alisceon/nixos_config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: alisceon:ecde469fe7c83c3ef26e11e72f8c73ceec755893
Branches Tags
alisceon:main
alisceon:development
..
compare: alisceon:56961c34faa0801b6e67d59054ad29a78b775754
Branches Tags
alisceon:main
alisceon:development

No commits in common. "ecde469fe7c83c3ef26e11e72f8c73ceec755893" and "56961c34faa0801b6e67d59054ad29a78b775754" have entirely different histories.
ecde469fe7 ... 56961c34fa

8 changed files with 323 additions and 509 deletions
Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -175,6 +175,7 @@
system = "x86_64-linux"; system = "x86_64-linux";
nixosModules = serverModules; nixosModules = serverModules;
hmModules = serverHomeModules; hmModules = serverHomeModules;
homeManagerUsers = false;
}; };
}; };
}; };

6
home/modules/programs/ssh.nix
View file

@ -23,12 +23,12 @@
"blogbox-2" = { "blogbox-2" = {
hostname = "10.1.0.11"; hostname = "10.1.0.11";
proxyJump = "alisceon-core"; proxyJump = "alisceon-core";
user = "alisceon"; user = "opc";
}; };
"blogbox-1" = { "blogbox-1" = {
hostname = "10.1.0.10"; hostname = "10.1.0.247";
proxyJump = "alisceon-core"; proxyJump = "alisceon-core";
user = "alisceon"; user = "opc";
}; };
"filurbox" = { "filurbox" = {
hostname = "oci.malice.zone"; hostname = "oci.malice.zone";

2
nixos/hosts/alisceon-core/configuration.nix
View file

@ -6,7 +6,6 @@
../../modules/services/forgejo.nix ../../modules/services/forgejo.nix
../../modules/services/nginx.nix ../../modules/services/nginx.nix
../../modules/services/oci-authorized-keys.nix ../../modules/services/oci-authorized-keys.nix
../../modules/services/oci-secondary-vnics.nix
../../modules/services/tor.nix ../../modules/services/tor.nix
]; ];
@ -70,7 +69,6 @@
defaultShell = "/run/current-system/sw/bin/xonsh"; defaultShell = "/run/current-system/sw/bin/xonsh";
}; };
ociAuthorizedKeys.enable = true; ociAuthorizedKeys.enable = true;
ociSecondaryVnics.enable = true;
}; };
security = { security = {

