starting light work on serer infra

flake.nix

@@ -98,6 +98,22 @@
             }) # end home-manager
           ]; # end modules
         }; # end tesla-nixos 
+        blogbox = nixpkgs.lib.nixosSystem {
+          inherit system;
+          inherit pkgs;
+          specialArgs = sharedSpecialArgs // {};
+          modules = sharedModules ++ [
+            ./hosts/common/server.nix
+            ./hosts/blogbox/configuration.nix
+            home-manager.nixosModules.home-manager
+            ({ config, ...}: {
+              home-manager.users.alisceon.imports = [
+                ./home/alisceon/base.nix
+                ./home/alisceon/server.nix
+              ];
+            }) # end home-manager
+          ]; # end modules
+        }; # end tesla-nixos 
       }; # end nixos conf
     }; # end "in"
 } # end file

home/alisceon/workstation.nix

@@ -24,6 +24,16 @@
   # nixpkgs config
   xdg.configFile."nixpkgs/config.nix".source =  ../conf/config.nix;
 
+  xdg.autostart = {
+    enable = true;
+    entries = [
+      "${pkgs.firefox}/share/applications/firefox.desktop"
+      "${pkgs.discord}/share/applications/discord.desktop"
+      "${pkgs.signal-desktop}/share/applications/signal.desktop"
+      "${pkgs.obsidian}/share/applications/obsidian.desktop"
+    ];
+  }; # end xdg.autostart
+
   home.packages = with pkgs; [
     signal-desktop
     discord

hosts/alisceon-core/configuration.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ ./hardware-configuration.nix ];
+  networking.hostName = "alisceon-core";
+  boot.initrd.enable = true;
+  boot.loader = {
+    systemd-boot = {
+      enable = true;
+    }; # end loader.systemd-boot
+  }; # end boot
+} # end file

