardedHeaders.insecure=false \ - --entryPoints.websecure.proxyProtocol.insecure=false \ - --entrypoints.web.address=:80 \ - --entrypoints.websecure.address=:443 \ - --entryPoints.metrics.address=:8082 \ - --entrypoints.web.http.redirections.entryPoint.to=websecure \ - --entrypoints.web.http.redirections.entryPoint.scheme=https \ - 
--entrypoints.web.http.redirections.entrypoint.permanent=true \ - --entrypoints.websecure.http3 \ - --entrypoints.name.http3.advertisedport=443 \ - --entrypoints.websecure.http.tls.certResolver=leresolver \ - --entrypoints.websecure.http.tls.domains[0].main=$DOMAIN \ - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAIN \ - --certificatesresolvers.leresolver.acme.dnschallenge=true \ - --certificatesresolvers.leresolver.acme.dnschallenge.provider=namecheap \ - --certificatesresolvers.leresolver.acme.storage=./acme.json \ - --certificatesresolvers.leresolver.acme.dnschallenge.resolvers=dns1.registrar-servers.com:53,dns2.registrar-servers.com:53 \ - --metrics.prometheus=true \ - --metrics.prometheus.addrouterslabels=true \ - --metrics.prometheus.entryPoint=metrics - '' - }; # end traefik - hugo = { - labels = { - "traefik.enable" = true; - "traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)"; - "traefik.http.routers.hugo-router.entrypoints" = "websecure"; - "traefik.http.services.hugo-router.loadbalancer.server.port" = "8080"; - "traefik.http.routers.hugo-router.service" = "hugo-router"; - "traefik.http.middlewares.compression.compress" = "true"; - "traefik.http.middlewares.retry.retry.attempts" = "8"; - "traefik.http.middlewares.retry.retry.initialInterval" = "2"; - "traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml"; - "traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = ""; - "traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false"; - "traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true"; - "traefik.http.middlewares.hugo-headers.headers.stspreload" = "true"; - "traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000"; - "traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true"; - "traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; 
script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';"; - "traefik.http.middlewares.hugo-headers.headers.framedeny" = "true"; - "traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true"; - "traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin"; - }; - }; # end hugo - cats = { - labels = { - "traefik.http.routers.cats-router.priority"="1"; - "traefik.http.middlewares.cats.errors.status"="400-599"; - "traefik.http.middlewares.cats.errors.service"="cats-router"; - "traefik.http.middlewares.cats.errors.query"="/{status}.html"; - "traefik.enable" = true; - "traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)"; - "traefik.http.routers.hugo-router.entrypoints" = "websecure"; - "traefik.http.services.hugo-router.loadbalancer.server.port" = "8080"; - "traefik.http.routers.hugo-router.service" = "hugo-router"; - "traefik.http.middlewares.compression.compress" = "true"; - "traefik.http.middlewares.retry.retry.attempts" = "8"; - "traefik.http.middlewares.retry.retry.initialInterval" = "2"; - "traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml"; - "traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = ""; - "traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false"; - "traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true"; - "traefik.http.middlewares.hugo-headers.headers.stspreload" = "true"; - "traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000"; - "traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true"; - "traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';"; - "traefik.http.middlewares.hugo-headers.headers.framedeny" = "true"; - "traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true"; - 
"traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin"; - }; - }; # end cats - }; # end containers - }; # end oci-containers - }; # end virtualisation } # end file diff --git a/hosts/common/base.nix b/hosts/common/base.nix index 1cd0aa6..111692a 100644 --- a/hosts/common/base.nix +++ b/hosts/common/base.nix @@ -64,7 +64,6 @@ LC_TELEPHONE = "sv_SE.UTF-8"; LC_TIME = "sv_SE.UTF-8"; }; - security.sudo.wheelNeedsPassword = false; environment = { systemPackages = with pkgs; [ @@ -108,10 +107,14 @@ ]; }; # end environment - virtualisation.podman = { - enable = true; - dockerCompat = true; - defaultNetwork.settings.dns_enabled = true; + virtualisation = { + containers.enable = true; + podman = { + enable = true; + dockerCompat = true; + defaultNetwork.settings.dns_enabled = true; + }; # end podman + oci-containers.backend = "podman"; }; # end virtualisation users.users.alisceon = { @@ -154,9 +157,9 @@ description = "fuzzy completions for xonsh"; license = pkgs.lib.licenses.mit; maintainers = [ ]; - }; - } - ) + }; # end meta + } # end buildPythonPackage + ) ]; # end extraPackages config = (builtins.readFile ../../home/conf/xonsh/xonshrc); }; # end xonsh diff --git a/hosts/common/server.nix b/hosts/common/server.nix index 9ef5f61..5d30dc7 100644 --- a/hosts/common/server.nix +++ b/hosts/common/server.nix @@ -1,6 +1,7 @@ { config, pkgs, ... }: { + security.sudo.wheelNeedsPassword = true; services = { openssh = { enable = true; @@ -9,8 +10,6 @@ }; # end openssh }; # end services - services.fwupd.enable = true; - environment = { systemPackages = with pkgs; [ devenv diff --git a/hosts/tesla-nixos/configuration.nix b/hosts/tesla-nixos/configuration.nix index 14c0e0a..4b963c7 100644 --- a/hosts/tesla-nixos/configuration.nix +++ b/hosts/tesla-nixos/configuration.nix 
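Review bot: `hostName = "${DOMAIN}";` in the caddy virtualHost is a Nix string interpolation of a variable that is never bound, so evaluation fails before the environment file is ever read; if the intent is Caddy's own env placeholder (the `# end {$DOMAIN}` comment suggests so), the literal should be `hostName = "{$DOMAIN}";`, and `email = ""` in the `tls` block is also missing its `;`. The `pull-blog` serviceConfig keys `type`, `user` and `workingDirectory` are lowercase, which systemd treats as unknown keys and ignores, so the unit would fall back to the default type, run as root and not start in `hugoDir`; write them as `Type = "oneshot"; User = "alisceon"; WorkingDirectory = hugoDir;`, matching the casing already used in the ddclient unit. The `forceSSL`, `root`, `index`, `log`, `fileServer` and `tls` attributes do not look like `services.caddy.virtualHosts` options (the NixOS caddy module takes Caddyfile directives through `extraConfig`), so verify them against the module before relying on them. Both caddy (`environmentFile`) and the root-run ddclient (`EnvironmentFile`) load the same `/etc/blogbox/.env`, so the web server also receives `DDNS_PASSWORD` and `NAMECHEAP_API_KEY`, which it does not need; a separate env file holding only `DOMAIN` for caddy keeps those secrets out of the web-facing process.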
@@ -10,4 +10,14 @@
 enable = true;
 }; # end loader.systemd-boot
 }; # end boot
+ virtualisation.oci-containers.containers = {
+ isponsorblocktv = {
+ image = "ghcr.io/dmunozv04/isponsorblocktv:latest";
+ autoStart = true;
+ volumes = [
+ "/home/alisceon/isponsorblocktv::/app/data"
+ ]
+ }; # end isponsorblocktv
+ };
+
 } # end file
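Review bot: The `volumes` list in `isponsorblocktv` is not terminated — `]` is followed directly by `};`, which Nix rejects — and the entry `"/home/alisceon/isponsorblocktv::/app/data"` has a doubled colon, which the `host:container[:options]` mount syntax will not parse as a plain bind mount; the line should read `"/home/alisceon/isponsorblocktv:/app/data"` with `];` closing the list. The image is referenced by the floating `:latest` tag, so each pull can silently change what runs on this host; pinning to a specific tag or a `@sha256:` digest makes the deployed image reproducible and auditable.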