365
nixos/hosts/blogbox/configuration.nix
View file

@ -1,23 +1,121 @@
{ lib, pkgs, modulesPath, ... }: { lib, pkgs, modulesPath, ... }:
let
siteDomain = "blogbox.alisceon.com";
repoDir = "/home/alisceon/blogbox-site";
stateDir = "/var/lib/blogbox";
publicDir = "${stateDir}/www";
updateBlogboxSite = pkgs.writeShellApplication {
name = "update-blogbox-site";
runtimeInputs = [
pkgs.coreutils
pkgs.git
pkgs.hugo
pkgs.rsync
];
text = ''
set -euo pipefail
if [ ! -d ${lib.escapeShellArg repoDir}/.git ]; then
echo "${repoDir} is not a git checkout yet; skipping Hugo publish"
exit 0
fi
install -d -m 0755 ${lib.escapeShellArg stateDir} ${lib.escapeShellArg publicDir}
git -C ${lib.escapeShellArg repoDir} pull --ff-only
git -C ${lib.escapeShellArg repoDir} submodule sync --recursive
git -C ${lib.escapeShellArg repoDir} submodule update --init --recursive
rm -rf ${lib.escapeShellArg stateDir}/hugo-public
hugo \
--source ${lib.escapeShellArg repoDir} \
--destination ${lib.escapeShellArg stateDir}/hugo-public \
--minify \
--cleanDestinationDir
rsync -a --delete ${lib.escapeShellArg stateDir}/hugo-public/ ${lib.escapeShellArg publicDir}/
'';
};
updateNamecheapDyndns = pkgs.writeShellApplication {
name = "update-namecheap-dyndns";
runtimeInputs = [
pkgs.coreutils
pkgs.ddclient
];
text = ''
set -euo pipefail
: "''${NAMECHEAP_DOMAIN:?Set NAMECHEAP_DOMAIN in /etc/blogbox-namecheap-ddns.env}"
: "''${NAMECHEAP_PASSWORD:?Set NAMECHEAP_PASSWORD in /etc/blogbox-namecheap-ddns.env}"
: "''${NAMECHEAP_HOSTS:?Set NAMECHEAP_HOSTS in /etc/blogbox-namecheap-ddns.env}"
config_file="''${RUNTIME_DIRECTORY}/ddclient.conf"
install -m 0600 /dev/null "$config_file"
{
printf 'daemon=0\n'
printf 'cache=/var/cache/blogbox-dyndns/ddclient.cache\n'
printf 'ssl=yes\n'
printf 'protocol=namecheap\n'
printf 'usev4=webv4, webv4=dynamicdns.park-your-domain.com/getip\n'
printf 'server=dynamicdns.park-your-domain.com\n'
printf 'login=%s\n' "$NAMECHEAP_DOMAIN"
printf 'password=%s\n' "$NAMECHEAP_PASSWORD"
printf '%s\n' "$NAMECHEAP_HOSTS"
} > "$config_file"
ddclient -file "$config_file"
'';
};
ensureBlogboxSwapfile = pkgs.writeShellApplication {
name = "ensure-blogbox-swapfile";
runtimeInputs = [
pkgs.coreutils
pkgs.gnugrep
pkgs.util-linux
];
text = ''
set -euo pipefail
if swapon --show=NAME --noheadings | grep -Fxq /swapfile; then
exit 0
fi
if [ ! -f /swapfile ] || [ "$(stat -c %s /swapfile)" -ne 8589934592 ]; then
rm -f /swapfile
install -m 0600 /dev/null /swapfile
fallocate -l 8G /swapfile || dd if=/dev/zero of=/swapfile bs=1M count=8192 status=none
chmod 0600 /swapfile
fi
mkswap -f /swapfile
swapon /swapfile
'';
};
in
{ {
imports = [ imports = [
"${modulesPath}/virtualisation/oci-image.nix" "${modulesPath}/virtualisation/oci-image.nix"
../../modules/services/blogbox.nix
../../modules/services/cloud-init.nix ../../modules/services/cloud-init.nix
../../modules/services/nginx.nix
../../modules/services/oci-authorized-keys.nix ../../modules/services/oci-authorized-keys.nix
]; ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
oci.efi = lib.mkForce false; oci.efi = lib.mkForce false;
virtualisation.diskSize = lib.mkForce (16 * 1024);
virtualisation.diskSize = lib.mkForce (8 * 1024);
networking = { networking = {
hostName = "blogbox"; hostName = "blogbox";
