diff --git a/nixos/hosts/alisceon-core/configuration.nix b/nixos/hosts/alisceon-core/configuration.nix
index 222cfa6..3f1a941 100644
--- a/nixos/hosts/alisceon-core/configuration.nix
+++ b/nixos/hosts/alisceon-core/configuration.nix
@@ -6,6 +6,7 @@
../../modules/services/forgejo.nix
../../modules/services/nginx.nix
../../modules/services/oci-authorized-keys.nix
+ ../../modules/services/oci-secondary-vnics.nix
../../modules/services/tor.nix
];
@@ -69,6 +70,7 @@
defaultShell = "/run/current-system/sw/bin/xonsh";
};
ociAuthorizedKeys.enable = true;
+ ociSecondaryVnics.enable = true;
};
security = {
diff --git a/nixos/hosts/blogbox/configuration.nix b/nixos/hosts/blogbox/configuration.nix
index c4f6e0d..16c259d 100644
--- a/nixos/hosts/blogbox/configuration.nix
+++ b/nixos/hosts/blogbox/configuration.nix
@@ -2,6 +2,7 @@
{
imports = [
"${modulesPath}/virtualisation/oci-image.nix"
+ ../../modules/services/blogbox.nix
../../modules/services/cloud-init.nix
../../modules/services/oci-authorized-keys.nix
];
@@ -71,6 +72,7 @@
users.users.alisceon.extraGroups = [ "systemd-journal" ];
alisceon = {
+ blogbox.enable = true;
cloud-init.enable = true;
ociAuthorizedKeys.enable = true;
};
@@ -95,13 +97,20 @@
'';
system.autoUpgrade = {
- enable = lib.mkForce false;
- persistent = lib.mkForce false;
+ enable = lib.mkForce true;
+ persistent = lib.mkForce true;
};
systemd = {
services = {
dev-flake-garbage-collect.enable = lib.mkForce false;
+ nixos-upgrade.serviceConfig = {
+ IOSchedulingClass = "idle";
+ MemoryHigh = "512M";
+ MemoryMax = "900M";
+ Nice = 15;
+ OOMPolicy = "stop";
+ };
};
timers.dev-flake-garbage-collect.enable = lib.mkForce false;
};
diff --git a/nixos/modules/services/blogbox.nix b/nixos/modules/services/blogbox.nix
new file mode 100644
index 0000000..fe1d695
--- /dev/null
+++ b/nixos/modules/services/blogbox.nix
@@ -0,0 +1,313 @@
+{
+ config,
+ lib,
+ pkgs,
+ pkgs-unstable,
+ ...
+}:
+let
+ cfg = config.alisceon.blogbox;
+ user = config.users.users.${cfg.user};
+ repoDir = "${user.home}/${cfg.repoDirectoryName}";
+ outputDir = toString cfg.outputDir;
+ outputParent = dirOf outputDir;
+
+ caddyfile = pkgs.writeText "blogbox-Caddyfile" ''
+ {$BLOGBOX_DOMAIN} {
+ encode zstd gzip
+ root * ${outputDir}
+ file_server
+ }
+ '';
+
+ publishSite = pkgs.writeShellApplication {
+ name = "blogbox-publish-site";
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.git
+ pkgs.gnugrep
+ pkgs-unstable.hugo
+ ];
+ text = ''
+ repo_dir="''${BLOGBOX_REPO_DIR:-${repoDir}}"
+ output_dir="''${BLOGBOX_OUTPUT_DIR:-${outputDir}}"
+ hugo_args="''${BLOGBOX_HUGO_ARGS:-}"
+
+ if [ ! -d "$repo_dir/.git" ]; then
+ echo "Skipping blog publish: $repo_dir is not an initialized git repository"
+ exit 0
+ fi
+
+ cd "$repo_dir"
+
+ old_rev="$(git rev-parse HEAD 2>/dev/null || true)"
+ if [ -z "$old_rev" ]; then
+ echo "Skipping blog publish: unable to resolve HEAD in $repo_dir"
+ exit 0
+ fi
+
+ if ! git remote get-url origin >/dev/null 2>&1; then
+ echo "Skipping blog publish: $repo_dir has no origin remote"
+ exit 0
+ fi
+
+ git fetch --prune --tags origin
+
+ upstream="$(git rev-parse --abbrev-ref --symbolic-full-name '@{u}' 2>/dev/null || true)"
+ if [ -n "$upstream" ]; then
+ git merge --ff-only "$upstream"
+ else
+ git pull --ff-only
+ fi
+
+ new_rev="$(git rev-parse HEAD)"
+ built_rev_file="$output_dir/.blogbox-built-rev"
+
+ if [ -f "$built_rev_file" ] && [ "$old_rev" = "$new_rev" ] && grep -qxF "$new_rev" "$built_rev_file"; then
