From 31351d447cfde0b89d0c1d127517d8f48cca0c08 Mon Sep 17 00:00:00 2001 From: alisceon Date: Sat, 30 May 2026 15:18:13 +0200 Subject: [PATCH 1/3] blogbox reverted to alisceon-core --- flake.nix | 1 - nixos/hosts/blogbox/configuration.nix | 446 +++++++------------------- 2 files changed, 114 insertions(+), 333 deletions(-) diff --git a/flake.nix b/flake.nix index f3074c1..32dbd1b 100644 --- a/flake.nix +++ b/flake.nix @@ -175,7 +175,6 @@ system = "x86_64-linux"; nixosModules = serverModules; hmModules = serverHomeModules; - homeManagerUsers = false; }; }; }; diff --git a/nixos/hosts/blogbox/configuration.nix b/nixos/hosts/blogbox/configuration.nix index 22bb128..fabab79 100644 --- a/nixos/hosts/blogbox/configuration.nix +++ b/nixos/hosts/blogbox/configuration.nix @@ -1,114 +1,16 @@ { lib, pkgs, modulesPath, ... }: -let - siteDomain = "blogbox.alisceon.com"; - repoDir = "/home/alisceon/blogbox-site"; - stateDir = "/var/lib/blogbox"; - publicDir = "${stateDir}/www"; - - updateBlogboxSite = pkgs.writeShellApplication { - name = "update-blogbox-site"; - runtimeInputs = [ - pkgs.coreutils - pkgs.git - pkgs.hugo - pkgs.rsync - ]; - text = '' - set -euo pipefail - - if [ ! -d ${lib.escapeShellArg repoDir}/.git ]; then - echo "${repoDir} is not a git checkout yet; skipping Hugo publish" - exit 0 - fi - - install -d -m 0755 ${lib.escapeShellArg stateDir} ${lib.escapeShellArg publicDir} - - git -C ${lib.escapeShellArg repoDir} pull --ff-only - git -C ${lib.escapeShellArg repoDir} submodule sync --recursive - git -C ${lib.escapeShellArg repoDir} submodule update --init --recursive - - rm -rf ${lib.escapeShellArg stateDir}/hugo-public - hugo \ - --source ${lib.escapeShellArg repoDir} \ - --destination ${lib.escapeShellArg stateDir}/hugo-public \ - --minify \ - --cleanDestinationDir - - rsync -a --delete ${lib.escapeShellArg stateDir}/hugo-public/ ${lib.escapeShellArg publicDir}/ - ''; - }; - - updateNamecheapDyndns = pkgs.writeShellApplication { - name = "update-namecheap-dyndns"; - runtimeInputs = [ - pkgs.coreutils - pkgs.ddclient - ]; - text = '' - set -euo pipefail - - : "''${NAMECHEAP_DOMAIN:?Set NAMECHEAP_DOMAIN in /etc/blogbox-namecheap-ddns.env}" - : "''${NAMECHEAP_PASSWORD:?Set NAMECHEAP_PASSWORD in /etc/blogbox-namecheap-ddns.env}" - : "''${NAMECHEAP_HOSTS:?Set NAMECHEAP_HOSTS in /etc/blogbox-namecheap-ddns.env}" - - config_file="''${RUNTIME_DIRECTORY}/ddclient.conf" - install -m 0600 /dev/null "$config_file" - - { - printf 'daemon=0\n' - printf 'cache=/var/cache/blogbox-dyndns/ddclient.cache\n' - printf 'ssl=yes\n' - printf 'protocol=namecheap\n' - printf 'usev4=webv4, webv4=dynamicdns.park-your-domain.com/getip\n' - printf 'server=dynamicdns.park-your-domain.com\n' - printf 'login=%s\n' "$NAMECHEAP_DOMAIN" - printf 'password=%s\n' "$NAMECHEAP_PASSWORD" - printf '%s\n' "$NAMECHEAP_HOSTS" - } > "$config_file" - - ddclient -file "$config_file" - ''; - }; - - ensureBlogboxSwapfile = pkgs.writeShellApplication { - name = "ensure-blogbox-swapfile"; - runtimeInputs = [ - pkgs.coreutils - pkgs.gnugrep - pkgs.util-linux - ]; - text = '' - set -euo pipefail - - if swapon --show=NAME --noheadings | grep -Fxq /swapfile; then - exit 0 - fi - - if [ ! -f /swapfile ] || [ "$(stat -c %s /swapfile)" -ne 8589934592 ]; then - rm -f /swapfile - install -m 0600 /dev/null /swapfile - fallocate -l 8G /swapfile || dd if=/dev/zero of=/swapfile bs=1M count=8192 status=none - chmod 0600 /swapfile - fi - - mkswap -f /swapfile - swapon /swapfile - ''; - }; -in { imports = [ "${modulesPath}/virtualisation/oci-image.nix" ../../modules/services/cloud-init.nix + ../../modules/services/forgejo.nix ../../modules/services/nginx.nix ../../modules/services/oci-authorized-keys.nix + ../../modules/services/tor.