networkmanager.enable = lib.mkForce false; networkmanager.enable = lib.mkForce false;
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [
22 22
80
443
]; ];
}; };
@ -36,16 +134,59 @@
"crash_kexec_post_notifiers" "crash_kexec_post_notifiers"
"console=tty1" "console=tty1"
"console=ttyS0,115200n8" "console=ttyS0,115200n8"
"earlyprintk=serial,ttyS0,115200"
"loglevel=7"
"systemd.log_target=console"
"systemd.journald.forward_to_console=1"
]; ];
kernelPackages = lib.mkForce pkgs.linuxPackages; kernelPackages = lib.mkForce pkgs.linuxPackages;
loader.grub.configurationLimit = lib.mkForce 3;
loader.systemd-boot.configurationLimit = lib.mkForce 3; loader.systemd-boot.configurationLimit = lib.mkForce 3;
}; };
documentation = {
enable = lib.mkForce false;
man.enable = lib.mkForce false;
doc.enable = lib.mkForce false;
info.enable = lib.mkForce false;
nixos.enable = lib.mkForce false;
};
environment = {
defaultPackages = lib.mkForce [ ];
shells = lib.mkForce [ pkgs.bash ];
systemPackages = lib.mkForce (with pkgs; [
curl
git
hugo
vim
]);
};
programs = {
command-not-found.enable = lib.mkForce false;
fish.enable = lib.mkForce false;
fzf.fuzzyCompletion = lib.mkForce false;
xonsh.enable = lib.mkForce false;
};
users = {
defaultUserShell = lib.mkForce pkgs.bash;
groups.blogbox-dyndns = { };
users.alisceon = {
createHome = true;
extraGroups = lib.mkForce [ "wheel" "systemd-journal" ];
openssh.authorizedKeys.keys = [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPN1Cd2UlHo03Jqgi5Yb4io/3gh/X4wCb8LcmKlpAovQa271CKDBtYOUKn+Fts03g6dBMfaWMty6VGPMGDMONmc= alisceon@electra"
];
shell = lib.mkForce pkgs.bash;
};
users.blogbox-dyndns = {
group = "blogbox-dyndns";
isSystemUser = true;
};
};
alisceon = {
cloud-init.enable = true;
ociAuthorizedKeys.enable = true;
};
nix = { nix = {
settings = { settings = {
cores = lib.mkForce 1; cores = lib.mkForce 1;
@ -59,22 +200,9 @@
}; };
}; };
virtualisation = { system.autoUpgrade = {
containers.enable = lib.mkForce false; persistent = lib.mkForce false;
docker.enable = lib.mkForce false; randomizedDelaySec = lib.mkForce "4h";
libvirtd = {
enable = lib.mkForce false;
qemu.swtpm.enable = lib.mkForce false;
};
podman.enable = lib.mkForce false;
};
users.users.alisceon.extraGroups = [ "systemd-journal" ];
alisceon = {
blogbox.enable = true;
cloud-init.enable = true;
ociAuthorizedKeys.enable = true;
}; };
security = { security = {
@ -85,57 +213,188 @@
sudo-rs.wheelNeedsPassword = false; sudo-rs.wheelNeedsPassword = false;
}; };
services.openssh.settings = { services = {
openssh.settings = {
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
PasswordAuthentication = false; PasswordAuthentication = false;
PermitRootLogin = lib.mkForce "no"; PermitRootLogin = lib.mkForce "prohibit-password";
}; };
services.journald.extraConfig = '' journald.extraConfig = ''
SystemMaxUse=64M SystemMaxUse=64M
RuntimeMaxUse=32M RuntimeMaxUse=32M
''; '';
system.autoUpgrade = { nginx.virtualHosts.${siteDomain} = {
enable = lib.mkForce true; serverName = siteDomain;
persistent = lib.mkForce true; forceSSL = true;
enableACME = true;
root = publicDir;
locations."/".extraConfig = ''
try_files $uri $uri/ =404;
'';
};
}; };
systemd = { systemd = {
services = { tmpfiles.rules = [
