ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

o001 works finally

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2025-03-08 22:48:25 -06:00
parent bb9cd5d9c4
commit 5fd49b6456
10 changed files with 60 additions and 386 deletions
Download patch file Download diff file Expand all files Collapse all files

29
hosts/linode/l002/nginx.nix
View file

@ -151,7 +151,6 @@
};
# STREAMS
# TODO left off trying to get direct ssh working...
streamConfig = ''
server {
listen 3032;
@ -160,37 +159,9 @@
'';
};
# this breaks on restart on the server side no idea, can no longer ssh in 22 normally
# Convoluted way to get ssh to work for git server while also still allowing
# ssh connections to the machine normally (you can't have nginx bind port 22 since sshd does)
# but sshd allows us to use a ForceCommand that we cna then proxy through
# environment.systemPackages = with pkgs; [
# # NOTE requires nc which I am getting from somewhere.... would be better to put it here in sys packs?
# (writeScriptBin "proxy-to-git" ''
# #!${pkgs.bash}/bin/bash
# nc 100.64.0.2 6611
# '')
# ];
#
# # TODO havent gotten this fully working yet
#
# services.openssh.extraConfig = ''
# Match Host git.joshuabell.xyz
# ForceCommand proxy-to-git
# PermitTTY no
# X11Forwarding no
# PermitTunnel no
# GatewayPorts no
# AllowAgentForwarding no
# '';
networking.firewall.allowedTCPPorts = [
80 # web http
443 # web https
3032 # git ssh stream
];
networking.firewall.allowedUDPPorts = [
4242 # nebula
];
}

29
hosts/oracle/o001/configuration.nix
View file

@ -1,24 +1,9 @@
{ config, lib, pkgs, ... }:
{ ... }:
{
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
system.stateVersion = "25.05"; # Did you read the comment?
# boot.supportedFilesystems = [ "zfs" ];
boot.kernelParams = [ "net.ifnames=0" ];
networking.useDHCP = false; # deprecated flag, set to false until removed
networking = {
defaultGateway = "10.0.0.1";
nameservers = [ "9.9.9.9" ];
interfaces.eth0 = {
ipAddress = "149.130.211.142";
prefixLength = 24;
};
};
networking.firewall.enable = true;
networking.firewall.allowPing = true;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = false;
networking.hostName = "o001";
networking.domain = "subnet01171946.vcn01171946.oraclevcn.com";
services.openssh.enable = true;
system.stateVersion = "23.11";
}

63
hosts/oracle/o001/containers.nix
View file

@ -1,63 +0,0 @@
{
config,
...
}:
{
# NOTE some useful links
# nixos containers: https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html
# https://nixos.wiki/wiki/NixOS_Containers
options = {};
imports = [
./containers/tests.nix
];
config = {
## Give internet access
# networking.nat.enable = true;
# networking.nat.internalInterfaces = [ "ve-*" ];
# networking.nat.externalInterface = "eth0";
virtualisation.oci-containers.backend = "docker";
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin@joshuabell.xyz";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"local.belljm.com" = {
# enableACME = true;
# forceSSL = true;
locations."/".proxyPass = "http://${config.containers.wasabi.localAddress}:80";
};
"127.0.0.1" = {
locations."/wasabi/" = {
extraConfig = ''
rewrite ^/wasabi/(.*) /$1 break;
'';
proxyPass = "http://${config.containers.wasabi.localAddress}:80/";
};
locations."/" = {
return = "404"; # or 444 for drop
};
};
"_" = {
default = true;
locations."/" = {
return = "404"; # or 444 for drop
};
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
};
}

39
hosts/oracle/o001/containers/tests.nix
View file

@ -1,39 +0,0 @@
{
...
}:
{
options = { };
config = {
# Random test, visit http://192.168.100.11/
containers.wasabi = {
ephemeral = true;
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.2";
localAddress = "192.168.100.11";
config =
{ config, pkgs, ... }:
{
system.stateVersion = "24.11";
services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
};
};
};
virtualisation.oci-containers.containers = {
# Example of defining a container, visit http://localhost:8085/
"nginx_simple" = {
# autoStart = true; this is default true
image = "nginx:latest";
ports = [
"127.0.0.1:8085:80"
];
};
};
};
}