hosts/blogbox/configuration.nix

@@ -0,0 +1,165 @@
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ ./hardware-configuration.nix ];
+  networking.hostName = "blogbox";
+  boot.initrd.enable = true;
+  boot.loader = {
+    systemd-boot = {
+      enable = true;
+    }; # end loader.systemd-boot
+  }; # end boot
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 22 80 443 ];
+    allowedUDPPorts = [ 443 ];
+  };
+  systemd = {
+    services = {
+      "pull-blog" = {
+        script = ''
+
+        '';
+        serviceConfig = {
+          type = "oneshot";
+          user = "root"
+        };
+      };
+    };
+    timers = {
+      "pull-blog" = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnCalendar = "*:0/5";
+          Persistent = true;
+        };
+      };
+    };
+  };
+
+  environment = {
+    etc = {
+      "blogbox/blogbox.env" = {
+        text = "";
+        mode = "644";
+      };
+      "blogbox/acme.json" = {
+        text = "";
+        mode = "600";
+      }; 
+    }; # end etc
+  };
+
+  virtualisation = {
+    podman.dockerSocket.enable = true;
+    oci-containers = {
+      backend = "podman";
+      containers = {
+        traefik = {
+          image = "docker.io/library/traefik:beaufort";
+          autoStart = true;
+          autoRemoveOnStop = true;
+          privileged = true;
+          networks = [ "Containet" ];
+          ports = [ "80:80" "443:443" "443:443/udp" ];
+          volumes = [
+            "${pkgs.podman}/run/podman/podman.sock:/var/run/docker.sock:ro"
+            "/etc/traefik/acme.json:/acme.json"
+          ];
+          environmentFiles = [ "/etc/traefik/blogbox.env" ];
+          labels = {
+              "traefik.enable" = "true";
+              "traefik.http.routers.http-catchall.rule" = "hostregexp(`{host:.+}`)";
+              "traefik.http.routers.http-catchall.entrypoints" = "web";
+          };
+          cmd = ''
+              --accesslog \
+              --accesslog.format=json \
+              --accesslog.fields.headers.names.User-Agent=keep \
+              --log.level=INFO \
+              --providers.docker=true \
+              --providers.docker.network=Containet \
+              --providers.docker.exposedbydefault=false \
+              --entryPoints.web.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+              --entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+              --entryPoints.web.forwardedHeaders.insecure=false \
+              --entryPoints.web.proxyProtocol.insecure=false \
+              --entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+              --entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,127.0.0.1/32 \
+              --entryPoints.websecure.forwardedHeaders.insecure=false \
+              --entryPoints.websecure.proxyProtocol.insecure=false \
+              --entrypoints.web.address=:80 \
+              --entrypoints.websecure.address=:443 \
+              --entryPoints.metrics.address=:8082 \
+              --entrypoints.web.http.redirections.entryPoint.to=websecure \
+              --entrypoints.web.http.redirections.entryPoint.scheme=https \
+              --entrypoints.web.http.redirections.entrypoint.permanent=true \
+              --entrypoints.websecure.http3 \
+              --entrypoints.name.http3.advertisedport=443 \
+              --entrypoints.websecure.http.tls.certResolver=leresolver \
+              --entrypoints.websecure.http.tls.domains[0].main=$DOMAIN \
+              --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAIN \
+              --certificatesresolvers.leresolver.acme.dnschallenge=true \
+              --certificatesresolvers.leresolver.acme.dnschallenge.provider=namecheap \
+              --certificatesresolvers.leresolver.acme.storage=./acme.json \
+              --certificatesresolvers.leresolver.acme.dnschallenge.resolvers=dns1.registrar-servers.com:53,dns2.registrar-servers.com:53 \
+              --metrics.prometheus=true \
+              --metrics.prometheus.addrouterslabels=true \
+              --metrics.prometheus.entryPoint=metrics
+          ''
+        }; # end traefik
+        hugo = {
+          labels = {
+            "traefik.enable" = true;
+            "traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)";
+            "traefik.http.routers.hugo-router.entrypoints" = "websecure";
+            "traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
+            "traefik.http.routers.hugo-router.service" = "hugo-router";
+            "traefik.http.middlewares.compression.compress" = "true";
+            "traefik.http.middlewares.retry.retry.attempts" = "8";
+            "traefik.http.middlewares.retry.retry.initialInterval" = "2";
+            "traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml";
+            "traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
+            "traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
+            "traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
+            "traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
+            "traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
+          };
+        }; # end hugo
+        cats = {
+          labels = {
+            "traefik.http.routers.cats-router.priority"="1";
+            "traefik.http.middlewares.cats.errors.status"="400-599";
+            "traefik.http.middlewares.cats.errors.service"="cats-router";
+            "traefik.http.middlewares.cats.errors.query"="/{status}.html";
+            "traefik.enable" = true;
+            "traefik.http.routers.hugo-router.rule" = "Host(`alisceon.com`)";
+            "traefik.http.routers.hugo-router.entrypoints" = "websecure";
+            "traefik.http.services.hugo-router.loadbalancer.server.port" = "8080";
+            "traefik.http.routers.hugo-router.service" = "hugo-router";
+            "traefik.http.middlewares.compression.compress" = "true";
+            "traefik.http.middlewares.retry.retry.attempts" = "8";
+            "traefik.http.middlewares.retry.retry.initialInterval" = "2";
+            "traefik.http.routers.hugo-router.middlewares" = "/home/alisceon/Projects/cloud/stacks/alisceondotcom/compose.yml";
+            "traefik.http.middlewares.hugo-headers.headers.customresponseheaders.server" = "";
+            "traefik.http.middlewares.hugo-headers.headers.isdevelopment" = "false";
+            "traefik.http.middlewares.hugo-headers.headers.stsincludesubdomains" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.stspreload" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.stsseconds" = "31536000";
+            "traefik.http.middlewares.hugo-headers.headers.forcestsheader" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.contentSecurityPolicy" = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; connect-src 'self';";
+            "traefik.http.middlewares.hugo-headers.headers.framedeny" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.contenttypenosniff" = "true";
+            "traefik.http.middlewares.hugo-headers.headers.referrerpolicy" = "same-origin";
+          };
+        }; # end cats
+      }; # end containers
+    }; # end oci-containers
+  }; # end virtualisation
+} # end file

hosts/common/base.nix

@@ -115,6 +115,9 @@
     isNormalUser = true;
     extraGroups = [ "wheel" "networkmanager" "podman" ];
     shell = pkgs.nushell;
+    openssh.authorizedKeys.keys = [
+      "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPN1Cd2UlHo03Jqgi5Yb4io/3gh/X4wCb8LcmKlpAovQa271CKDBtYOUKn+Fts03g6dBMfaWMty6VGPMGDMONmc= alisceon@electra"
+    ];
   }; # end users
 
   programs.command-not-found.enable = true;

hosts/common/server.nix

@@ -2,7 +2,11 @@
 
 {  
   services = {
-    openssh.enable = true;
+    openssh = {
+      enable = true;
+      permitRootLogin = "no";
+      passwordAuthentication = false;
+    }; # end openssh
   }; # end services
 
   services.fwupd.enable = true;