added services to blogbox and added new nic to alisceon-core

2026-05-30 17:17:47 +02:00 · 2026-05-30 17:17:47 +02:00 · ecde469fe7
commit ecde469fe7
parent 8a2e2532bd
4 changed files with 452 additions and 2 deletions
--- a/nixos/modules/services/blogbox.nix
+++ b/nixos/modules/services/blogbox.nix
@ -0,0 +1,313 @@
+{
+  config,
+  lib,
+  pkgs,
+  pkgs-unstable,
+  ...
+}:
+let
+  cfg = config.alisceon.blogbox;
+  user = config.users.users.${cfg.user};
+  repoDir = "${user.home}/${cfg.repoDirectoryName}";
+  outputDir = toString cfg.outputDir;
+  outputParent = dirOf outputDir;
+
+  caddyfile = pkgs.writeText "blogbox-Caddyfile" ''
+    {$BLOGBOX_DOMAIN} {
+      encode zstd gzip
+      root * ${outputDir}
+      file_server
+    }
+  '';
+
+  publishSite = pkgs.writeShellApplication {
+    name = "blogbox-publish-site";
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.git
+      pkgs.gnugrep
+      pkgs-unstable.hugo
+    ];
+    text = ''
+      repo_dir="''${BLOGBOX_REPO_DIR:-${repoDir}}"
+      output_dir="''${BLOGBOX_OUTPUT_DIR:-${outputDir}}"
+      hugo_args="''${BLOGBOX_HUGO_ARGS:-}"
+
+      if [ ! -d "$repo_dir/.git" ]; then
+        echo "Skipping blog publish: $repo_dir is not an initialized git repository"
+        exit 0
+      fi
+
+      cd "$repo_dir"
+
+      old_rev="$(git rev-parse HEAD 2>/dev/null || true)"
+      if [ -z "$old_rev" ]; then
+        echo "Skipping blog publish: unable to resolve HEAD in $repo_dir"
+        exit 0
+      fi
+
+      if ! git remote get-url origin >/dev/null 2>&1; then
+        echo "Skipping blog publish: $repo_dir has no origin remote"
+        exit 0
+      fi
+
+      git fetch --prune --tags origin
+
+      upstream="$(git rev-parse --abbrev-ref --symbolic-full-name '@{u}' 2>/dev/null || true)"
+      if [ -n "$upstream" ]; then
+        git merge --ff-only "$upstream"
+      else
+        git pull --ff-only
+      fi
+
+      new_rev="$(git rev-parse HEAD)"
+      built_rev_file="$output_dir/.blogbox-built-rev"
+
+      if [ -f "$built_rev_file" ] && [ "$old_rev" = "$new_rev" ] && grep -qxF "$new_rev" "$built_rev_file"; then
+        echo "No blog repository updates since $new_rev; skipping Hugo build"
+        exit 0
+      fi
+
+      output_parent="$(dirname "$output_dir")"
+      mkdir -p "$output_parent"
+
+      build_dir="$(mktemp -d "$output_parent/.hugo-build.XXXXXX")"
+      trap 'rm -rf "$build_dir"' EXIT
+
+      # shellcheck disable=SC2086
+      hugo --source "$repo_dir" --destination "$build_dir/public" --cleanDestinationDir $hugo_args
+      printf '%s\n' "$new_rev" > "$build_dir/public/.blogbox-built-rev"
+
+      rm -rf "$output_dir.previous"
+      if [ -d "$output_dir" ]; then
+        mv "$output_dir" "$output_dir.previous"
+      fi
+
+      mv "$build_dir/public" "$output_dir"
+      rm -rf "$output_dir.previous"
+      trap - EXIT
+      rm -rf "$build_dir"
+
+      echo "Published blog revision $new_rev to $output_dir"
+    '';
+  };
+
+  updateNamecheap = pkgs.writeShellApplication {
+    name = "blogbox-namecheap-ddns";
+    runtimeInputs = [
+      pkgs.curl
+      pkgs.gnugrep
+    ];
+    text = ''
+      domain="''${NAMECHEAP_DOMAIN:-''${BLOGBOX_DOMAIN:-}}"
+      host="''${NAMECHEAP_HOST:-@}"
+      password="''${NAMECHEAP_DDNS_PASSWORD:-''${NAMECHEAP_PASSWORD:-}}"
+
+      if [ -z "$domain" ] || [ -z "$password" ]; then
+        echo "Skipping Namecheap DDNS: BLOGBOX_DOMAIN/NAMECHEAP_DOMAIN or NAMECHEAP_DDNS_PASSWORD is not configured"
+        exit 0
+      fi
+
+      ip="''${NAMECHEAP_IP:-}"
+      if [ -z "$ip" ]; then
+        ip_url="''${NAMECHEAP_IP_URL:-https://dynamicdns.park-your-domain.com/getip}"
+        ip="$(curl --fail --silent --show-error --max-time 15 "$ip_url")"
+      fi
+
+      response="$(
+        curl --fail --silent --show-error --get "https://dynamicdns.park-your-domain.com/update" \
+          --data-urlencode "host=$host" \
+          --data-urlencode "domain=$domain" \
+          --data-urlencode "password=$password" \
+          --data-urlencode "ip=$ip"
+      )"
+
+      printf '%s\n' "$response"
+
+      if printf '%s\n' "$response" | grep -qiE '<ErrCount>0</ErrCount>|<Done>true</Done>'; then
+        exit 0
+      fi
+
+      echo "Namecheap DDNS response did not indicate success"
+      exit 1
+    '';
+  };
+in
+{
+  options.alisceon.blogbox = {
+    enable = lib.mkEnableOption "blogbox static site publishing";
+