+ echo "No blog repository updates since $new_rev; skipping Hugo build"
+ exit 0
+ fi
+
+ output_parent="$(dirname "$output_dir")"
+ mkdir -p "$output_parent"
+
+ build_dir="$(mktemp -d "$output_parent/.hugo-build.XXXXXX")"
+ trap 'rm -rf "$build_dir"' EXIT
+
+ # shellcheck disable=SC2086
+ hugo --source "$repo_dir" --destination "$build_dir/public" --cleanDestinationDir $hugo_args
+ printf '%s\n' "$new_rev" > "$build_dir/public/.blogbox-built-rev"
+
+ rm -rf "$output_dir.previous"
+ if [ -d "$output_dir" ]; then
+ mv "$output_dir" "$output_dir.previous"
+ fi
+
+ mv "$build_dir/public" "$output_dir"
+ rm -rf "$output_dir.previous"
+ trap - EXIT
+ rm -rf "$build_dir"
+
+ echo "Published blog revision $new_rev to $output_dir"
+ '';
+ };
+
+ updateNamecheap = pkgs.writeShellApplication {
+ name = "blogbox-namecheap-ddns";
+ runtimeInputs = [
+ pkgs.curl
+ pkgs.gnugrep
+ ];
+ text = ''
+ domain="''${NAMECHEAP_DOMAIN:-''${BLOGBOX_DOMAIN:-}}"
+ host="''${NAMECHEAP_HOST:-@}"
+ password="''${NAMECHEAP_DDNS_PASSWORD:-''${NAMECHEAP_PASSWORD:-}}"
+
+ if [ -z "$domain" ] || [ -z "$password" ]; then
+ echo "Skipping Namecheap DDNS: BLOGBOX_DOMAIN/NAMECHEAP_DOMAIN or NAMECHEAP_DDNS_PASSWORD is not configured"
+ exit 0
+ fi
+
+ ip="''${NAMECHEAP_IP:-}"
+ if [ -z "$ip" ]; then
+ ip_url="''${NAMECHEAP_IP_URL:-https://dynamicdns.park-your-domain.com/getip}"
+ ip="$(curl --fail --silent --show-error --max-time 15 "$ip_url")"
+ fi
+
+ response="$(
+ curl --fail --silent --show-error --get "https://dynamicdns.park-your-domain.com/update" \
+ --data-urlencode "host=$host" \
+ --data-urlencode "domain=$domain" \
+ --data-urlencode "password=$password" \
+ --data-urlencode "ip=$ip"
+ )"
+
+ printf '%s\n' "$response"
+
+ if printf '%s\n' "$response" | grep -qiE '0|true'; then
+ exit 0
+ fi
+
+ echo "Namecheap DDNS response did not indicate success"
+ exit 1
+ '';
+ };
+in
+{
+ options.alisceon.blogbox = {
+ enable = lib.mkEnableOption "blogbox static site publishing";
+
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "alisceon";
+ description = "User that owns and updates the blog git repository.";
+ };
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "users";
+ description = "Group for blogbox writable state.";
+ };
+
+ repoDirectoryName = lib.mkOption {
+ type = lib.types.str;
+ default = "blogbox-site";
+ description = "Directory name under the user's home where the runtime git repository lives.";
+ };
+
+ outputDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/var/lib/blogbox/public";
+ description = "Stable directory served by Caddy and replaced after successful Hugo builds.";
+ };
+
+ environmentFile = lib.mkOption {
+ type = lib.types.path;
+ default = "/etc/blogbox/blogbox.env";
+ description = "Runtime environment file for non-secret domain and repository settings.";
+ };
+
+ ddnsEnvironmentFile = lib.mkOption {
+ type = lib.types.path;
+ default = "/etc/blogbox/namecheap.env";
+ description = "Runtime environment file for Namecheap dynamic DNS credentials.";
+ };
+
+ publishInterval = lib.mkOption {
+ type = lib.types.str;
+ default = "2min";
+ description = "Interval for git pull and Hugo publish attempts.";
+ };
+
+ ddnsInterval = lib.mkOption {
+ type = lib.types.str;
+ default = "5min";
+ description = "Interval for Namecheap dynamic DNS updates.";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ environment.etc."blogbox/blogbox.env.example".text = ''
+ # Required for HTTPS virtual hosting.