dev-flake-garbage-collect.enable = lib.mkForce false; "d ${repoDir} 0755 alisceon users - -"
nixos-upgrade.serviceConfig = { "d ${stateDir} 0755 alisceon users - -"
"d ${publicDir} 0755 alisceon users - -"
];
services.update-blogbox-site = {
description = "Pull and publish the Blogbox Hugo site";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = "alisceon";
Group = "users";
ExecStart = lib.getExe updateBlogboxSite;
Nice = 10;
IOSchedulingClass = "idle";
LockPersonality = true;
MemoryHigh = "384M";
MemoryMax = "512M";
NoNewPrivileges = true;
OOMPolicy = "stop";
PrivateDevices = true;
PrivateIPC = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ReadWritePaths = [
repoDir
stateDir
];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
TimeoutStartSec = "15min";
UMask = "0022";
};
};
services.blogbox-dyndns = {
description = "Update Namecheap dynamic DNS records for Blogbox";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
unitConfig.ConditionPathExists = "/etc/blogbox-namecheap-ddns.env";
serviceConfig = {
Type = "oneshot";
User = "blogbox-dyndns";
Group = "blogbox-dyndns";
ExecStart = lib.getExe updateNamecheapDyndns;
CacheDirectory = "blogbox-dyndns";
EnvironmentFile = "/etc/blogbox-namecheap-ddns.env";
LockPersonality = true;
MemoryMax = "128M";
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
OOMPolicy = "stop";
PrivateDevices = true;
PrivateIPC = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RuntimeDirectory = "blogbox-dyndns";
RuntimeDirectoryMode = "0700";
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = "@system-service";
TimeoutStartSec = "2min";
UMask = "0177";
};
};
timers.update-blogbox-site = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "10min";
OnUnitInactiveSec = "5min";
Persistent = true;
};
};
timers.blogbox-dyndns = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5min";
OnUnitInactiveSec = "10min";
Persistent = true;
};
};
};
systemd.services.nixos-upgrade.serviceConfig = {
IOSchedulingClass = "idle"; IOSchedulingClass = "idle";
MemoryHigh = "512M"; MemoryHigh = "512M";
MemoryMax = "900M"; MemoryMax = "768M";
Nice = 15; Nice = 15;
OOMPolicy = "stop"; OOMPolicy = "stop";
}; };
};
timers.dev-flake-garbage-collect.enable = lib.mkForce false; systemd.services.growpart.serviceConfig = {
IOSchedulingClass = "idle";
Nice = 15;
TimeoutStartSec = "2min";
}; };
services.cloud-init.settings.disable_root = true; systemd.services.blogbox-swapfile = {
description = "Create and enable Blogbox swapfile";
environment.systemPackages = with pkgs; [ after = [
curl "sshd.service"
git "systemd-growfs-root.service"
htop
jq
vim
wget
];
swapDevices = [
{
device = "/swapfile";
size = 4096;
}
]; ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = lib.getExe ensureBlogboxSwapfile;
IOSchedulingClass = "idle";
Nice = 19;
RemainAfterExit = true;
TimeoutStartSec = "20min";
};
};
zramSwap = { zramSwap = {
enable = true; enable = true;
memoryPercent = 75; memoryPercent = 50;
};
virtualisation = {
containers.enable = lib.mkForce false;
docker.enable = lib.mkForce false;
libvirtd = {
enable = lib.mkForce false;
qemu.swtpm.enable = lib.mkForce false;
};
podman.enable = lib.mkForce false;
}; };
system.stateVersion = lib.mkForce "25.11"; system.stateVersion = lib.mkForce "25.11";

