many updates, new linode server

2025-02-13 00:40:38 -06:00 · 2025-02-13 00:40:38 -06:00 · e27a4af6d2
commit e27a4af6d2
parent 343f5d7b52
20 changed files with 2528 additions and 137 deletions
--- a/hosts/linode/l002/flake.lock
+++ b/hosts/linode/l002/flake.lock
--- a/hosts/linode/l002/flake.nix
+++ b/hosts/linode/l002/flake.nix
@ -3,10 +3,11 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    deploy-rs.url = "github:serokell/deploy-rs";

+    ros_neovim.url = "git+https://git.joshuabell.xyz/nvim";
    mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
    mod_common.inputs.nixpkgs.follows = "nixpkgs";
-    mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd";
-    mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula";
+    # mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd";
+    # mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula";
  };

  outputs =
@ -28,7 +29,7 @@
          "/run/agenix/nix2linode"
        ];
        nodes.${configuration_name} = {
-          hostname = "172.234.26.141";
+          hostname = "100.64.0.4";
          profiles.system = {
            user = "root";
            path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configuration_name};
@ -55,6 +56,7 @@
              ./hardware-configuration.nix
              ./linode.nix
              ./nginx.nix
+              ../../../components/nix/tailscale.nix
              (
                { pkgs, ... }:
                {
@ -62,6 +64,11 @@
                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
                  ];
+                  components = {
+                    # NOTE we manually onboard this machine since it also hosts headscale itself and I don't want to push
+                    # the key in this config.
+                    tailscale.useSecretsAuth = false;
+                  };
                  mods = {
                    common = {
                      disableRemoteBuildsOnLio = true;
--- a/hosts/linode/l002/nginx.nix
+++ b/hosts/linode/l002/nginx.nix
@ -1,5 +1,5 @@
 {
-  config,
+  pkgs,
  ...
 }:
 {
@ -25,7 +25,7 @@
  };

  security.acme.acceptTerms = true;
-  security.acme.email = "admin@joshuabell.xyz";
+  security.acme.defaults.email = "admin@joshuabell.xyz";
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
@ -37,7 +37,7 @@
      # Note that order here doesn't matter it orders alphabetically so `0` puts it first
      # I had an issue tha the first SSL port 443 site would catch any https traffic instead
      # of hitting my default fallback and this fixes that issue and ensure this is hit instead
-      "0.joshuabell.xyz" = {
+      "002.linodes.joshuabell.xyz" = {
        default = true;
        enableACME = true;
        forceSSL = true;
@ -51,7 +51,7 @@
        forceSSL = true;
        locations."/" = {
          proxyWebsockets = true;
-          proxyPass = "http://10.20.40.104:3080";
+          proxyPass = "http://100.64.0.1:3080";
        };
      };
      "db.joshuabell.xyz" = {
@ -59,31 +59,21 @@
        forceSSL = true;
        locations."/" = {
          proxyWebsockets = true;
-          proxyPass = "http://10.20.40.104:3085";
+          proxyPass = "http://100.64.0.1:3085";
        };
      };
      "gist.joshuabell.xyz" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
-          proxyPass = "http://10.20.40.190:6157";
+          proxyPass = "http://100.64.0.2:6157";
        };
      };
      "git.joshuabell.xyz" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
-          proxyPass = "http://10.20.40.190:6610";
-        };
-      };
-      "nexus.l002.joshuabell.xyz" = {
-        locations."/" = {
-          proxyPass = "http://localhost:42291";
-        };
-      };
-      "nexus.joshuabell.xyz" = {
-        locations."/" = {
-          proxyPass = "http://localhost:42291";
+          proxyPass = "http://100.64.0.2:6610";
        };
      };

@ -153,14 +143,38 @@
    };

    # STREAMS
+    # TODO left off trying to get direct ssh working...
    streamConfig = ''
      server {
        listen 3032;
-        proxy_pass 10.20.40.190:6611;
+        proxy_pass 100.64.0.2:6611;
      }
    '';
  };

+  # Convoluted way to get ssh to work for git server while also still allowing
+  # ssh connections to the machine normally (you can't have nginx bind port 22 since sshd does)
+  # but sshd allows us to use a ForceCommand that we cna then proxy through
+  environment.systemPackages = with pkgs; [
+    # NOTE requires nc which I am getting from somewhere.... would be better to put it here in sys packs?
+    (writeScriptBin "proxy-to-git" ''
+      #!${pkgs.bash}/bin/bash
+      nc 100.64.0.2 6611
+    '')
+  ];
+
+# TODO havent gotten this fully working yet
+
+  services.openssh.extraConfig = ''
+    Match Host git.joshuabell.xyz
+      ForceCommand proxy-to-git
+      PermitTTY no
+      X11Forwarding no
+      PermitTunnel no
+      GatewayPorts no
+      AllowAgentForwarding no
+  '';
+
  networking.firewall.allowedTCPPorts = [
    80 # web http
    443 # web https