From 5fd49b6456c2a8c10861fbc57e9e4f78a0cb63f3 Mon Sep 17 00:00:00 2001 From: "RingOfStorms (Joshua Bell)" Date: Sat, 8 Mar 2025 22:48:25 -0600 Subject: [PATCH] o001 works finally --- hosts/linode/l002/nginx.nix | 29 ----- hosts/oracle/o001/configuration.nix | 29 ++--- hosts/oracle/o001/containers.nix | 63 ----------- hosts/oracle/o001/containers/tests.nix | 39 ------- hosts/oracle/o001/flake.lock | 112 +------------------ hosts/oracle/o001/flake.nix | 7 +- hosts/oracle/o001/hardware-configuration.nix | 47 ++------ hosts/oracle/o001/nginx.nix | 70 ++++++------ hosts/oracle/oracle.nix | 43 ------- hosts/oracle/readme.md | 7 ++ 10 files changed, 60 insertions(+), 386 deletions(-) delete mode 100644 hosts/oracle/o001/containers.nix delete mode 100644 hosts/oracle/o001/containers/tests.nix delete mode 100644 hosts/oracle/oracle.nix diff --git a/hosts/linode/l002/nginx.nix b/hosts/linode/l002/nginx.nix index 6e5d5cf..3cfac9d 100644 --- a/hosts/linode/l002/nginx.nix +++ b/hosts/linode/l002/nginx.nix @@ -151,7 +151,6 @@ }; # STREAMS - # TODO left off trying to get direct ssh working... streamConfig = '' server { listen 3032; 
@@ -160,37 +159,9 @@ ''; }; - # this breaks on restart on the server side no idea, can no longer ssh in 22 normally - # Convoluted way to get ssh to work for git server while also still allowing - # ssh connections to the machine normally (you can't have nginx bind port 22 since sshd does) - # but sshd allows us to use a ForceCommand that we cna then proxy through - # environment.systemPackages = with pkgs; [ - # # NOTE requires nc which I am getting from somewhere.... would be better to put it here in sys packs? - # (writeScriptBin "proxy-to-git" '' - # #!${pkgs.bash}/bin/bash - # nc 100.64.0.2 6611 - # '') - # ]; - # - # # TODO havent gotten this fully working yet - # - # services.openssh.extraConfig = '' - # Match Host git.joshuabell.xyz - # ForceCommand proxy-to-git - # PermitTTY no - # X11Forwarding no - # PermitTunnel no - # GatewayPorts no - # AllowAgentForwarding no - # ''; - networking.firewall.allowedTCPPorts = [ 80 # web http 443 # web https 3032 # git ssh stream ]; - - networking.firewall.allowedUDPPorts = [ - 4242 # nebula - ]; } diff --git a/hosts/oracle/o001/configuration.nix b/hosts/oracle/o001/configuration.nix index f9a6484..50a0d5e 100644 --- a/hosts/oracle/o001/configuration.nix +++ b/hosts/oracle/o001/configuration.nix 
@@ -1,24 +1,9 @@
-{ config, lib, pkgs, ... }:
-
+{ ... }:
 {
- # Use the systemd-boot EFI boot loader.
- boot.loader.systemd-boot.enable = true;
- boot.loader.efi.canTouchEfiVariables = true;
- system.stateVersion = "25.05"; # Did you read the comment?
- # boot.supportedFilesystems = [ "zfs" ];
-
-
- boot.kernelParams = [ "net.ifnames=0" ];
- networking.useDHCP = false; # deprecated flag, set to false until removed
- networking = {
- defaultGateway = "10.0.0.1";
- nameservers = [ "9.9.9.9" ];
- interfaces.eth0 = {
- ipAddress = "149.130.211.142";
- prefixLength = 24;
- };
- };
-
- networking.firewall.enable = true;
- networking.firewall.allowPing = true;
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = false;
+ networking.hostName = "o001";
+ networking.domain = "subnet01171946.vcn01171946.oraclevcn.com";
+ services.openssh.enable = true;
+ system.stateVersion = "23.11";
 }
diff --git a/hosts/oracle/o001/containers.nix b/hosts/oracle/o001/containers.nix
deleted file mode 100644
index 23aad76..0000000
--- a/hosts/oracle/o001/containers.nix
+++ /dev/null
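Review bot: `services.openssh.enable = true;` on the new side brings sshd up with module defaults, while the `settings.PasswordAuthentication = false;` that hosts/oracle/oracle.nix carried is deleted in this same commit and is not re-added anywhere visible, so unless mod_common sets it this host now accepts password logins on port 22. The deploy path is key-based (root key in flake.nix), so `services.openssh = { enable = true; settings.PasswordAuthentication = false; };` keeps the previous posture at no cost. `system.stateVersion` also moves from "25.05" to "23.11"; if that is the value the nixos-infect install recorded it is the right one to keep, but a short comment saying so would stop the next reader from "correcting" it.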
@@ -1,63 +0,0 @@
-{
- config,
- ...
-}:
-{
-
- # NOTE some useful links
- # nixos containers: https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html
- # https://nixos.wiki/wiki/NixOS_Containers
- options = {};
-
- imports = [
- ./containers/tests.nix
- ];
-
- config = {
- ## Give internet access
- # networking.nat.enable = true;
- # networking.nat.internalInterfaces = [ "ve-*" ];
- # networking.nat.externalInterface = "eth0";
-
- virtualisation.oci-containers.backend = "docker";
-
- security.acme.acceptTerms = true;
- security.acme.defaults.email = "admin@joshuabell.xyz";
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- virtualHosts = {
- "local.belljm.com" = {
- # enableACME = true;
- # forceSSL = true;
- locations."/".proxyPass = "http://${config.containers.wasabi.localAddress}:80";
- };
- "127.0.0.1" = {
- locations."/wasabi/" = {
- extraConfig = ''
- rewrite ^/wasabi/(.*) /$1 break;
- '';
- proxyPass = "http://${config.containers.wasabi.localAddress}:80/";
- };
- locations."/" = {
- return = "404"; # or 444 for drop
- };
- };
- "_" = {
- default = true;
- locations."/" = {
- return = "404"; # or 444 for drop
- };
- };
- };
- };
-
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
- };
-}
diff --git a/hosts/oracle/o001/containers/tests.nix b/hosts/oracle/o001/containers/tests.nix
deleted file mode 100644
index b4c6659..0000000
--- a/hosts/oracle/o001/containers/tests.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{
- ...
-}:
-{
- options = { };
-
- config = {
- # Random test, visit http://192.168.100.11/
- containers.wasabi = {
- ephemeral = true;
- autoStart = true;
- privateNetwork = true;
- hostAddress = "192.168.100.2";
- localAddress = "192.168.100.11";
- config =
- { config, pkgs, ... }:
- {
- system.stateVersion = "24.11";
- services.httpd.enable = true;
- services.httpd.adminAddr = "foo@example.org";
- networking.firewall = {
- enable = true;
- allowedTCPPorts = [ 80 ];
- };
- };
- };
-
- virtualisation.oci-containers.containers = {
- # Example of defining a container, visit http://localhost:8085/
- "nginx_simple" = {
- # autoStart = true; this is default true
- image = "nginx:latest";
- ports = [
- "127.0.0.1:8085:80"
- ];
- };
- };
- };
-}
diff --git a/hosts/oracle/o001/flake.lock b/hosts/oracle/o001/flake.lock
index 8e22d2d..f536f0f 100644
--- a/hosts/oracle/o001/flake.lock
+++ b/hosts/oracle/o001/flake.lock
@@ -57,56 +57,6 @@ "url": "https://git.joshuabell.xyz/dotfiles" } }, - "mod_nebula": { - "locked": { - "lastModified": 1737504380, - "narHash": "sha256-fCUUWkXAzsJDdZuGoG4GhAMdGld4J8cvDtzo6SlB9Dg=", - "ref": "mod_nebula", - "rev": "70cea59e9f1f750fd0aee8cde8cd54aee8601336", - "revCount": 5, - "type": "git", - "url": "https://git.joshuabell.xyz/dotfiles" - }, - "original": { - "ref": "mod_nebula", - "type": "git", - "url": "https://git.joshuabell.xyz/dotfiles" - } - }, - "mod_ros_stormd": { - "inputs": { - "ringofstorms-stormd": "ringofstorms-stormd" - }, - "locked": { - "lastModified": 1736544199, - "narHash": "sha256-OWboCDCBHFy+PuWsFVShEqEaLEgVdZR98k9zrNIb+3s=", - "ref": "mod_stormd", - "rev": "765c7f4436db03936960373ff77dc2d41f0c4cd5", - "revCount": 2, - "type": "git", - "url": "https://git.joshuabell.xyz/dotfiles" - }, - "original": { - "ref": "mod_stormd", - "type": "git", - "url": "https://git.joshuabell.xyz/dotfiles" - } - }, - "nix-filter": { - "locked": { - "lastModified": 1710156097, - "narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=", - "owner": "numtide", - "repo": "nix-filter", - "rev": "3342559a24e85fc164b295c3444e8a139924675b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "nix-filter", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1702272962, @@ -124,22 +74,6 @@ } }, "nixpkgs_2": { - "locked": { - "lastModified": 1728888510, - "narHash": "sha256-nsNdSldaAyu6PE3YUA+YQLqUDJh+gRbBooMMekZJwvI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1737299813, "narHash": "sha256-Qw2PwmkXDK8sPQ5YQ/y/icbQ+TYgbxfjhgnkNJyT1X8=", 
@@ -155,55 +89,11 @@ "type": "github" } }, - "ringofstorms-stormd": { - "inputs": { - "nix-filter": "nix-filter", - "nixpkgs": "nixpkgs_2", - "rust-overlay": "rust-overlay" - }, - "locked": { - "lastModified": 1735420577, - "narHash": "sha256-2HWEALz0PVJCiP/2iZuDMj4qyukXR5IxNKFxT1NAMlQ=", - "ref": "refs/heads/master", - "rev": "7edf6888a460708889fabea2c762d4dfed4fa64f", - "revCount": 51, - "type": "git", - "url": "ssh://git.joshuabell.xyz:3032/stormd" - }, - "original": { - "type": "git", - "url": "ssh://git.joshuabell.xyz:3032/stormd" - } - }, "root": { "inputs": { "deploy-rs": "deploy-rs", "mod_common": "mod_common", - "mod_nebula": "mod_nebula", - "mod_ros_stormd": "mod_ros_stormd", - "nixpkgs": "nixpkgs_3" - } - }, - "rust-overlay": { - "inputs": { - "nixpkgs": [ - "mod_ros_stormd", - "ringofstorms-stormd", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729218602, - "narHash": "sha256-KDmYxpkFWa0Go0WnOpkgQOypVaQxbwgpEutET5ey1VQ=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "9051466c82b9b3a6ba9e06be99621ad25423ec94", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" + "nixpkgs": "nixpkgs_2" } }, "systems": { diff --git a/hosts/oracle/o001/flake.nix b/hosts/oracle/o001/flake.nix index a3c2df5..abf57d1 100644 --- a/hosts/oracle/o001/flake.nix +++ b/hosts/oracle/o001/flake.nix @@ -5,8 +5,6 @@ mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common"; mod_common.inputs.nixpkgs.follows = "nixpkgs"; - mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd"; - mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula"; }; outputs = @@ -28,7 +26,7 @@ "/run/agenix/nix2oracle" ]; nodes.${configuration_name} = { - hostname = "149.130.211.142"; + hostname = "64.181.210.7"; targetPlatform = "aarch64-linux"; profiles.system = { user = "root"; 
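Review bot: The deploy-rs node `hostname = "64.181.210.7";` is the same literal this commit also writes into hosts/oracle/o001/nginx.nix as a virtualHost name, so the public address now has to be changed in two files in step (the commit did exactly that for the old 149.130.211.142, which is how such values drift). Hoisting it into one binding — for example a `publicIp` in the flake's `let` that is handed to the NixOS module set through `specialArgs` or the existing `mods` attrset — would keep the two uses in sync; the exact plumbing depends on the `outputs` body, which is outside this hunk.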
@@ -63,9 +61,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90Gg6dV3yhZ5+X40vICbeBwV9rfD39/8l9QSqluTw8 nix2oracle"
 ];
 mods = {
- nebula = {
- serviceEnabled = false;
- };
 common = {
 disableRemoteBuildsOnLio = true;
 systemName = configuration_name;
diff --git a/hosts/oracle/o001/hardware-configuration.nix b/hosts/oracle/o001/hardware-configuration.nix
index ea91524..561a4d3 100644
--- a/hosts/oracle/o001/hardware-configuration.nix
+++ b/hosts/oracle/o001/hardware-configuration.nix
@@ -1,37 +1,14 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - +{ modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "virtio_scsi" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/e0a4976e-ed77-4bda-9474-160d39dc1047"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/D730-6BC3"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.eth0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux"; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub = { + efiSupport = true; + efiInstallAsRemovable = true; + device = "nodev"; + }; + fileSystems."/boot" = { device = "/dev/disk/by-uuid/92B6-AAE1"; fsType = "vfat"; }; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda3"; fsType = "xfs"; }; + swapDevices = [ { device = "/dev/sda2"; } ]; } diff --git a/hosts/oracle/o001/nginx.nix b/hosts/oracle/o001/nginx.nix index 914a658..f56bb6c 100644 --- a/hosts/oracle/o001/nginx.nix +++ b/hosts/oracle/o001/nginx.nix 
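Review bot: The new `fileSystems."/"` and `swapDevices` entries are keyed on kernel device names (`/dev/sda3`, `/dev/sda2`) while `/boot` uses a by-uuid path; with both `nvme` and `xen_blkfront` in the initrd module lists the enumeration order is not guaranteed, and a renamed disk would leave the root mount pointing at the wrong device. Prefer `device = "/dev/disk/by-uuid/<ROOT-FS-UUID>";` and `swapDevices = [ { device = "/dev/disk/by-uuid/<SWAP-UUID>"; } ];`, filling the placeholders from `blkid` on the host. The old "generated by nixos-generate-config" header is dropped, so a one-line comment stating that this file is hand-maintained (adapted from the nixos-infect install) would set expectations for the next editor; the removed `nixpkgs.hostPlatform` is presumably now supplied by the flake's nixosSystem call, which is not visible here.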
@@ -1,9 +1,7 @@ { - config, ... }: { - # JUST A TEST TODO remove containers.wasabi = { ephemeral = true; @@ -25,7 +23,7 @@ }; security.acme.acceptTerms = true; - security.acme.email = "admin@joshuabell.xyz"; + security.acme.defaults.email = "admin@joshuabell.xyz"; services.nginx = { enable = true; recommendedGzipSettings = true; @@ -34,46 +32,46 @@ recommendedTlsSettings = true; virtualHosts = { # Redirect self IP to domain - "149.130.211.142" = { + "64.181.210.7" = { locations."/" = { return = "301 https://o001.joshuabell.xyz"; }; }; - # "o001.joshuabell.xyz" = { - # enableACME = true; - # forceSSL = true; - # locations = { - # "/wasabi" = { - # proxyPass = "http://192.168.100.11/"; - # extraConfig = '' - # rewrite ^/wasabi/(.*) /$1 break; - # ''; - # }; - # "/" = { - # # return = "200 'Hello World'"; - # extraConfig = '' - # default_type text/html; - # return 200 ' - # - # - #
- # In the void you roam,
- # A page that cannot be found-
- # Turn back, seek anew. - #
- # - # - # '; - # ''; - # }; - # }; - # }; + "o001.joshuabell.xyz" = { + enableACME = true; + forceSSL = true; + locations = { + "/wasabi" = { + proxyPass = "http://192.168.100.11/"; + extraConfig = '' + rewrite ^/wasabi/(.*) /$1 break; + ''; + }; + "/" = { + # return = "200 'Hello World'"; + extraConfig = '' + default_type text/html; + return 200 ' + + +
+ In the void you roam,
+ A page that cannot be found-
+ Turn back, seek anew. +
+ + + '; + ''; + }; + }; + }; "_" = { default = true; locations."/" = { - return = "444"; # 404 for not found or 444 for drop + return = "404"; # 404 for not found or 444 for drop }; }; }; @@ -83,8 +81,4 @@ 80 # web http 443 # web https ]; - - networking.firewall.allowedUDPPorts = [ - # 4242 # nebula - ]; } diff --git a/hosts/oracle/oracle.nix b/hosts/oracle/oracle.nix deleted file mode 100644 index 8de9867..0000000 --- a/hosts/oracle/oracle.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ pkgs, ... }: -{ - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; - boot.supportedFilesystems = [ "zfs" ]; - boot.kernelParams = [ "net.ifnames=0" ]; - - networking.useDHCP = false; # deprecated flag, set to false until removed - networking = { - defaultGateway = "10.0.0.1"; - nameservers = [ "9.9.9.9" ]; - interfaces.eth0 = { - ipAddress = throw "set your own"; - prefixLength = 24; - }; - }; - - # TODO disable after first startup with ssh keys - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - settings.PasswordAuthentication = false; - }; - - # networking.usePredictableInterfaceNames = false; - # networking.useDHCP = false; # Disable DHCP globally as we will not need it. - # required for ssh? - # networking.interfaces.eth0.useDHCP = true; - - environment.systemPackages = with pkgs; [ - inetutils - mtr - sysstat - gitMinimal - vim - nano - ]; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90Gg6dV3yhZ5+X40vICbeBwV9rfD39/8l9QSqluTw8 nix2oracle" - ]; -} diff --git a/hosts/oracle/readme.md b/hosts/oracle/readme.md index e3785c0..8e4740a 100644 --- a/hosts/oracle/readme.md +++ b/hosts/oracle/readme.md 
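Review bot: The catch-all `"_"` virtualHost (`default = true`) only listens on port 80, because nothing in it enables TLS, while `forceSSL = true` on o001.joshuabell.xyz makes that block the only 443 server; nginx therefore serves the o001 content, including the `/wasabi` proxy to 192.168.100.11, for any SNI or Host name that arrives on 443, and the 444→404 change on the new side only affects plain HTTP. Adding `rejectSSL = true;` to the catch-all (`"_" = { default = true; rejectSSL = true; ... }`) makes unknown names get a rejected TLS handshake on 443 to match the 404 on 80. Separately, `"/wasabi"` is a prefix location, so `/wasabiX` is proxied as well; the deleted containers.nix used `"/wasabi/"`, which is the tighter form and matches the `rewrite ^/wasabi/(.*)` that follows it. The function this hunk sits in starts before the hunk, so the vhost attrset is only partly visible here.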
@@ -9,3 +9,10 @@ Mostly followed:
+
+ - Nixos infect worked well, ran it. It maintains the ssh pub key for root user
+ - Allow connections in oracle security
+ - > Networking > Virtual Cloud Networks > __ network __ > __ subnet __ > __ security list __
+ - Add TCP all for ports 80/443 just like 22 has
+ - copy config/hardware config and deploy
+ -