many updates, new linode server

This commit is contained in:
RingOfStorms (Joshua Bell) 2025-02-13 00:40:38 -06:00
parent 343f5d7b52
commit e27a4af6d2
20 changed files with 2528 additions and 137 deletions


@ -0,0 +1,7 @@
{
...
}:
{
boot.loader.grub.enable = true;
system.stateVersion = "24.11";
}

hosts/linode/l001/flake.lock generated Normal file

File diff suppressed because it is too large Load diff


@ -0,0 +1,93 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
deploy-rs.url = "github:serokell/deploy-rs";
ros_neovim.url = "git+https://git.joshuabell.xyz/nvim";
mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
};
outputs =
{
self,
nixpkgs,
deploy-rs,
...
}@inputs:
let
configuration_name = "l001";
lib = nixpkgs.lib;
in
{
deploy = {
sshUser = "root";
sshOpts = [
"-i"
"/run/agenix/nix2linode"
];
nodes.${configuration_name} = {
hostname = "172.236.111.33";
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configuration_name};
};
};
};
nixosConfigurations = {
nixos = self.nixosConfigurations.${configuration_name};
"${configuration_name}" =
let
auto_modules = builtins.concatMap (
input:
lib.optionals
(builtins.hasAttr "nixosModules" input && builtins.hasAttr "default" input.nixosModules)
[
input.nixosModules.default
]
) (builtins.attrValues inputs);
in
(lib.nixosSystem {
modules = [
./configuration.nix
./hardware-configuration.nix
./linode.nix
./nginx.nix
./headscale.nix
(
{ pkgs, ... }:
{
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
];
mods = {
common = {
disableRemoteBuildsOnLio = true;
systemName = configuration_name;
allowUnfree = true;
primaryUser = "luser";
docker = true;
users = {
luser = {
extraGroups = [
"wheel"
"networkmanager"
];
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
];
};
};
};
};
}
)
] ++ auto_modules;
specialArgs = {
inherit inputs;
};
});
};
};
}
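Review bot: `mod_common.url` here carries no `inputs.nixpkgs.follows = "nixpkgs"`, while the l002 flake in this same commit adds exactly that line, so l001 will fetch and evaluate a second nixpkgs pinned by the mod_common branch instead of the nixos-24.11 declared at the top; adding `mod_common.inputs.nixpkgs.follows = "nixpkgs";` keeps the two hosts consistent. The `auto_modules` fold also imports `nixosModules.default` from every input implicitly, so any branch of git.joshuabell.xyz/dotfiles that gains a default module is applied to this host on the next lock bump without ever appearing in the `modules` list; a comment such as `# every input exposing nixosModules.default is applied implicitly -- review flake.lock bumps with that in mind` would make that visible to the next reader. The nix2linode public key is listed for both root and luser here, and linode.nix additionally copies luser's keys onto root, so one of those two lists is redundant.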


@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/42a30f9c-b113-4b14-87b3-a9cfe44adf62";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s5.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,24 @@
{ pkgs, ... }:
{
config = {
# TODO backup /var/lib/headscale data
# TODO https://github.com/gurucomputing/headscale-ui ?
environment.systemPackages = with pkgs; [ headscale ];
services.headscale = {
enable = true;
settings = {
server_url = "https://nexus.joshuabell.xyz";
database.type = "sqlite3";
derp = {
auto_update_enable = true;
update_frequency = "5m";
};
dns = {
magic_dns = true;
base_domain = "net.joshuabell.xyz";
};
};
};
};
}
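Review bot: `server_url = "https://nexus.joshuabell.xyz"` does not match the only headscale vhost in this host's nginx.nix, which proxies `headscale.joshuabell.xyz` to localhost:8080, and the `nexus.joshuabell.xyz` vhosts are removed from l002's nginx in this same commit; clients configured from this server_url will land on the default `001.linodes` vhost here and get a 444 unless nexus is served from somewhere outside this diff. Either change it to `server_url = "https://headscale.joshuabell.xyz";` or add a `"nexus.joshuabell.xyz"` vhost with the same proxyPass. The 127.0.0.1:8080 target appears to rely on the NixOS module's default `listen_addr`; stating `settings.listen_addr = "127.0.0.1:8080";` here keeps the two files from drifting. The `# TODO backup /var/lib/headscale data` line is the right concern, since that directory holds the sqlite database (and, as far as I recall, the server's private keys), so losing it means re-enrolling every node.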


@ -0,0 +1,32 @@
{ config, pkgs, ... }:
{
# https://www.linode.com/docs/guides/install-nixos-on-linode/#configure-nixos
boot.kernelParams = [ "console=ttyS0,19200n8" ];
boot.loader.grub.extraConfig = ''
serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
terminal_input serial;
terminal_output serial
'';
boot.loader.grub.forceInstall = true;
boot.loader.grub.device = "nodev";
boot.loader.timeout = 10;
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
settings.PasswordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keys = config.users.users.luser.openssh.authorizedKeys.keys;
networking.usePredictableInterfaceNames = false;
networking.useDHCP = false; # Disable DHCP globally as we will not need it.
# required for ssh?
networking.interfaces.eth0.useDHCP = true;
environment.systemPackages = with pkgs; [
inetutils
mtr
sysstat
];
}
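Review bot: `settings.PermitRootLogin = "yes"` is broader than the key-only root login the rest of this file sets up; since deploy-rs connects as root with a key, `settings.PermitRootLogin = "prohibit-password";` gives the same access while guaranteeing root can never log in by password even if `PasswordAuthentication` is later flipped. `PasswordAuthentication = false` on its own does not disable keyboard-interactive (PAM) password prompts, so adding `settings.KbdInteractiveAuthentication = false;` closes that path as well. The `users.users.root.openssh.authorizedKeys.keys = config.users.users.luser...` assignment is merged with the root key list in flake.nix rather than replacing it, so root ends up with both; a comment stating that would save the next reader from wondering which list wins. The `# required for ssh?` question on `eth0.useDHCP` should be resolved into a statement of why the interface needs DHCP while `networking.useDHCP` is off globally.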


@ -0,0 +1,52 @@
{
...
}:
{
security.acme.acceptTerms = true;
security.acme.email = "admin@joshuabell.xyz";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
# default that is put first for fallbacks
# Note that order here doesn't matter it orders alphabetically so `0` puts it first
# I had an issue tha the first SSL port 443 site would catch any https traffic instead
# of hitting my default fallback and this fixes that issue and ensure this is hit instead
"001.linodes.joshuabell.xyz" = {
default = true;
enableACME = true;
forceSSL = true;
locations."/" = {
return = "444"; # 404 for not found or 444 for drop
};
};
"172.236.111.33" = {
locations."/" = {
return = "444";
};
};
"2600:3c06::f03c:95ff:fe1c:84d3" = {
locations."/" = {
return = "444";
};
};
"headscale.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:8080"; # headscale
};
};
};
};
networking.firewall.allowedTCPPorts = [
80 # web http
443 # web https
];
}
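Review bot: `security.acme.email` is the older alias that l002's nginx.nix migrates to `security.acme.defaults.email` in this same commit; using `security.acme.defaults.email = "admin@joshuabell.xyz";` here avoids the deprecation path and keeps the two hosts identical. The `return = "444"` fallback vhosts are the right way to drop requests for unknown Host headers, but the comment `# 404 for not found or 444 for drop` reads as an open choice; `# 444: nginx closes the connection without a response, so unknown hosts learn nothing` states the intent. For the headscale location, the websocket upgrade is covered by `proxyWebsockets`, but long-polling clients usually also want `extraConfig = "proxy_buffering off;";` on that location; I cannot confirm from this diff whether `recommendedProxySettings` already sets it.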

File diff suppressed because it is too large Load diff


@ -3,10 +3,11 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
deploy-rs.url = "github:serokell/deploy-rs";
ros_neovim.url = "git+https://git.joshuabell.xyz/nvim";
mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
mod_common.inputs.nixpkgs.follows = "nixpkgs";
mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd";
mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula";
# mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd";
# mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula";
};
outputs =
@ -28,7 +29,7 @@
"/run/agenix/nix2linode"
];
nodes.${configuration_name} = {
hostname = "172.234.26.141";
hostname = "100.64.0.4";
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configuration_name};
@ -55,6 +56,7 @@
./hardware-configuration.nix
./linode.nix
./nginx.nix
../../../components/nix/tailscale.nix
(
{ pkgs, ... }:
{
@ -62,6 +64,11 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
];
components = {
# NOTE we manually onboard this machine since it also hosts headscale itself and I don't want to push
# the key in this config.
tailscale.useSecretsAuth = false;
};
mods = {
common = {
disableRemoteBuildsOnLio = true;
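Review bot: The `# NOTE we manually onboard this machine since it also hosts headscale itself` comment above `tailscale.useSecretsAuth = false` conflicts with the rest of this commit, which adds headscale.nix under l001 and removes the `nexus.joshuabell.xyz` proxy to localhost:42291 from l002's nginx.nix; unless headscale still runs here via a file outside the diff, reword it to state the actual reason, e.g. `# onboarded by hand: no tailscale auth key is committed for this host`. Changing `hostname` from the public address to `100.64.0.4` means deploy-rs can reach l002 only through the tailnet, so a broken tailscale on either end locks out the declarative deploy path; keeping `# public fallback: 172.234.26.141` next to it, or a second node entry, documents the recovery route. The enclosing `mods.common` block continues past the end of this hunk.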


@ -1,5 +1,5 @@
{
config,
pkgs,
...
}:
{
@ -25,7 +25,7 @@
};
security.acme.acceptTerms = true;
security.acme.email = "admin@joshuabell.xyz";
security.acme.defaults.email = "admin@joshuabell.xyz";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
@ -37,7 +37,7 @@
# Note that order here doesn't matter it orders alphabetically so `0` puts it first
# I had an issue tha the first SSL port 443 site would catch any https traffic instead
# of hitting my default fallback and this fixes that issue and ensure this is hit instead
"0.joshuabell.xyz" = {
"002.linodes.joshuabell.xyz" = {
default = true;
enableACME = true;
forceSSL = true;
@ -51,7 +51,7 @@
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://10.20.40.104:3080";
proxyPass = "http://100.64.0.1:3080";
};
};
"db.joshuabell.xyz" = {
@ -59,31 +59,21 @@
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://10.20.40.104:3085";
proxyPass = "http://100.64.0.1:3085";
};
};
"gist.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.20.40.190:6157";
proxyPass = "http://100.64.0.2:6157";
};
};
"git.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://10.20.40.190:6610";
};
};
"nexus.l002.joshuabell.xyz" = {
locations."/" = {
proxyPass = "http://localhost:42291";
};
};
"nexus.joshuabell.xyz" = {
locations."/" = {
proxyPass = "http://localhost:42291";
proxyPass = "http://100.64.0.2:6610";
};
};
@ -153,14 +143,38 @@
};
# STREAMS
# TODO left off trying to get direct ssh working...
streamConfig = ''
server {
listen 3032;
proxy_pass 10.20.40.190:6611;
proxy_pass 100.64.0.2:6611;
}
'';
};
# Convoluted way to get ssh to work for git server while also still allowing
# ssh connections to the machine normally (you can't have nginx bind port 22 since sshd does)
# but sshd allows us to use a ForceCommand that we cna then proxy through
environment.systemPackages = with pkgs; [
# NOTE requires nc which I am getting from somewhere.... would be better to put it here in sys packs?
(writeScriptBin "proxy-to-git" ''
#!${pkgs.bash}/bin/bash
nc 100.64.0.2 6611
'')
];
# TODO havent gotten this fully working yet
services.openssh.extraConfig = ''
Match Host git.joshuabell.xyz
ForceCommand proxy-to-git
PermitTTY no
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
'';
networking.firewall.allowedTCPPorts = [
80 # web http
443 # web https
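Review bot: `Match Host git.joshuabell.xyz` cannot do what the surrounding comment wants: sshd's `Host` criterion tests the client's reverse-DNS name, and the SSH protocol carries no server-name indication, so the name a client typed is invisible to sshd and this block will never match ordinary users, which is consistent with the `# TODO havent gotten this fully working yet` note. Match instead on something sshd can see, typically a dedicated local user (`Match User git`) whose authorized_keys carry the keys the upstream git server would accept, or `Match LocalAddress` if git.joshuabell.xyz resolves to its own address; otherwise the existing stream proxy on port 3032 remains the working path. If the block is kept, add `AllowTcpForwarding no`, because `GatewayPorts no` alone still permits `-L` forwarding and a matched session could reach 100.64.0.x hosts through this box, and pin the binary in `proxy-to-git` instead of relying on `nc` being on PATH, e.g. `exec ${pkgs.netcat-openbsd}/bin/nc 100.64.0.2 6611`. The `networking.firewall.allowedTCPPorts` list continues past the end of this hunk.
```nix
  environment.systemPackages = with pkgs; [
    (writeScriptBin "proxy-to-git" ''
      #!${pkgs.bash}/bin/bash
      # pinned: do not depend on whichever nc happens to be on PATH
      exec ${pkgs.netcat-openbsd}/bin/nc 100.64.0.2 6611
    '')
  ];
  services.openssh.extraConfig = ''
    # sshd cannot see the hostname the client connected to (no SNI in SSH);
    # `Match Host` tests the client's reverse DNS, so match on a local user instead.
    Match User git
      ForceCommand proxy-to-git
      AllowTcpForwarding no
      PermitTTY no
      X11Forwarding no
      PermitTunnel no
      GatewayPorts no
      AllowAgentForwarding no
  '';
  # … unchanged: networking.firewall.allowedTCPPorts …
```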


@ -34,6 +34,6 @@
];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
];
}
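Review bot: Adding `nix2linode` to root's authorized_keys here means the same deploy key now opens root on both l001 (its flake.nix in this commit) and l002, so a single leaked `/run/agenix/nix2linode` is root on every linode. If that key is only ever used from the deploy host, prefixing the entry with an options field such as `from="<deployer address>",restrict ssh-ed25519 ...` limits where it can be used from; verify that deploy-rs still works under `restrict` before relying on it.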

hosts/lio/flake.lock generated

@ -235,11 +235,11 @@
"ragenix": "ragenix"
},
"locked": {
"lastModified": 1737492763,
"narHash": "sha256-AMh+4cqU9bhOQ85du76RsJ78ip1yDaiTtModlpREMSI=",
"lastModified": 1739385513,
"narHash": "sha256-AXTDMr+MMfstK91k2ZWsYuU4vbR18DyK3cyiQO6t6C0=",
"ref": "mod_secrets",
"rev": "b45dd1d219a656c52cde4b98c509c36ed1833ae0",
"revCount": 11,
"rev": "dc68d4f568d3bdf7d39af68a81432c77869f5749",
"revCount": 14,
"type": "git",
"url": "https://git.joshuabell.xyz/dotfiles"
},


@ -41,7 +41,7 @@
./hardware-configuration.nix
./containers.nix
(
{ pkgs, ... }:
{ config, pkgs, ... }:
{
imports = [
../../components/nix/lua.nix
@ -49,6 +49,7 @@
../../components/nix/qflipper.nix
../../components/nix/qdirstat.nix
../../components/nix/steam.nix
../../components/nix/tailscale.nix
];
environment.systemPackages = with pkgs; [


@ -1,4 +1,11 @@
Mostly followed: https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
# Steps
Mostly followed: <https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/>
- kexectools -> kexec-tools
- create mnt/boot after mounting mnt
- copy over oracle.nix and import for first nixos-install
# TODO
- check out <https://github.com/elitak/nixos-infect>