+ BLOGBOX_DOMAIN=example.com
+
+ # Optional. Defaults to /home/${cfg.user}/${cfg.repoDirectoryName}.
+ # BLOGBOX_REPO_DIR=/home/${cfg.user}/${cfg.repoDirectoryName}
+
+ # Optional. Defaults to ${outputDir}.
+ # BLOGBOX_OUTPUT_DIR=${outputDir}
+
+ # Optional extra flags passed to hugo. Keep this shell-word-safe.
+ # BLOGBOX_HUGO_ARGS=--minify
+ '';
+
+ environment.etc."blogbox/namecheap.env.example".text = ''
+ # Required for Namecheap DDNS.
+ # NAMECHEAP_DOMAIN defaults to BLOGBOX_DOMAIN from blogbox.env when omitted.
+ # NAMECHEAP_DOMAIN=example.com
+ NAMECHEAP_HOST=@
+ NAMECHEAP_DDNS_PASSWORD=change-me
+
+ # Optional. If unset, the updater asks Namecheap for the current public IP.
+ # NAMECHEAP_IP=203.0.113.10
+ '';
+
+ services.caddy = {
+ enable = true;
+ adapter = "caddyfile";
+ configFile = caddyfile;
+ environmentFile = cfg.environmentFile;
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /etc/blogbox 0750 root root -"
+ "d ${outputParent} 0755 ${cfg.user} ${cfg.group} -"
+ "d ${outputDir} 0755 ${cfg.user} ${cfg.group} -"
+ ];
+
+ systemd.services = {
+ caddy.unitConfig.ConditionPathExists = cfg.environmentFile;
+
+ blogbox-publish-site = {
+ description = "Pull and publish the blogbox Hugo site";
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = cfg.user;
+ Group = cfg.group;
+ EnvironmentFile = [ "-${toString cfg.environmentFile}" ];
+ Environment = [
+ "HOME=${user.home}"
+ "GIT_TERMINAL_PROMPT=0"
+ ];
+ Nice = 10;
+ IOSchedulingClass = "idle";
+ TimeoutStartSec = "10min";
+ };
+ script = lib.getExe publishSite;
+ };
+
+ blogbox-namecheap-ddns = {
+ description = "Update Namecheap dynamic DNS for blogbox";
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ DynamicUser = true;
+ EnvironmentFile = [
+ "-${toString cfg.environmentFile}"
+ "-${toString cfg.ddnsEnvironmentFile}"
+ ];
+ Nice = 10;
+ IOSchedulingClass = "idle";
+ TimeoutStartSec = "45s";
+ };
+ script = lib.getExe updateNamecheap;
+ };
+
+ blogbox-reload-caddy = {
+ description = "Restart Caddy after blogbox runtime configuration changes";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ ${pkgs.systemd}/bin/systemctl restart caddy.service
+ '';
+ };
+ };
+
+ systemd.timers = {
+ blogbox-publish-site = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnBootSec = "2min";
+ OnUnitActiveSec = cfg.publishInterval;
+ RandomizedDelaySec = "20s";
+ Persistent = true;
+ };
+ };
+
+ blogbox-namecheap-ddns = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnBootSec = "1min";
+ OnUnitActiveSec = cfg.ddnsInterval;
+ RandomizedDelaySec = "30s";
+ Persistent = true;
+ };
+ };
+ };
+
+ systemd.paths.blogbox-reload-caddy = {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig = {
+ PathExists = cfg.environmentFile;
+ PathChanged = cfg.environmentFile;
+ };
+ };
+ };
+}
diff --git a/nixos/modules/services/oci-secondary-vnics.nix b/nixos/modules/services/oci-secondary-vnics.nix
new file mode 100644
index 0000000..6d6b94d
--- /dev/null
+++ b/nixos/modules/services/oci-secondary-vnics.nix