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - oci.efi = lib.mkForce false; - virtualisation.diskSize = lib.mkForce (16 * 1024); - networking = { hostName = "blogbox"; networkmanager.enable = lib.mkForce false; @@ -116,6 +18,11 @@ in 22 80 443 + 22000 + 24601 + ]; + firewall.allowedUDPPorts = [ + 22000 ]; }; @@ -127,72 +34,13 @@ in "virtio_net" "xhci_pci" ]; - kernelParams = lib.mkForce [ - "nvme.shutdown_timeout=10" - "nvme_core.shutdown_timeout=10" - "libiscsi.debug_libiscsi_eh=1" - "crash_kexec_post_notifiers" - "console=tty1" - "console=ttyS0,115200n8" - ]; - kernelPackages = lib.mkForce pkgs.linuxPackages; loader.systemd-boot.configurationLimit = lib.mkForce 3; }; - documentation = { - enable = lib.mkForce false; - man.enable = lib.mkForce false; - doc.enable = lib.mkForce false; - info.enable = lib.mkForce false; - nixos.enable = lib.mkForce false; - }; - - environment = { - defaultPackages = lib.mkForce [ ]; - shells = lib.mkForce [ pkgs.bash ]; - systemPackages = lib.mkForce (with pkgs; [ - curl - git - hugo - vim - ]); - }; - - programs = { - command-not-found.enable = lib.mkForce false; - fish.enable = lib.mkForce false; - fzf.fuzzyCompletion = lib.mkForce false; - xonsh.enable = lib.mkForce false; - }; - - users = { - defaultUserShell = lib.mkForce pkgs.bash; - groups.blogbox-dyndns = { }; - users.alisceon = { - createHome = true; - extraGroups = lib.mkForce [ "wheel" "systemd-journal" ]; - openssh.authorizedKeys.keys = [ - "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPN1Cd2UlHo03Jqgi5Yb4io/3gh/X4wCb8LcmKlpAovQa271CKDBtYOUKn+Fts03g6dBMfaWMty6VGPMGDMONmc= alisceon@electra" - ]; - shell = lib.mkForce pkgs.bash; - }; - users.blogbox-dyndns = { - group = "blogbox-dyndns"; - isSystemUser = true; - }; - }; - - alisceon = { - cloud-init.enable = true; - ociAuthorizedKeys.enable = true; - }; - nix = { settings = { - cores = lib.mkForce 1; - max-jobs = lib.mkForce 1; - min-free = lib.mkForce (256 * 1024 * 1024); - max-free = lib.mkForce (1024 * 1024 * 1024); + min-free = lib.mkForce (512 * 1024 * 1024); + max-free = lib.mkForce (2 * 1024 * 1024 * 1024); }; gc = { dates = lib.mkForce "daily"; @@ -200,9 +48,27 @@ in }; }; - system.autoUpgrade = { - persistent = lib.mkForce false; - randomizedDelaySec = lib.mkForce "4h"; + virtualisation = { + docker.enable = lib.mkForce false; + podman = { + enable = true; + dockerSocket.enable = true; + autoPrune = { + enable = true; + dates = "daily"; + flags = [ "--all" ]; + }; + }; + }; + + users.users.alisceon.extraGroups = [ "systemd-journal" ]; + + alisceon = { + cloud-init = { + enable = true; + defaultShell = "/run/current-system/sw/bin/xonsh"; + }; + ociAuthorizedKeys.enable = true; }; security = { @@ -213,189 +79,105 @@ in sudo-rs.wheelNeedsPassword = false; }; - services = { - openssh.settings = { - KbdInteractiveAuthentication = false; - PasswordAuthentication = false; - PermitRootLogin = lib.mkForce "prohibit-password"; + services.openssh.settings = { + PasswordAuthentication = false; + PermitRootLogin = lib.mkForce "prohibit-password"; + }; + + services.syncthing = { + enable = true; + dataDir = "/var/lib/syncthing"; + guiAddress = "127.0.0.1:8384"; + openDefaultPorts = false; + overrideDevices = false; + overrideFolders = false; + settings = { + gui = { + insecureAdminAccess = false; + insecureSkipHostcheck = false; + }; + options = { + globalAnnounceEnabled = false; + localAnnounceEnabled = false; + listenAddresses = [ + "tcp://0.0.0.0:22000" + "quic://0.0.0.0:22000" + ]; + natEnabled = false; + relaysEnabled = false; + urAccepted = -1; + }; }; + }; - journald.extraConfig = '' - SystemMaxUse=64M - RuntimeMaxUse=32M - ''; + alisceon.forgejo.domain = "forgejo.alisceon.com"; - nginx.virtualHosts.${siteDomain} = { - serverName = siteDomain; + services.gitea-actions-runner.instances.alisceon-core-podman.labels = [ + "podman" + "x86_64" + "amd64" + ]; + + services.nginx.virtualHosts = { + ${"forgejo.alisceon.com"} = { + serverName = "forgejo.alisceon.com"; forceSSL = true; enableACME = true; - root = publicDir; - locations."