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "alisceon";
+      description = "User that owns and updates the blog git repository.";
+    };
+
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = "users";
+      description = "Group for blogbox writable state.";
+    };
+
+    repoDirectoryName = lib.mkOption {
+      type = lib.types.str;
+      default = "blogbox-site";
+      description = "Directory name under the user's home where the runtime git repository lives.";
+    };
+
+    outputDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/blogbox/public";
+      description = "Stable directory served by Caddy and replaced after successful Hugo builds.";
+    };
+
+    environmentFile = lib.mkOption {
+      type = lib.types.path;
+      default = "/etc/blogbox/blogbox.env";
+      description = "Runtime environment file for non-secret domain and repository settings.";
+    };
+
+    ddnsEnvironmentFile = lib.mkOption {
+      type = lib.types.path;
+      default = "/etc/blogbox/namecheap.env";
+      description = "Runtime environment file for Namecheap dynamic DNS credentials.";
+    };
+
+    publishInterval = lib.mkOption {
+      type = lib.types.str;
+      default = "2min";
+      description = "Interval for git pull and Hugo publish attempts.";
+    };
+
+    ddnsInterval = lib.mkOption {
+      type = lib.types.str;
+      default = "5min";
+      description = "Interval for Namecheap dynamic DNS updates.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    environment.etc."blogbox/blogbox.env.example".text = ''
+      # Required for HTTPS virtual hosting.
+      BLOGBOX_DOMAIN=example.com
+
+      # Optional. Defaults to /home/${cfg.user}/${cfg.repoDirectoryName}.
+      # BLOGBOX_REPO_DIR=/home/${cfg.user}/${cfg.repoDirectoryName}
+
+      # Optional. Defaults to ${outputDir}.
+      # BLOGBOX_OUTPUT_DIR=${outputDir}
+
+      # Optional extra flags passed to hugo. Keep this shell-word-safe.
+      # BLOGBOX_HUGO_ARGS=--minify
+    '';
+
+    environment.etc."blogbox/namecheap.env.example".text = ''
+      # Required for Namecheap DDNS.
+      # NAMECHEAP_DOMAIN defaults to BLOGBOX_DOMAIN from blogbox.env when omitted.
+      # NAMECHEAP_DOMAIN=example.com
+      NAMECHEAP_HOST=@
+      NAMECHEAP_DDNS_PASSWORD=change-me
+
+      # Optional. If unset, the updater asks Namecheap for the current public IP.
+      # NAMECHEAP_IP=203.0.113.10
+    '';
+
+    services.caddy = {
+      enable = true;
+      adapter = "caddyfile";
+      configFile = caddyfile;
+      environmentFile = cfg.environmentFile;
+    };
+
+    systemd.tmpfiles.rules = [
+      "d /etc/blogbox 0750 root root -"
+      "d ${outputParent} 0755 ${cfg.user} ${cfg.group} -"
+      "d ${outputDir} 0755 ${cfg.user} ${cfg.group} -"
+    ];
+
+    systemd.services = {
+      caddy.unitConfig.ConditionPathExists = cfg.environmentFile;
+
+      blogbox-publish-site = {
+        description = "Pull and publish the blogbox Hugo site";
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        serviceConfig = {
+          Type = "oneshot";
+          User = cfg.user;
+          Group = cfg.group;
+          EnvironmentFile = [ "-${toString cfg.environmentFile}" ];
+          Environment = [
+            "HOME=${user.home}"
+            "GIT_TERMINAL_PROMPT=0"
+          ];
+          Nice = 10;
+          IOSchedulingClass = "idle";
+          TimeoutStartSec = "10min";
+        };
+        script = lib.getExe publishSite;
+      };
+
+      blogbox-namecheap-ddns = {
+        description = "Update Namecheap dynamic DNS for blogbox";
+        after = [ "network-online.target" ];
+        wants = [ "network-online.target" ];
+        serviceConfig = {
+          Type = "oneshot";
+          DynamicUser = true;
+          EnvironmentFile = [
+            "-${toString cfg.environmentFile}"
+            "-${toString cfg.ddnsEnvironmentFile}"
+          ];
+          Nice = 10;
+          IOSchedulingClass = "idle";
+          TimeoutStartSec = "45s";
+        };
+        script = lib.getExe updateNamecheap;
+      };
+
+      blogbox-reload-caddy = {
+        description = "Restart Caddy after blogbox runtime configuration changes";
+        serviceConfig.Type = "oneshot";
+        script = ''
+          ${pkgs.systemd}/bin/systemctl restart caddy.service
+        '';
+      };
+    };
+
+    systemd.timers = {
+      blogbox-publish-site = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "2min";