1
nixos/modules/profiles/workstation.nix
View file

@ -114,7 +114,6 @@ in
pkgs.plymouth pkgs.plymouth
pkgs.xhost pkgs.xhost
(pkgs.bottles.override { removeWarningPopup = true; }) (pkgs.bottles.override { removeWarningPopup = true; })
pkgs.hydra-check
]; ];
sessionVariables.NIXOS_OZONE_WL = "1"; sessionVariables.NIXOS_OZONE_WL = "1";
}; };

313
nixos/modules/services/blogbox.nix
View file

@ -1,313 +0,0 @@
{
config,
lib,
pkgs,
pkgs-unstable,
...
}:
let
cfg = config.alisceon.blogbox;
user = config.users.users.${cfg.user};
repoDir = "${user.home}/${cfg.repoDirectoryName}";
outputDir = toString cfg.outputDir;
outputParent = dirOf outputDir;
caddyfile = pkgs.writeText "blogbox-Caddyfile" ''
{$BLOGBOX_DOMAIN} {
encode zstd gzip
root * ${outputDir}
file_server
}
'';
publishSite = pkgs.writeShellApplication {
name = "blogbox-publish-site";
runtimeInputs = [
pkgs.coreutils
pkgs.git
pkgs.gnugrep
pkgs-unstable.hugo
];
text = ''
repo_dir="''${BLOGBOX_REPO_DIR:-${repoDir}}"
output_dir="''${BLOGBOX_OUTPUT_DIR:-${outputDir}}"
hugo_args="''${BLOGBOX_HUGO_ARGS:-}"
if [ ! -d "$repo_dir/.git" ]; then
echo "Skipping blog publish: $repo_dir is not an initialized git repository"
exit 0
fi
cd "$repo_dir"
old_rev="$(git rev-parse HEAD 2>/dev/null || true)"
if [ -z "$old_rev" ]; then
echo "Skipping blog publish: unable to resolve HEAD in $repo_dir"
exit 0
fi
if ! git remote get-url origin >/dev/null 2>&1; then
echo "Skipping blog publish: $repo_dir has no origin remote"
exit 0
fi
git fetch --prune --tags origin
upstream="$(git rev-parse --abbrev-ref --symbolic-full-name '@{u}' 2>/dev/null || true)"
if [ -n "$upstream" ]; then
git merge --ff-only "$upstream"
else
git pull --ff-only
fi
new_rev="$(git rev-parse HEAD)"
built_rev_file="$output_dir/.blogbox-built-rev"
if [ -f "$built_rev_file" ] && [ "$old_rev" = "$new_rev" ] && grep -qxF "$new_rev" "$built_rev_file"; then
echo "No blog repository updates since $new_rev; skipping Hugo build"
exit 0
fi
output_parent="$(dirname "$output_dir")"
mkdir -p "$output_parent"
build_dir="$(mktemp -d "$output_parent/.hugo-build.XXXXXX")"
trap 'rm -rf "$build_dir"' EXIT
# shellcheck disable=SC2086
hugo --source "$repo_dir" --destination "$build_dir/public" --cleanDestinationDir $hugo_args
printf '%s\n' "$new_rev" > "$build_dir/public/.blogbox-built-rev"
rm -rf "$output_dir.previous"
if [ -d "$output_dir" ]; then
mv "$output_dir" "$output_dir.previous"
fi
mv "$build_dir/public" "$output_dir"
rm -rf "$output_dir.previous"
trap - EXIT
rm -rf "$build_dir"
echo "Published blog revision $new_rev to $output_dir"
'';
};
updateNamecheap = pkgs.writeShellApplication {
name = "blogbox-namecheap-ddns";
runtimeInputs = [
pkgs.curl
pkgs.gnugrep
];
text = ''
domain="''${NAMECHEAP_DOMAIN:-''${BLOGBOX_DOMAIN:-}}"
host="''${NAMECHEAP_HOST:-@}"
password="''${NAMECHEAP_DDNS_PASSWORD:-''${NAMECHEAP_PASSWORD:-}}"
if [ -z "$domain" ] || [ -z "$password" ]; then
echo "Skipping Namecheap DDNS: BLOGBOX_DOMAIN/NAMECHEAP_DOMAIN or NAMECHEAP_DDNS_PASSWORD is not configured"
exit 0
fi
ip="''${NAMECHEAP_IP:-}"
if [ -z "$ip" ]; then
ip_url="''${NAMECHEAP_IP_URL:-https://dynamicdns.park-your-domain.com/getip}"
ip="$(curl --fail --silent --show-error --max-time 15 "$ip_url")"
fi
response="$(
curl --fail --silent --show-error --get "https://dynamicdns.park-your-domain.com/update" \
--data-urlencode "host=$host" \
--data-urlencode "domain=$domain" \
--data-urlencode "password=$password" \
--data-urlencode "ip=$ip"
)"
printf '%s\n' "$response"
if printf '%s\n' "$response" | grep -qiE '<ErrCount>0</ErrCount>|<Done>true</Done>'; then
exit 0
fi
echo "Namecheap DDNS response did not indicate success"
exit 1
'';
};
in
{
options.alisceon.blogbox = {
enable = lib.mkEnableOption "blogbox static site publishing";
user = lib.mkOption {
type = lib.types.str;
default = "alisceon";