112
hosts/oracle/o001/flake.lock generated
View file

@ -57,56 +57,6 @@
"url": "https://git.joshuabell.xyz/dotfiles"
}
},
"mod_nebula": {
"locked": {
"lastModified": 1737504380,
"narHash": "sha256-fCUUWkXAzsJDdZuGoG4GhAMdGld4J8cvDtzo6SlB9Dg=",
"ref": "mod_nebula",
"rev": "70cea59e9f1f750fd0aee8cde8cd54aee8601336",
"revCount": 5,
"type": "git",
"url": "https://git.joshuabell.xyz/dotfiles"
},
"original": {
"ref": "mod_nebula",
"type": "git",
"url": "https://git.joshuabell.xyz/dotfiles"
}
},
"mod_ros_stormd": {
"inputs": {
"ringofstorms-stormd": "ringofstorms-stormd"
},
"locked": {
"lastModified": 1736544199,
"narHash": "sha256-OWboCDCBHFy+PuWsFVShEqEaLEgVdZR98k9zrNIb+3s=",
"ref": "mod_stormd",
"rev": "765c7f4436db03936960373ff77dc2d41f0c4cd5",
"revCount": 2,
"type": "git",
"url": "https://git.joshuabell.xyz/dotfiles"
},
"original": {
"ref": "mod_stormd",
"type": "git",
"url": "https://git.joshuabell.xyz/dotfiles"
}
},
"nix-filter": {
"locked": {
"lastModified": 1710156097,
"narHash": "sha256-1Wvk8UP7PXdf8bCCaEoMnOT1qe5/Duqgj+rL8sRQsSM=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "3342559a24e85fc164b295c3444e8a139924675b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "nix-filter",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702272962,
@ -124,22 +74,6 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728888510,
"narHash": "sha256-nsNdSldaAyu6PE3YUA+YQLqUDJh+gRbBooMMekZJwvI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1737299813,
"narHash": "sha256-Qw2PwmkXDK8sPQ5YQ/y/icbQ+TYgbxfjhgnkNJyT1X8=",
@ -155,55 +89,11 @@
"type": "github"
}
},
"ringofstorms-stormd": {
"inputs": {
"nix-filter": "nix-filter",
"nixpkgs": "nixpkgs_2",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1735420577,
"narHash": "sha256-2HWEALz0PVJCiP/2iZuDMj4qyukXR5IxNKFxT1NAMlQ=",
"ref": "refs/heads/master",
"rev": "7edf6888a460708889fabea2c762d4dfed4fa64f",
"revCount": 51,
"type": "git",
"url": "ssh://git.joshuabell.xyz:3032/stormd"
},
"original": {
"type": "git",
"url": "ssh://git.joshuabell.xyz:3032/stormd"
}
},
"root": {
"inputs": {
"deploy-rs": "deploy-rs",
"mod_common": "mod_common",
"mod_nebula": "mod_nebula",
"mod_ros_stormd": "mod_ros_stormd",
"nixpkgs": "nixpkgs_3"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"mod_ros_stormd",
"ringofstorms-stormd",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729218602,
"narHash": "sha256-KDmYxpkFWa0Go0WnOpkgQOypVaQxbwgpEutET5ey1VQ=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "9051466c82b9b3a6ba9e06be99621ad25423ec94",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
"nixpkgs": "nixpkgs_2"
}
},
"systems": {

7
hosts/oracle/o001/flake.nix
View file

@ -5,8 +5,6 @@
mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
mod_common.inputs.nixpkgs.follows = "nixpkgs";
mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd";
mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula";
};
outputs =
@ -28,7 +26,7 @@
"/run/agenix/nix2oracle"
];
nodes.${configuration_name} = {
hostname = "149.130.211.142";
hostname = "64.181.210.7";
targetPlatform = "aarch64-linux";
profiles.system = {
user = "root";
@ -63,9 +61,6 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90Gg6dV3yhZ5+X40vICbeBwV9rfD39/8l9QSqluTw8 nix2oracle"
];
mods = {
nebula = {
serviceEnabled = false;
};
common = {
disableRemoteBuildsOnLio = true;
systemName = configuration_name;