@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.alisceon.ociSecondaryVnics;
+
+ configureSecondaryVnics = pkgs.writeShellApplication {
+ name = "configure-oci-secondary-vnics";
+ runtimeInputs = [
+ pkgs.coreutils
+ pkgs.curl
+ pkgs.gnugrep
+ pkgs.iproute2
+ pkgs.jq
+ pkgs.systemd
+ ];
+ text = ''
+ metadata_url="http://169.254.169.254/opc/v2/vnics"
+ network_dir="/run/systemd/network"
+ mkdir -p "$network_dir"
+
+ vnics="$(curl --fail --silent --show-error --max-time 10 \
+ -H "Authorization: Bearer Oracle" \
+ "$metadata_url")"
+
+ index=0
+ configured=0
+
+ while IFS= read -r vnic; do
+ index=$((index + 1))
+
+ mac="$(jq -r '.macAddr // empty' <<< "$vnic" | tr '[:upper:]' '[:lower:]')"
+ address="$(jq -r '.privateIp // empty' <<< "$vnic")"
+ cidr="$(jq -r '.subnetCidrBlock // empty' <<< "$vnic")"
+ gateway="$(jq -r '.virtualRouterIp // empty' <<< "$vnic")"
+
+ if [ -z "$mac" ] || [ -z "$address" ] || [ -z "$cidr" ] || [ -z "$gateway" ]; then
+ echo "Skipping incomplete OCI VNIC metadata entry: $vnic"
+ continue
+ fi
+
+ iface="$(
+ for candidate in /sys/class/net/*; do
+ [ -e "$candidate/address" ] || continue
+ candidate_mac="$(tr '[:upper:]' '[:lower:]' < "$candidate/address")"
+ if [ "$candidate_mac" = "$mac" ]; then
+ basename "$candidate"
+ break
+ fi
+ done
+ )"
+
+ if [ -z "$iface" ]; then
+ echo "Skipping OCI VNIC $mac: no matching Linux interface"
+ continue
+ fi
+
+ if ip -4 address show dev "$iface" | grep -q "inet $address/"; then
+ echo "OCI VNIC $iface already has $address configured"
+ continue
+ fi
+
+ prefix="''${cidr#*/}"
+ table=$((1000 + index))
+ priority=$((1000 + index))
+ unit_name="$(systemd-escape --template=20-oci-secondary-vnic@.network "$iface")"
+ network_file="$network_dir/$unit_name"
+
+ {
+ printf '%s\n' \
+ "[Match]" \
+ "MACAddress=$mac" \
+ "" \
+ "[Link]" \
+ "MTUBytes=9000" \
+ "" \
+ "[Network]" \
+ "Address=$address/$prefix" \
+ "" \
+ "[Route]" \
+ "Destination=$cidr" \
+ "Scope=link" \
+ "Table=$table" \
+ "" \
+ "[Route]" \
+ "Gateway=$gateway" \
+ "GatewayOnLink=yes" \
+ "Table=$table" \
+ "" \
+ "[RoutingPolicyRule]" \
+ "From=$address/32" \
+ "Table=$table" \
+ "Priority=$priority"
+ } > "$network_file"
+
+ echo "Configuring OCI secondary VNIC $iface as $address/$prefix via $gateway in table $table"
+ networkctl reload
+ networkctl reconfigure "$iface"
+ configured=1
+ done < <(jq -c '.[]' <<< "$vnics")
+
+ if [ "$configured" = 0 ]; then
+ echo "No unconfigured OCI secondary VNICs found"
+ fi
+ '';
+ };
+in
+{
+ options.alisceon.ociSecondaryVnics.enable =
+ lib.mkEnableOption "runtime configuration of OCI secondary VNICs from instance metadata";
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.configure-oci-secondary-vnics = {
+ description = "Configure OCI secondary VNICs from instance metadata";
+ after = [
+ "network-online.target"
+ "systemd-networkd.service"
+ ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = lib.getExe configureSecondaryVnics;
+ };
+ };
+}