description = "User that owns and updates the blog git repository.";
};
group = lib.mkOption {
type = lib.types.str;
default = "users";
description = "Group for blogbox writable state.";
};
repoDirectoryName = lib.mkOption {
type = lib.types.str;
default = "blogbox-site";
description = "Directory name under the user's home where the runtime git repository lives.";
};
outputDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/blogbox/public";
description = "Stable directory served by Caddy and replaced after successful Hugo builds.";
};
environmentFile = lib.mkOption {
type = lib.types.path;
default = "/etc/blogbox/blogbox.env";
description = "Runtime environment file for non-secret domain and repository settings.";
};
ddnsEnvironmentFile = lib.mkOption {
type = lib.types.path;
default = "/etc/blogbox/namecheap.env";
description = "Runtime environment file for Namecheap dynamic DNS credentials.";
};
publishInterval = lib.mkOption {
type = lib.types.str;
default = "2min";
description = "Interval for git pull and Hugo publish attempts.";
};
ddnsInterval = lib.mkOption {
type = lib.types.str;
default = "5min";
description = "Interval for Namecheap dynamic DNS updates.";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
80
443
];
environment.etc."blogbox/blogbox.env.example".text = ''
# Required for HTTPS virtual hosting.
BLOGBOX_DOMAIN=example.com
# Optional. Defaults to /home/${cfg.user}/${cfg.repoDirectoryName}.
# BLOGBOX_REPO_DIR=/home/${cfg.user}/${cfg.repoDirectoryName}
# Optional. Defaults to ${outputDir}.
# BLOGBOX_OUTPUT_DIR=${outputDir}
# Optional extra flags passed to hugo. Keep this shell-word-safe.
# BLOGBOX_HUGO_ARGS=--minify
'';
environment.etc."blogbox/namecheap.env.example".text = ''
# Required for Namecheap DDNS.
# NAMECHEAP_DOMAIN defaults to BLOGBOX_DOMAIN from blogbox.env when omitted.
# NAMECHEAP_DOMAIN=example.com
NAMECHEAP_HOST=@
NAMECHEAP_DDNS_PASSWORD=change-me
# Optional. If unset, the updater asks Namecheap for the current public IP.
# NAMECHEAP_IP=203.0.113.10
'';
services.caddy = {
enable = true;
adapter = "caddyfile";
configFile = caddyfile;
environmentFile = cfg.environmentFile;
};
systemd.tmpfiles.rules = [
"d /etc/blogbox 0750 root root -"
"d ${outputParent} 0755 ${cfg.user} ${cfg.group} -"
"d ${outputDir} 0755 ${cfg.user} ${cfg.group} -"
];
systemd.services = {
caddy.unitConfig.ConditionPathExists = cfg.environmentFile;
blogbox-publish-site = {
description = "Pull and publish the blogbox Hugo site";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
EnvironmentFile = [ "-${toString cfg.environmentFile}" ];
Environment = [
"HOME=${user.home}"
"GIT_TERMINAL_PROMPT=0"
];
Nice = 10;
IOSchedulingClass = "idle";
TimeoutStartSec = "10min";
};
script = lib.getExe publishSite;
};
blogbox-namecheap-ddns = {
description = "Update Namecheap dynamic DNS for blogbox";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
DynamicUser = true;
EnvironmentFile = [
"-${toString cfg.environmentFile}"
"-${toString cfg.ddnsEnvironmentFile}"
];
Nice = 10;
IOSchedulingClass = "idle";
TimeoutStartSec = "45s";
};
script = lib.getExe updateNamecheap;
};
blogbox-reload-caddy = {
description = "Restart Caddy after blogbox runtime configuration changes";
serviceConfig.Type = "oneshot";
script = ''
${pkgs.systemd}/bin/systemctl restart caddy.service
'';
};
};
systemd.timers = {
blogbox-publish-site = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "2min";
OnUnitActiveSec = cfg.publishInterval;
RandomizedDelaySec = "20s";
Persistent = true;
};
};
blogbox-namecheap-ddns = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = cfg.ddnsInterval;
RandomizedDelaySec = "30s";
Persistent = true;
};
};
};
systemd.paths.blogbox-reload-caddy = {
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathExists = cfg.environmentFile;
PathChanged = cfg.environmentFile;
};
};
};
}