45
hosts/oracle/o001/hardware-configuration.nix
View file

@ -1,37 +1,14 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "virtio_scsi" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e0a4976e-ed77-4bda-9474-160d39dc1047";
fsType = "ext4";
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D730-6BC3";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
fileSystems."/boot" = { device = "/dev/disk/by-uuid/92B6-AAE1"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda3"; fsType = "xfs"; };
swapDevices = [ { device = "/dev/sda2"; } ];
}

70
hosts/oracle/o001/nginx.nix
View file

@ -1,9 +1,7 @@
{
config,
...
}:
{
# JUST A TEST TODO remove
containers.wasabi = {
ephemeral = true;
@ -25,7 +23,7 @@
};
security.acme.acceptTerms = true;
security.acme.email = "admin@joshuabell.xyz";
security.acme.defaults.email = "admin@joshuabell.xyz";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
@ -34,46 +32,46 @@
recommendedTlsSettings = true;
virtualHosts = {
# Redirect self IP to domain
"149.130.211.142" = {
"64.181.210.7" = {
locations."/" = {
return = "301 https://o001.joshuabell.xyz";
};
};
# "o001.joshuabell.xyz" = {
# enableACME = true;
# forceSSL = true;
# locations = {
# "/wasabi" = {
# proxyPass = "http://192.168.100.11/";
# extraConfig = ''
# rewrite ^/wasabi/(.*) /$1 break;
# '';
# };
# "/" = {
# # return = "200 '<html>Hello World</html>'";
# extraConfig = ''
# default_type text/html;
# return 200 '
# <html>
# <body style="width:100vw;height:100vh;overflow:hidden">
# <div style="display: flex;width:100vw;height:100vh;justify-content: center;align-items:center;text-align:center;overflow:hidden">
# In the void you roam,</br>
# A page that cannot be found-</br>
# Turn back, seek anew.
# </div>
# </body>
# </html>
# ';
# '';
# };
# };
# };
"o001.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations = {
"/wasabi" = {
proxyPass = "http://192.168.100.11/";
extraConfig = ''
rewrite ^/wasabi/(.*) /$1 break;
'';
};
"/" = {
# return = "200 '<html>Hello World</html>'";
extraConfig = ''
default_type text/html;
return 200 '
<html>
<body style="width:100vw;height:100vh;overflow:hidden">
<div style="display: flex;width:100vw;height:100vh;justify-content: center;align-items:center;text-align:center;overflow:hidden">
In the void you roam,</br>
A page that cannot be found-</br>
Turn back, seek anew.
</div>
</body>
</html>
';
'';
};
};
};
"_" = {
default = true;
locations."/" = {
return = "444"; # 404 for not found or 444 for drop
return = "404"; # 404 for not found or 444 for drop
};
};
};
@ -83,8 +81,4 @@
80 # web http
443 # web https
];
networking.firewall.allowedUDPPorts = [
# 4242 # nebula
];
}

43
hosts/oracle/oracle.nix
View file

@ -1,43 +0,0 @@
{ pkgs, ... }:
{
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
nix.settings.experimental-features = [ "nix-command" "flakes" ];
boot.supportedFilesystems = [ "zfs" ];
boot.kernelParams = [ "net.ifnames=0" ];
networking.useDHCP = false; # deprecated flag, set to false until removed
networking = {
defaultGateway = "10.0.0.1";
nameservers = [ "9.9.9.9" ];
interfaces.eth0 = {
ipAddress = throw "set your own";
prefixLength = 24;
};
};
# TODO disable after first startup with ssh keys
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
settings.PasswordAuthentication = false;
};
# networking.usePredictableInterfaceNames = false;
# networking.useDHCP = false; # Disable DHCP globally as we will not need it.
# required for ssh?
# networking.interfaces.eth0.useDHCP = true;
environment.systemPackages = with pkgs; [
inetutils
mtr
sysstat
gitMinimal
vim
nano
];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90Gg6dV3yhZ5+X40vICbeBwV9rfD39/8l9QSqluTw8 nix2oracle"
];
}

7
hosts/oracle/readme.md
View file

@ -9,3 +9,10 @@ Mostly followed: <https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-
# TODO
- check out <https://github.com/elitak/nixos-infect>
- Nixos infect worked well, ran it. It maintains the ssh pub key for root user
- Allow connections in oracle security
- > Networking > Virtual Cloud Networks > __ network __ > __ subnet __ > __ security list __
- Add TCP all for ports 80/443 just like 22 has
- copy config/hardware config and deploy
-