/".extraConfig = '' - try_files $uri $uri/ =404; - ''; - }; - }; - - systemd = { - tmpfiles.rules = [ - "d ${repoDir} 0755 alisceon users - -" - "d ${stateDir} 0755 alisceon users - -" - "d ${publicDir} 0755 alisceon users - -" - ]; - - services.update-blogbox-site = { - description = "Pull and publish the Blogbox Hugo site"; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - serviceConfig = { - Type = "oneshot"; - User = "alisceon"; - Group = "users"; - ExecStart = lib.getExe updateBlogboxSite; - Nice = 10; - IOSchedulingClass = "idle"; - LockPersonality = true; - MemoryHigh = "384M"; - MemoryMax = "512M"; - NoNewPrivileges = true; - OOMPolicy = "stop"; - PrivateDevices = true; - PrivateIPC = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectSystem = "strict"; - ReadWritePaths = [ - repoDir - stateDir - ]; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_UNIX" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - SystemCallArchitectures = "native"; - TimeoutStartSec = "15min"; - UMask = "0022"; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + recommendedProxySettings = true; }; }; - - services.blogbox-dyndns = { - description = "Update Namecheap dynamic DNS records for Blogbox"; - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - unitConfig.ConditionPathExists = "/etc/blogbox-namecheap-ddns.env"; - serviceConfig = { - Type = "oneshot"; - User = "blogbox-dyndns"; - Group = "blogbox-dyndns"; - ExecStart = lib.getExe updateNamecheapDyndns; - CacheDirectory = "blogbox-dyndns"; - EnvironmentFile = "/etc/blogbox-namecheap-ddns.env"; - LockPersonality = true; - MemoryMax = "128M"; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - OOMPolicy = "stop"; - PrivateDevices = true; - PrivateIPC = true; - PrivateTmp = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_NETLINK" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - RuntimeDirectory = "blogbox-dyndns"; - RuntimeDirectoryMode = "0700"; - SystemCallArchitectures = "native"; - SystemCallErrorNumber = "EPERM"; - SystemCallFilter = "@system-service"; - TimeoutStartSec = "2min"; - UMask = "0177"; - }; - }; - - timers.update-blogbox-site = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "10min"; - OnUnitInactiveSec = "5min"; - Persistent = true; - }; - }; - - timers.blogbox-dyndns = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "5min"; - OnUnitInactiveSec = "10min"; - Persistent = true; + ${"syncthing.alisceon.com"} = { + serverName = "syncthing.alisceon.com"; + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8384"; + recommendedProxySettings = false; + extraConfig = '' + proxy_set_header Host $proxy_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + ''; }; }; }; - systemd.services.nixos-upgrade.serviceConfig = { - IOSchedulingClass = "idle"; - MemoryHigh = "512M"; - MemoryMax = "768M"; - Nice = 15; - OOMPolicy = "stop"; - }; - - systemd.services.growpart.serviceConfig = { - IOSchedulingClass = "idle"; - Nice = 15; - TimeoutStartSec = "2min"; - }; - - systemd.services.blogbox-swapfile = { - description = "Create and enable Blogbox swapfile"; - after = [ - "sshd.service" - "systemd-growfs-root.service" - ]; - wantedBy = [ "multi-user.target" ]; + systemd.services.syncthing = { serviceConfig = { - Type = "oneshot"; - ExecStart = lib.getExe ensureBlogboxSwapfile; - IOSchedulingClass = "idle"; - Nice = 19; - RemainAfterExit = true; - TimeoutStartSec = "20min"; + LockPersonality = true; + PrivateIPC = true; + ProcSubset = "pid"; + ProtectClock = true; + ProtectHome = true; + ProtectProc = "invisible"; + ProtectSystem = "strict"; + ReadWritePaths = [ "/var/lib/syncthing" ]; + RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + "AF_UNIX" + ]; + SystemCallArchitectures = "native"; + UMask = "0077"; }; }; - zramSwap = { - enable = true; - memoryPercent = 50; - }; - - virtualisation = { - containers.enable = lib.mkForce false; - docker.enable = lib.mkForce false; - libvirtd = { - enable = lib.mkForce false; - qemu.swtpm.enable = lib.mkForce false; - }; - podman.enable = lib.mkForce false; - }; + environment.systemPackages = with pkgs; [ + curl + git + htop + jq + vim + wget + ]; system.stateVersion = lib.mkForce "25.11"; } From 8a2e2532bd0c22d2bab1edbcae1811b98e7208e3 Mon Sep 17 00:00:00 2001 From: alisceon Date: Sat, 30 May 2026 16:54:22 +0200 Subject: [PATCH 2/3] first working blogbox done --- home/modules/programs/ssh.nix | 6 +- nixos/hosts/blogbox/configuration.nix | 160 ++++++------------ nixos/modules/profiles/workstation.nix | 1 + .../modules/services/oci-authorized-keys.nix | 6 +- 4 files changed, 64 insertions(+), 109 deletions(-) diff --git a/home/modules/programs/ssh.nix b/home/modules/programs/ssh.nix index 79db2a9..2d17f1b 100644 --- a/home/modules/programs/ssh.nix +++ b/home/modules/programs/ssh.nix @@ -23,12 +23,12 @@ "blogbox-2" = { hostname = "10.1.0.11"; proxyJump = "alisceon-core"; - user = "opc"; + user = "alisceon"; }; "blogbox-1" = { - hostname = "10.1.0.247"; + hostname = "10.1.0.10"; proxyJump = "alisceon-core"; - user = "opc"; + user = "alisceon"; }; "filurbox" = { hostname = "oci.malice.zone"; diff --git a/nixos/hosts/blogbox/configuration.nix b/nixos/hosts/blogbox/configuration.nix index fabab79..c4f6e0d 100644 --- a/nixos/hosts/blogbox/configuration.nix +++ b/nixos/hosts/blogbox/configuration.nix @@ -3,26 +3,20 @@ imports = [ "${modulesPath}/virtualisation/oci-image.nix" ../../modules/services/cloud-init.nix - ../../modules/services/forgejo.nix - ../../modules/services/nginx.nix ../../modules/services/oci-authorized-keys.nix - ../../modules/services/tor.nix ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + oci.efi = lib.mkForce false; + + virtualisation.diskSize = lib.mkForce (8 * 1024); + networking = { hostName = "blogbox"; networkmanager.enable = lib.mkForce false; firewall.allowedTCPPorts = [ 22 - 80 - 443 - 22000 - 24601 - ]; - firewall.allowedUDPPorts = [ - 22000 ]; }; @@ -34,13 +28,29 @@ "virtio_net" "xhci_pci" ]; + kernelParams = lib.mkForce [ + "nvme.shutdown_timeout=10" + "nvme_core.shutdown_timeout=10" + "libiscsi.debug_libiscsi_eh=1" + "crash_kexec_post_notifiers" + "console=tty1" + "console=ttyS0,115200n8" + "earlyprintk=serial,ttyS0,115200" + "loglevel=7" + "systemd.log_target=console" + "systemd.journald.forward_to_console=1" + ]; + kernelPackages = lib.mkForce pkgs.linuxPackages; + loader.grub.configurationLimit = lib.mkForce 3; loader.systemd-boot.configurationLimit = lib.mkForce 3; }; nix = { settings = { - min-free = lib.mkForce (512 * 1024 * 1024); - max-free = lib.mkForce (2 * 1024 * 1024 * 1024); + cores = lib.mkForce 1; + max-jobs = lib.mkForce 1; + min-free = lib.mkForce (256 * 1024 * 1024); + max-free = lib.mkForce (1024 * 1024 * 1024); }; gc = { dates = lib.mkForce "daily"; @@ -49,25 +59,19 @@ }; virtualisation = { + containers.enable = lib.mkForce false; docker.enable = lib.mkForce false; - podman = { - enable = true; - dockerSocket.enable = true; - autoPrune = { - enable = true; - dates = "daily"; - flags = [ "--all" ]; - }; + libvirtd = { + enable = lib.mkForce false; + qemu.swtpm.enable = lib.mkForce false; }; + podman.enable = lib.mkForce false; }; users.users.alisceon.extraGroups = [ "systemd-journal" ]; alisceon = { - cloud-init = { - enable = true; - defaultShell = "/run/current-system/sw/bin/xonsh"; - }; + cloud-init.enable = true; ociAuthorizedKeys.enable = true; }; @@ -80,95 +84,29 @@ }; services.openssh.settings = { + KbdInteractiveAuthentication = false; PasswordAuthentication = false; - PermitRootLogin = lib.mkForce "prohibit-password"; + PermitRootLogin = lib.mkForce "no"; }; - services.syncthing = { - enable = true; - dataDir = "/var/lib/syncthing"; - guiAddress = "127.0.0.1:8384"; - openDefaultPorts = false; - overrideDevices = false; - overrideFolders = false; - settings = { - gui = { - insecureAdminAccess = false; - insecureSkipHostcheck = false; - }; - options = { - globalAnnounceEnabled = false; - localAnnounceEnabled = false; - listenAddresses = [ - "tcp://0.0.0.0:22000" - "quic://0.0.0.0:22000" - ]; - natEnabled = false; - relaysEnabled = false; - urAccepted = -1; - }; - }; + services.journald.extraConfig = '' + SystemMaxUse=64M + RuntimeMaxUse=32M + ''; + + system.autoUpgrade = { + enable = lib.mkForce false; + persistent = lib.mkForce false; }; - alisceon.forgejo.domain = "forgejo.alisceon.com"; - - services.gitea-actions-runner.instances.alisceon-core-podman.labels = [ - "podman" - "x86_64" - "amd64" - ]; - - services.nginx.virtualHosts = { - ${"forgejo.alisceon.com"} = { - serverName = "forgejo.alisceon.com"; - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - recommendedProxySettings = true; - }; - }; - ${"syncthing.alisceon.com"} = { - serverName = "syncthing.alisceon.com"; - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8384"; - recommendedProxySettings = false; - extraConfig = '' - proxy_set_header Host $proxy_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - ''; - }; + systemd = { + services = { + dev-flake-garbage-collect.enable = lib.mkForce false; }; + timers.dev-flake-garbage-collect.enable = lib.mkForce false; }; - systemd.services.syncthing = { - serviceConfig = { - LockPersonality = true; - PrivateIPC = true; - ProcSubset = "pid"; - ProtectClock = true; - ProtectHome = true; - ProtectProc = "invisible"; - ProtectSystem = "strict"; - ReadWritePaths = [ "/var/lib/syncthing" ]; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_INET" - "AF_INET6" - "AF_NETLINK" - "AF_UNIX" - ]; - SystemCallArchitectures = "native"; - UMask = "0077"; - }; - }; + services.cloud-init.settings.disable_root = true; environment.systemPackages = with pkgs; [ curl @@ -179,5 +117,17 @@ wget ]; + swapDevices = [ + { + device = "/swapfile"; + size = 4096; + } + ]; + + zramSwap = { + enable = true; + memoryPercent = 75; + }; + system.stateVersion = lib.mkForce "25.11"; } diff --git a/nixos/modules/profiles/workstation.nix b/nixos/modules/profiles/workstation.nix index 2fadb28..fa0a50f 100644 --- a/nixos/modules/profiles/workstation.nix +++ b/nixos/modules/profiles/workstation.nix @@ -114,6 +114,7 @@ in pkgs.plymouth pkgs.xhost (pkgs.bottles.override { removeWarningPopup = true; }) + pkgs.hydra-check ]; sessionVariables.NIXOS_OZONE_WL = "1"; }; diff --git a/nixos/modules/services/oci-authorized-keys.nix b/nixos/modules/services/oci-authorized-keys.nix index 8b9312b..ac5a866 100644 --- a/nixos/modules/services/oci-authorized-keys.nix +++ b/nixos/modules/services/oci-authorized-keys.nix @@ -84,7 +84,11 @@ in config = lib.mkIf cfg.enable { systemd.services.fetch-oci-authorized-keys = { description = "Fetch OCI metadata authorized_keys for ${cfg.user}"; - wantedBy = [ "multi-user.target" ]; + wantedBy = [ + "sshd.service" + "multi-user.target" + ]; + before = [ "sshd.service" ]; after = [ "network-online.target" ]; wants = [ "network-online.target" ]; serviceConfig = { From ecde469fe7c83c3ef26e11e72f8c73ceec755893 Mon Sep 17 00:00:00 2001 From: alisceon Date: Sat, 30 May 2026 17:17:47 +0200 Subject: [PATCH 3/3] added services to blogbox and added new nic to alisceon-core --- nixos/hosts/alisceon-core/configuration.nix | 2 + nixos/hosts/blogbox/configuration.nix | 13 +- nixos/modules/services/blogbox.nix | 313 ++++++++++++++++++ .../modules/services/oci-secondary-vnics.nix | 126 +++++++ 4 files changed, 452 insertions(+), 2 deletions(-) create mode 100644 nixos/modules/services/blogbox.nix create mode 100644 nixos/modules/services/oci-secondary-vnics.nix diff --git a/nixos/hosts/alisceon-core/configuration.nix b/nixos/hosts/alisceon-core/configuration.nix index 222cfa6..3f1a941 100644 --- a/nixos/hosts/alisceon-core/configuration.nix +++ b/nixos/hosts/alisceon-core/configuration.nix @@ -6,6 +6,7 @@ ../../modules/services/forgejo.nix ../../modules/services/nginx.nix ../../modules/services/oci-authorized-keys.nix + ../../modules/services/oci-secondary-vnics.nix ../../modules/services/tor.nix ]; @@ -69,6 +70,7 @@ defaultShell = "/run/current-system/sw/bin/xonsh"; }; ociAuthorizedKeys.enable = true; + ociSecondaryVnics.enable = true; }; security = { diff --git a/nixos/hosts/blogbox/configuration.nix b/nixos/hosts/blogbox/configuration.nix index c4f6e0d..16c259d 100644 --- a/nixos/hosts/blogbox/configuration.nix +++ b/nixos/hosts/blogbox/configuration.nix @@ -2,6 +2,7 @@ { imports = [ "${modulesPath}/virtualisation/oci-image.nix" + ../../modules/services/blogbox.nix ../../modules/services/cloud-init.nix ../../modules/services/oci-authorized-keys.nix ]; @@ -71,6 +72,7 @@ users.users.alisceon.extraGroups = [ "systemd-journal" ]; alisceon = { + blogbox.enable = true; cloud-init.enable = true; ociAuthorizedKeys.enable = true; }; @@ -95,13 +97,20 @@ ''; system.autoUpgrade = { - enable = lib.mkForce false; - persistent = lib.mkForce false; + enable = lib.mkForce true; + persistent = lib.mkForce true; }; systemd = { services = { dev-flake-garbage-collect.enable = lib.mkForce false; + nixos-upgrade.serviceConfig = { + IOSchedulingClass = "idle"; + MemoryHigh = "512M"; + MemoryMax = "900M"; + Nice = 15; + OOMPolicy = "stop"; + }; }; timers.dev-flake-garbage-collect.enable = lib.mkForce false; }; diff --git a/nixos/modules/services/blogbox.nix b/nixos/modules/services/blogbox.nix new file mode 100644 index 0000000..fe1d695 --- /dev/null +++ b/nixos/modules/services/blogbox.nix @@ -0,0 +1,313 @@ +{ + config, + lib, + pkgs, + pkgs-unstable, + ... +}: +let + cfg = config.alisceon.blogbox; + user = config.users.users.${cfg.user}; + repoDir = "${user.home}/${cfg.repoDirectoryName}"; + outputDir = toString cfg.outputDir; + outputParent = dirOf outputDir; + + caddyfile = pkgs.writeText "blogbox-Caddyfile" '' + {$BLOGBOX_DOMAIN} { + encode zstd gzip + root * ${outputDir} + file_server + } + ''; + + publishSite = pkgs.writeShellApplication { + name = "blogbox-publish-site"; + runtimeInputs = [ + pkgs.coreutils + pkgs.git + pkgs.gnugrep + pkgs-unstable.hugo + ]; + text = '' + repo_dir="''${BLOGBOX_REPO_DIR:-${repoDir}}" + output_dir="''${BLOGBOX_OUTPUT_DIR:-${outputDir}}" + hugo_args="''${BLOGBOX_HUGO_ARGS:-}" + + if [ ! -d "$repo_dir/.git" ]; then + echo "Skipping blog publish: $repo_dir is not an initialized git repository" + exit 0 + fi + + cd "$repo_dir" + + old_rev="$(git rev-parse HEAD 2>/dev/null || true)" + if [ -z "$old_rev" ]; then + echo "Skipping blog publish: unable to resolve HEAD in $repo_dir" + exit 0 + fi + + if ! git remote get-url origin >/dev/null 2>&1; then + echo "Skipping blog publish: $repo_dir has no origin remote" + exit 0 + fi + + git fetch --prune --tags origin + + upstream="$(git rev-parse --abbrev-ref --symbolic-full-name '@{u}' 2>/dev/null || true)" + if [ -n "$upstream" ]; then + git merge --ff-only "$upstream" + else + git pull --ff-only + fi + + new_rev="$(git rev-parse HEAD)" + built_rev_file="$output_dir/.blogbox-built-rev" + + if [ -f "$built_rev_file" ] && [ "$old_rev" = "$new_rev" ] && grep -qxF "$new_rev" "$built_rev_file"; then + echo "No blog repository updates since $new_rev; skipping Hugo build" + exit 0 + fi + + output_parent="$(dirname "$output_dir")" + mkdir -p "$output_parent" + + build_dir="$(mktemp -d "$output_parent/.hugo-build.XXXXXX")" + trap 'rm -rf "$build_dir"' EXIT + + # shellcheck disable=SC2086 + hugo --source "$repo_dir" --destination "$build_dir/public" --cleanDestinationDir $hugo_args + printf '%s\n' "$new_rev" > "$build_dir/public/.blogbox-built-rev" + + rm -rf "$output_dir.previous" + if [ -d "$output_dir" ]; then + mv "$output_dir" "$output_dir.previous" + fi + + mv "$build_dir/public" "$output_dir" + rm -rf "$output_dir.previous" + trap - EXIT + rm -rf "$build_dir" + + echo "Published blog revision $new_rev to $output_dir" + ''; + }; + + updateNamecheap = pkgs.writeShellApplication { + name = "blogbox-namecheap-ddns"; + runtimeInputs = [ + pkgs.curl + pkgs.gnugrep + ]; + text = '' + domain="''${NAMECHEAP_DOMAIN:-''${BLOGBOX_DOMAIN:-}}" + host="''${NAMECHEAP_HOST:-@}" + password="''${NAMECHEAP_DDNS_PASSWORD:-''${NAMECHEAP_PASSWORD:-}}" + + if [ -z "$domain" ] || [ -z "$password" ]; then + echo "Skipping Namecheap DDNS: BLOGBOX_DOMAIN/NAMECHEAP_DOMAIN or NAMECHEAP_DDNS_PASSWORD is not configured" + exit 0 + fi + + ip="''${NAMECHEAP_IP:-}" + if [ -z "$ip" ]; then + ip_url="''${NAMECHEAP_IP_URL:-https://dynamicdns.park-your-domain.com/getip}" + ip="$(curl --fail --silent --show-error --max-time 15 "$ip_url")" + fi + + response="$( + curl --fail --silent --show-error --get "https://dynamicdns.park-your-domain.com/update" \ + --data-urlencode "host=$host" \ + --data-urlencode "domain=$domain" \ + --data-urlencode "password=$password" \ + --data-urlencode "ip=$ip" + )" + + printf '%s\n' "$response" + + if printf '%s\n' "$response" | grep -qiE '0|true'; then + exit 0 + fi + + echo "Namecheap DDNS response did not indicate success" + exit 1 + ''; + }; +in +{ + options.alisceon.blogbox = { + enable = lib.mkEnableOption "blogbox static site publishing"; + + user = lib.mkOption { + type = lib.types.str; + default = "alisceon"; + description = "User that owns and updates the blog git repository."; + }; + + group = lib.mkOption { + type = lib.types.str; + default = "users"; + description = "Group for blogbox writable state."; + }; + + repoDirectoryName = lib.mkOption { + type = lib.types.str; + default = "blogbox-site"; + description = "Directory name under the user's home where the runtime git repository lives."; + }; + + outputDir = lib.mkOption { + type = lib.types.path; + default = "/var/lib/blogbox/public"; + description = "Stable directory served by Caddy and replaced after successful Hugo builds."; + }; + + environmentFile = lib.mkOption { + type = lib.types.path; + default = "/etc/blogbox/blogbox.env"; + description = "Runtime environment file for non-secret domain and repository settings."; + }; + + ddnsEnvironmentFile = lib.mkOption { + type = lib.types.path; + default = "/etc/blogbox/namecheap.env"; + description = "Runtime environment file for Namecheap dynamic DNS credentials."; + }; + + publishInterval = lib.mkOption { + type = lib.types.str; + default = "2min"; + description = "Interval for git pull and Hugo publish attempts."; + }; + + ddnsInterval = lib.mkOption { + type = lib.types.str; + default = "5min"; + description = "Interval for Namecheap dynamic DNS updates."; + }; + }; + + config = lib.mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + environment.etc."blogbox/blogbox.env.example".text = '' + # Required for HTTPS virtual hosting. + BLOGBOX_DOMAIN=example.com + + # Optional. Defaults to /home/${cfg.user}/${cfg.repoDirectoryName}. + # BLOGBOX_REPO_DIR=/home/${cfg.user}/${cfg.repoDirectoryName} + + # Optional. Defaults to ${outputDir}. + # BLOGBOX_OUTPUT_DIR=${outputDir} + + # Optional extra flags passed to hugo. Keep this shell-word-safe. + # BLOGBOX_HUGO_ARGS=--minify + ''; + + environment.etc."blogbox/namecheap.env.example".text = '' + # Required for Namecheap DDNS. + # NAMECHEAP_DOMAIN defaults to BLOGBOX_DOMAIN from blogbox.env when omitted. + # NAMECHEAP_DOMAIN=example.com + NAMECHEAP_HOST=@ + NAMECHEAP_DDNS_PASSWORD=change-me + + # Optional. If unset, the updater asks Namecheap for the current public IP. + # NAMECHEAP_IP=203.0.113.10 + ''; + + services.caddy = { + enable = true; + adapter = "caddyfile"; + configFile = caddyfile; + environmentFile = cfg.environmentFile; + }; + + systemd.tmpfiles.rules = [ + "d /etc/blogbox 0750 root root -" + "d ${outputParent} 0755 ${cfg.user} ${cfg.group} -" + "d ${outputDir} 0755 ${cfg.user} ${cfg.group} -" + ]; + + systemd.services = { + caddy.unitConfig.ConditionPathExists = cfg.environmentFile; + + blogbox-publish-site = { + description = "Pull and publish the blogbox Hugo site"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + serviceConfig = { + Type = "oneshot"; + User = cfg.user; + Group = cfg.group; + EnvironmentFile = [ "-${toString cfg.environmentFile}" ]; + Environment = [ + "HOME=${user.home}" + "GIT_TERMINAL_PROMPT=0" + ]; + Nice = 10; + IOSchedulingClass = "idle"; + TimeoutStartSec = "10min"; + }; + script = lib.getExe publishSite; + }; + + blogbox-namecheap-ddns = { + description = "Update Namecheap dynamic DNS for blogbox"; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + serviceConfig = { + Type = "oneshot"; + DynamicUser = true; + EnvironmentFile = [ + "-${toString cfg.environmentFile}" + "-${toString cfg.ddnsEnvironmentFile}" + ]; + Nice = 10; + IOSchedulingClass = "idle"; + TimeoutStartSec = "45s"; + }; + script = lib.getExe