+          OnUnitActiveSec = cfg.publishInterval;
+          RandomizedDelaySec = "20s";
+          Persistent = true;
+        };
+      };
+
+      blogbox-namecheap-ddns = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "1min";
+          OnUnitActiveSec = cfg.ddnsInterval;
+          RandomizedDelaySec = "30s";
+          Persistent = true;
+        };
+      };
+    };
+
+    systemd.paths.blogbox-reload-caddy = {
+      wantedBy = [ "multi-user.target" ];
+      pathConfig = {
+        PathExists = cfg.environmentFile;
+        PathChanged = cfg.environmentFile;
+      };
+    };
+  };
+}
--- a/nixos/modules/services/oci-secondary-vnics.nix
+++ b/nixos/modules/services/oci-secondary-vnics.nix
@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.alisceon.ociSecondaryVnics;
+
+  configureSecondaryVnics = pkgs.writeShellApplication {
+    name = "configure-oci-secondary-vnics";
+    runtimeInputs = [
+      pkgs.coreutils
+      pkgs.curl
+      pkgs.gnugrep
+      pkgs.iproute2
+      pkgs.jq
+      pkgs.systemd
+    ];
+    text = ''
+      metadata_url="http://169.254.169.254/opc/v2/vnics"
+      network_dir="/run/systemd/network"
+      mkdir -p "$network_dir"
+
+      vnics="$(curl --fail --silent --show-error --max-time 10 \
+        -H "Authorization: Bearer Oracle" \
+        "$metadata_url")"
+
+      index=0
+      configured=0
+
+      while IFS= read -r vnic; do
+        index=$((index + 1))
+
+        mac="$(jq -r '.macAddr // empty' <<< "$vnic" | tr '[:upper:]' '[:lower:]')"
+        address="$(jq -r '.privateIp // empty' <<< "$vnic")"
+        cidr="$(jq -r '.subnetCidrBlock // empty' <<< "$vnic")"
+        gateway="$(jq -r '.virtualRouterIp // empty' <<< "$vnic")"
+
+        if [ -z "$mac" ] || [ -z "$address" ] || [ -z "$cidr" ] || [ -z "$gateway" ]; then
+          echo "Skipping incomplete OCI VNIC metadata entry: $vnic"
+          continue
+        fi
+
+        iface="$(
+          for candidate in /sys/class/net/*; do
+            [ -e "$candidate/address" ] || continue
+            candidate_mac="$(tr '[:upper:]' '[:lower:]' < "$candidate/address")"
+            if [ "$candidate_mac" = "$mac" ]; then
+              basename "$candidate"
+              break
+            fi
+          done
+        )"
+
+        if [ -z "$iface" ]; then
+          echo "Skipping OCI VNIC $mac: no matching Linux interface"
+          continue
+        fi
+
+        if ip -4 address show dev "$iface" | grep -q "inet $address/"; then
+          echo "OCI VNIC $iface already has $address configured"
+          continue
+        fi
+
+        prefix="''${cidr#*/}"
+        table=$((1000 + index))
+        priority=$((1000 + index))
+        unit_name="$(systemd-escape --template=20-oci-secondary-vnic@.network "$iface")"
+        network_file="$network_dir/$unit_name"
+
+        {
+          printf '%s\n' \
+            "[Match]" \
+            "MACAddress=$mac" \
+            "" \
+            "[Link]" \
+            "MTUBytes=9000" \
+            "" \
+            "[Network]" \
+            "Address=$address/$prefix" \
+            "" \
+            "[Route]" \
+            "Destination=$cidr" \
+            "Scope=link" \
+            "Table=$table" \
+            "" \
+            "[Route]" \
+            "Gateway=$gateway" \
+            "GatewayOnLink=yes" \
+            "Table=$table" \
+            "" \
+            "[RoutingPolicyRule]" \
+            "From=$address/32" \
+            "Table=$table" \
+            "Priority=$priority"
+        } > "$network_file"
+
+        echo "Configuring OCI secondary VNIC $iface as $address/$prefix via $gateway in table $table"
+        networkctl reload
+        networkctl reconfigure "$iface"
+        configured=1
+      done < <(jq -c '.[]' <<< "$vnics")
+
+      if [ "$configured" = 0 ]; then
+        echo "No unconfigured OCI secondary VNICs found"
+      fi
+    '';
+  };
+in
+{
+  options.alisceon.ociSecondaryVnics.enable =
+    lib.mkEnableOption "runtime configuration of OCI secondary VNICs from instance metadata";
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.configure-oci-secondary-vnics = {
+      description = "Configure OCI secondary VNICs from instance metadata";
+      after = [
+        "network-online.target"
+        "systemd-networkd.service"
+      ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = lib.getExe configureSecondaryVnics;
+    };
+  };
+}