From bde2cb101d5789216e359655fcc49bf90351e69f Mon Sep 17 00:00:00 2001
From: alisceon
Date: Tue, 26 Aug 2025 14:00:14 +0200
Subject: [PATCH] starting light work on serer infra
---
 flake.nix | 16 +++
 home/alisceon/workstation.nix | 10 ++
 hosts/alisceon-core/configuration.nix | 13 ++
 hosts/blogbox/configuration.nix | 165 ++++++++++++++++++++++++++
 hosts/common/base.nix | 3 +
 hosts/common/server.nix | 6 +-
 6 files changed, 212 insertions(+), 1 deletion(-)
 create mode 100644 hosts/alisceon-core/configuration.nix
 create mode 100644 hosts/blogbox/configuration.nix
diff --git a/flake.nix b/flake.nix
index 1e87405..7410cd4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -98,6 +98,22 @@
 }) # end home-manager
 ]; # end modules
 }; # end tesla-nixos
+ blogbox = nixpkgs.lib.nixosSystem {
+ inherit system;
+ inherit pkgs;
+ specialArgs = sharedSpecialArgs // {};
+ modules = sharedModules ++ [
+ ./hosts/common/server.nix
+ ./hosts/blogbox/configuration.nix
+ home-manager.nixosModules.home-manager
+ ({ config, ...}: {
+ home-manager.users.alisceon.imports = [
+ ./home/alisceon/base.nix
+ ./home/alisceon/server.nix
+ ];
+ }) # end home-manager
+ ]; # end modules
+ }; # end tesla-nixos
 }; # end nixos conf
 }; # end "in"
 } # end file
diff --git a/home/alisceon/workstation.nix b/home/alisceon/workstation.nix
index d9d7d06..78b5b1a 100644
--- a/home/alisceon/workstation.nix
+++ b/home/alisceon/workstation.nix
@@ -24,6 +24,16 @@
 # nixpkgs config
 xdg.configFile."nixpkgs/config.nix".source = ../conf/config.nix;
+ xdg.autostart = {
+ enable = true;
+ entries = [
+ "${pkgs.firefox}/share/applications/firefox.desktop"
+ "${pkgs.discord}/share/applications/discord.desktop"
+ "${pkgs.signal-desktop}/share/applications/signal.desktop"
+ "${pkgs.obsidian}/share/applications/obsidian.desktop"
+ ];
+ }; # end xdg.autostart
+
 home.packages = with pkgs; [
 signal-desktop
 discord
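Review bot: The closing comment of the new `blogbox` attribute set is copied from the host above — `}; # end tesla-nixos` — so the file now carries two identical end markers and the one on the new block is misleading; it should read `}; # end blogbox`. `specialArgs = sharedSpecialArgs // {};` merges an empty set and is equivalent to `specialArgs = sharedSpecialArgs;` unless a host-specific argument is about to be added, in which case a comment saying so would help. The enclosing attribute set (closed by `# end nixos conf`) starts outside the hunk.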
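Review bot: The Signal autostart entry points at `${pkgs.signal-desktop}/share/applications/signal.desktop`, but the `signal-desktop` package appears to install its launcher as `signal-desktop.desktop`; if so, this entry will dangle silently rather than fail at build time, since `xdg.autostart.entries` takes plain path strings. Confirm the file name in the package's `share/applications` directory before merging, and consider the same check for the other three entries. The enclosing home-manager module starts outside the hunk.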
diff --git a/hosts/alisceon-core/configuration.nix b/hosts/alisceon-core/configuration.nix
new file mode 100644
index 0000000..e6a4de8
--- /dev/null
+++ b/hosts/alisceon-core/configuration.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ ./hardware-configuration.nix ];
+ networking.hostName = "alisceon-core";
+ boot.initrd.enable = true;
+ boot.loader = {
+ systemd-boot = {
+ enable = true;
+ }; # end loader.systemd-boot
+ }; # end boot
+} # end file
diff --git a/hosts/blogbox/configuration.nix b/hosts/blogbox/configuration.nix
new file mode 100644
index 0000000..25ac58f
--- /dev/null
+++ b/hosts/blogbox/configuration.nix
@@ -0,0 +1,165 @@
+{ config, pkgs, ... }:
+
+{
+ imports =
+ [ ./hardware-configuration.nix ];
+ networking.hostName = "blogbox";
+ boot.initrd.enable = true;
+ boot.loader = {
+ systemd-boot = {
+ enable = true;
+ }; # end loader.systemd-boot
+ }; # end boot
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 80 443 ];
+ allowedUDPPorts = [ 443 ];
+ };
+ systemd = {
+ services = {
+ "pull-blog" = {
+ script = ''
+
+ '';
+ serviceConfig = {
+ type = "oneshot";
+ user = "root"
+ };
+ };
+ };
+ timers = {
+ "pull-blog" = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "*:0/5";
+ Persistent = true;
+ };
+ };
+ };
+ };
+
+ environment = {
+ etc = {
+ "blogbox/blogbox.env" = {
+ text = "";
+ mode = "644";
+ };
+ "blogbox/acme.json" = {
+ text = "";
+ mode = "600";
+ };
+ }; # end etc
+ };
+
+ virtualisation = {
+ podman.dockerSocket.enable = true;
+ oci-containers = {
+ backend = "podman";
+ containers = {
+ traefik = {
+ image = "docker.io/library/traefik:beaufort";
+ autoStart = true;
+ autoRemoveOnStop = true;
+ privileged = true;
+ networks = [ "Containet" ];
+ ports = [ "80:80" "443:443" "443:443/udp" ];
+ volumes = [
+ "${pkgs.podman}/run/podman/podman.sock:/var/run/docker.sock:ro"
+ "/etc/traefik/acme.json:/acme.json"
+ ];
+ environmentFiles = [ "/etc/traefik/blogbox.env" ];
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.http-catchall.rule" = "hostregexp(`{host:.+}`)";
+ "traefik.http.routers.http-catchall.entrypoints" = "web";
+ };
+ cmd = ''
+ --accesslog \
+ --accesslog.format=json \
+ --accesslog.fields.headers.names.User-Agent=keep \
+ --log.level=INFO \
+ --providers.docker=true \
+ --providers.docker.network=Containet \
+ --providers.docker.exposedbydefault=false \
+ --entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+ --entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+ --entryPoints.web.forwardedHeaders.insecure=false \
+ --entryPoints.web.proxyProtocol.insecure=false \
+ --entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+ --entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+ --entryPoints.websecure.forwardedHeaders.insecure=false \
+ --entryPoints.websecure.proxyProtocol.insecure=false \
+ --entrypoints.web.address=:80 \
+ --entrypoints.websecure.address=:443 \
+ --entryPoints.metrics.address=:8082 \
+ --entrypoints.web.http.redirections.entryPoint.to=websecure \
+ --entrypoints.web.http.redirections.entryPoint.scheme=https \
+ --entrypoints.web.http.redirections.entrypoint.permanent=true \
+ --entrypoints.websecure.http3 \
+ --entrypoints.name.http3.advertisedport=443 \
+ --entrypoints.websecure.http.tls.certResolver=leresolver \
+ --entrypoints.websecure.http.tls.domains[0].main=$DOMAIN \
+ --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAIN \
+ --certificatesresolvers.leresolver.acme.dnschallenge=true \
+ --certificatesresolvers.leresolver.acme.dnschallenge.provider=namecheap \
+ --certificatesresolvers.leresolver.acme.storage=./acme.json \
+ --certificatesresolvers.leresolver.acme.dnschallenge.resolvers=dns1.registrar-servers.com:53,dns2.registrar-servers.com:53 \
+ --metrics.prometheus=true \
+ --metrics.prometheus.addrouterslabels=true \
+ --metrics.prometheus.entryPoint=metrics
+ ''
+ }; # end traefik
+ hugo = {
+ labels = {
+ "traefik.enable" = true;
+ "traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)";
+ "traefik.http.routers.hugo-router.entrypoints" = "websecure";
+ "traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
+ "traefik.http.routers.hugo-router.service" = "hugo-router";
+ "traefik.http.middlewares.compression.compress" = "true";
+ "traefik.http.middlewares.retry.retry.attempts" = "8";
+ "traefik.http.middlewares.retry.retry.initialInterval" = "2";
+ "traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml";
+ "traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
+ "traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
+ "traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
+ "traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
+ "traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
+ };
+ }; # end hugo
+ cats = {
+ labels = {
+ "traefik.http.routers.cats-router.priority"="1";
+ "traefik.http.middlewares.cats.errors.status"="400-599";
+ "traefik.http.middlewares.cats.errors.service"="cats-router";
+ "traefik.http.middlewares.cats.errors.query"="/{status}.html";
+ "traefik.enable" = true;
+ "traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)";
+ "traefik.http.routers.hugo-router.entrypoints" = "websecure";
+ "traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
+ "traefik.http.routers.hugo-router.service" = "hugo-router";
+ "traefik.http.middlewares.compression.compress" = "true";
+ "traefik.http.middlewares.retry.retry.attempts" = "8";
+ "traefik.http.middlewares.retry.retry.initialInterval" = "2";
+ "traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml";
+ "traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
+ "traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
+ "traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
+ "traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
+ "traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
+ "traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
+ };
+ }; # end cats
+ }; # end containers
+ }; # end oci-containers
+ }; # end virtualisation
+} # end file
diff --git a/hosts/common/base.nix b/hosts/common/base.nix
index 15d6fd7..c721d34 100644
--- a/hosts/common/base.nix
+++ b/hosts/common/base.nix
@@ -115,6 +115,9 @@
 isNormalUser = true;
 extraGroups = [ "wheel" "networkmanager" "podman" ];
 shell = pkgs.nushell;
+ openssh.authorizedKeys.keys = [
+ "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPN1Cd2UlHo03Jqgi5Yb4io/3gh/X4wCb8LcmKlpAovQa271CKDBtYOUKn+Fts03g6dBMfaWMty6VGPMGDMONmc= alisceon@electra"
+ ];
 }; # end users
 programs.command-not-found.enable = true;
diff --git a/hosts/common/server.nix b/hosts/common/server.nix
index a82bfd2..9ef5f61 100644
--- a/hosts/common/server.nix
+++ b/hosts/common/server.nix
@@ -2,7 +2,11 @@
 {
 services = {
- openssh.enable = true;
+ openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ }; # end openssh
 }; # end services
 services.fwupd.enable = true;