updateNamecheap; + }; + + blogbox-reload-caddy = { + description = "Restart Caddy after blogbox runtime configuration changes"; + serviceConfig.Type = "oneshot"; + script = '' + ${pkgs.systemd}/bin/systemctl restart caddy.service + ''; + }; + }; + + systemd.timers = { + blogbox-publish-site = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "2min"; + OnUnitActiveSec = cfg.publishInterval; + RandomizedDelaySec = "20s"; + Persistent = true; + }; + }; + + blogbox-namecheap-ddns = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1min"; + OnUnitActiveSec = cfg.ddnsInterval; + RandomizedDelaySec = "30s"; + Persistent = true; + }; + }; + }; + + systemd.paths.blogbox-reload-caddy = { + wantedBy = [ "multi-user.target" ]; + pathConfig = { + PathExists = cfg.environmentFile; + PathChanged = cfg.environmentFile; + }; + }; + }; +} diff --git a/nixos/modules/services/oci-secondary-vnics.nix b/nixos/modules/services/oci-secondary-vnics.nix new file mode 100644 index 0000000..6d6b94d --- /dev/null +++ b/nixos/modules/services/oci-secondary-vnics.nix @@ -0,0 +1,126 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.alisceon.ociSecondaryVnics; + + configureSecondaryVnics = pkgs.writeShellApplication { + name = "configure-oci-secondary-vnics"; + runtimeInputs = [ + pkgs.coreutils + pkgs.curl + pkgs.gnugrep + pkgs.iproute2 + pkgs.jq + pkgs.systemd + ]; + text = '' + metadata_url="http://169.254.169.254/opc/v2/vnics" + network_dir="/run/systemd/network" + mkdir -p "$network_dir" + + vnics="$(curl --fail --silent --show-error --max-time 10 \ + -H "Authorization: Bearer Oracle" \ + "$metadata_url")" + + index=0 + configured=0 + + while IFS= read -r vnic; do + index=$((index + 1)) + + mac="$(jq -r '.macAddr // empty' <<< "$vnic" | tr '[:upper:]' '[:lower:]')" + address="$(jq -r '.privateIp // empty' <<< "$vnic")" + cidr="$(jq -r '.subnetCidrBlock // empty' <<< "$vnic")" + gateway="$(jq -r '.virtualRouterIp // empty' <<< "$vnic")" + + if [ -z "$mac" ] || [ -z "$address" ] || [ -z "$cidr" ] || [ -z "$gateway" ]; then + echo "Skipping incomplete OCI VNIC metadata entry: $vnic" + continue + fi + + iface="$( + for candidate in /sys/class/net/*; do + [ -e "$candidate/address" ] || continue + candidate_mac="$(tr '[:upper:]' '[:lower:]' < "$candidate/address")" + if [ "$candidate_mac" = "$mac" ]; then + basename "$candidate" + break + fi + done + )" + + if [ -z "$iface" ]; then + echo "Skipping OCI VNIC $mac: no matching Linux interface" + continue + fi + + if ip -4 address show dev "$iface" | grep -q "inet $address/"; then + echo "OCI VNIC $iface already has $address configured" + continue + fi + + prefix="''${cidr#*/}" + table=$((1000 + index)) + priority=$((1000 + index)) + unit_name="$(systemd-escape --template=20-oci-secondary-vnic@.network "$iface")" + network_file="$network_dir/$unit_name" + + { + printf '%s\n' \ + "[Match]" \ + "MACAddress=$mac" \ + "" \ + "[Link]" \ + "MTUBytes=9000" \ + "" \ + "[Network]" \ + "Address=$address/$prefix" \ + "" \ + "[Route]" \ + "Destination=$cidr" \ + "Scope=link" \ + "Table=$table" \ + "" \ + "[Route]" \ + "Gateway=$gateway" \ + "GatewayOnLink=yes" \ + "Table=$table" \ + "" \ + "[RoutingPolicyRule]" \ + "From=$address/32" \ + "Table=$table" \ + "Priority=$priority" + } > "$network_file" + + echo "Configuring OCI secondary VNIC $iface as $address/$prefix via $gateway in table $table" + networkctl reload + networkctl reconfigure "$iface" + configured=1 + done < <(jq -c '.[]' <<< "$vnics") + + if [ "$configured" = 0 ]; then + echo "No unconfigured OCI secondary VNICs found" + fi + ''; + }; +in +{ + options.alisceon.ociSecondaryVnics.enable = + lib.mkEnableOption "runtime configuration of OCI secondary VNICs from instance metadata"; + + config = lib.mkIf cfg.enable { + systemd.services.configure-oci-secondary-vnics = { + description = "Configure OCI secondary VNICs from instance metadata"; + after = [ + "network-online.target" + "systemd-networkd.service" + ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = lib.getExe configureSecondaryVnics; + }; + }; +}