6
nixos/modules/services/oci-authorized-keys.nix
View file

@ -84,11 +84,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
systemd.services.fetch-oci-authorized-keys = { systemd.services.fetch-oci-authorized-keys = {
description = "Fetch OCI metadata authorized_keys for ${cfg.user}"; description = "Fetch OCI metadata authorized_keys for ${cfg.user}";
wantedBy = [ wantedBy = [ "multi-user.target" ];
"sshd.service"
"multi-user.target"
];
before = [ "sshd.service" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
serviceConfig = { serviceConfig = {

126
nixos/modules/services/oci-secondary-vnics.nix
View file

@ -1,126 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.alisceon.ociSecondaryVnics;
configureSecondaryVnics = pkgs.writeShellApplication {
name = "configure-oci-secondary-vnics";
runtimeInputs = [
pkgs.coreutils
pkgs.curl
pkgs.gnugrep
pkgs.iproute2
pkgs.jq
pkgs.systemd
];
text = ''
metadata_url="http://169.254.169.254/opc/v2/vnics"
network_dir="/run/systemd/network"
mkdir -p "$network_dir"
vnics="$(curl --fail --silent --show-error --max-time 10 \
-H "Authorization: Bearer Oracle" \
"$metadata_url")"
index=0
configured=0
while IFS= read -r vnic; do
index=$((index + 1))
mac="$(jq -r '.macAddr // empty' <<< "$vnic" | tr '[:upper:]' '[:lower:]')"
address="$(jq -r '.privateIp // empty' <<< "$vnic")"
cidr="$(jq -r '.subnetCidrBlock // empty' <<< "$vnic")"
gateway="$(jq -r '.virtualRouterIp // empty' <<< "$vnic")"
if [ -z "$mac" ] || [ -z "$address" ] || [ -z "$cidr" ] || [ -z "$gateway" ]; then
echo "Skipping incomplete OCI VNIC metadata entry: $vnic"
continue
fi
iface="$(
for candidate in /sys/class/net/*; do
[ -e "$candidate/address" ] || continue
candidate_mac="$(tr '[:upper:]' '[:lower:]' < "$candidate/address")"
if [ "$candidate_mac" = "$mac" ]; then
basename "$candidate"
break
fi
done
)"
if [ -z "$iface" ]; then
echo "Skipping OCI VNIC $mac: no matching Linux interface"
continue
fi
if ip -4 address show dev "$iface" | grep -q "inet $address/"; then
echo "OCI VNIC $iface already has $address configured"
continue
fi
prefix="''${cidr#*/}"
table=$((1000 + index))
priority=$((1000 + index))
unit_name="$(systemd-escape --template=20-oci-secondary-vnic@.network "$iface")"
network_file="$network_dir/$unit_name"
{
printf '%s\n' \
"[Match]" \
"MACAddress=$mac" \
"" \
"[Link]" \
"MTUBytes=9000" \
"" \
"[Network]" \
"Address=$address/$prefix" \
"" \
"[Route]" \
"Destination=$cidr" \
"Scope=link" \
"Table=$table" \
"" \
"[Route]" \
"Gateway=$gateway" \
"GatewayOnLink=yes" \
"Table=$table" \
"" \
"[RoutingPolicyRule]" \
"From=$address/32" \
"Table=$table" \
"Priority=$priority"
} > "$network_file"
echo "Configuring OCI secondary VNIC $iface as $address/$prefix via $gateway in table $table"
networkctl reload
networkctl reconfigure "$iface"
configured=1
done < <(jq -c '.[]' <<< "$vnics")
if [ "$configured" = 0 ]; then
echo "No unconfigured OCI secondary VNICs found"
fi
'';
};
in
{
options.alisceon.ociSecondaryVnics.enable =
lib.mkEnableOption "runtime configuration of OCI secondary VNICs from instance metadata";
config = lib.mkIf cfg.enable {
systemd.services.configure-oci-secondary-vnics = {
description = "Configure OCI secondary VNICs from instance metadata";
after = [
"network-online.target"
"systemd-networkd.service"
];
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = lib.getExe configureSecondaryVnics;
};
};
}