many updates, new linode server

components/containers/affine.nix

@@ -53,7 +53,7 @@ in
         user = "root";
         image = "ghcr.io/toeverything/affine-graphql:stable";
         ports = [
-          "10.20.40.104:${toString cfg.port}:${toString cfg.port}"
+          "${toString cfg.port}:${toString cfg.port}"
         ];
         dependsOn = [
           "affine_redis"

components/containers/librechat.nix

@@ -50,7 +50,7 @@ in
         user = "root";
         image = "ghcr.io/danny-avila/librechat-dev:latest";
         ports = [
-          "10.20.40.104:${toString cfg.port}:${toString cfg.port}"
+          "${toString cfg.port}:${toString cfg.port}"
         ];
         dependsOn = [
           "librechat_mongodb"
@@ -74,7 +74,7 @@ in
         ];
         extraOptions = [
           "--network=librechat-network"
-          "--add-host=azureproxy:10.20.40.180"
+          "--add-host=azureproxy:10.20.40.180" # TODO change to T
         ];
       };
 

components/containers/pgadmin.nix

@@ -34,7 +34,7 @@ in
         user = "root";
         image = "dpage/pgadmin4:latest";
         ports = [
-          "10.20.40.104:${toString cfg.port}:${toString cfg.port}"
+          "${toString cfg.port}:${toString cfg.port}"
         ];
         environment = {
           PGADMIN_LISTEN_PORT = toString cfg.port;

components/hm/ssh.nix

@@ -6,6 +6,10 @@ in
   # TODO can I put all IP's in the flake.nix top level settings and pull them in here instead?
   programs.ssh = {
     enable = true;
+    extraConfig = ''
+      Host *
+        SetEnv TERM=xterm-256color
+    '';
     matchBlocks = {
       # EXTERNAL
       "github.com" = {
@@ -16,12 +20,11 @@ in
       };
       "git.joshuabell.xyz" = {
         identityFile = age.secrets.nix2gitjosh.path;
-        port = 3032;
+        user = "git";
       };
       # PERSONAL DEVICES
       "lio" = {
         identityFile = age.secrets.nix2lio.path;
-        hostname = "10.20.40.104";
         user = "josh";
       };
       "lio_" = {
@@ -31,22 +34,18 @@ in
       };
       "oren" = {
         identityFile = age.secrets.nix2oren.path;
-        hostname = "10.20.40.105";
         user = "josh";
       };
       "joe" = {
         identityFile = age.secrets.nix2joe.path;
-        hostname = "10.20.40.102";
         user = "josh";
       };
       "gpdPocket3" = {
         identityFile = age.secrets.nix2gpdPocket3.path;
-        hostname = "10.20.40.103";
         user = "josh";
       };
       "t" = {
         identityFile = age.secrets.nix2t.path;
-        hostname = "10.20.40.180";
         user = "joshua.bell";
         localForwards = [
           # {
@@ -66,7 +65,6 @@ in
       };
       "mbptv" = {
         identityFile = age.secrets.nix2gpdPocket3.path;
-        hostname = "10.20.40.109";
         user = "waka";
         setEnv = {
           TERM = "vt100";
@@ -82,28 +80,23 @@ in
       };
       "nothing1" = {
         identityFile = age.secrets.nix2gpdPocket3.path;
-        hostname = "10.20.40.124";
         user = "TODO";
       };
       "ipad1" = {
         identityFile = age.secrets.nix2gpdPocket3.path;
-        hostname = "10.20.40.125";
         user = "TODO";
       };
       "tab1" = {
         identityFile = age.secrets.nix2gpdPocket3.path;
-        hostname = "10.20.40.120";
         user = "TODO";
       };
       "pixel6" = {
         identityFile = age.secrets.nix2gpdPocket3.path;
-        hostname = "10.20.40.126"; # TODO ON BOARD
         user = "TODO";
       };
       # HOME SERVERS
       "h001" = {
         identityFile = age.secrets.nix2h001.path;
-        hostname = "10.20.40.190";
         user = "root";
       };
       "h001_" = {
@@ -113,10 +106,14 @@ in
       };
       "h002" = {
         identityFile = age.secrets.nix2h002.path;
-        hostname = "10.20.40.191";
         user = "luser";
       };
       # LINODE SERVERS
+      "l001" = {
+        identityFile = age.secrets.nix2linode.path;
+        hostname = "172.236.111.33";
+        user = "root";
+      };
       "l002_" = {
         identityFile = age.secrets.nix2linode.path;
         hostname = "172.234.26.141";
@@ -124,8 +121,7 @@ in
       };
       "l002" = {
         identityFile = age.secrets.nix2linode.path;
-        hostname = "10.20.40.1";
+        user = "root";
-        user = "luser";
       };
     };
   };

components/hm/tmux/tmux-reset.conf

@@ -55,7 +55,7 @@ bind C-d detach
 # ==========
 # My options
 set-option -g terminal-overrides ',xterm-256color:RGB'
-set-option -sa terminal-features ',kitty:LRGB'
+set-option -sa terminal-features ',xterm:LRGB'
 set -g detach-on-destroy off
 set -g renumber-windows on
 set -g status-position top

components/nix/tailscale.nix

@@ -0,0 +1,36 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  options.components.tailscale = {
+    useSecretsAuth = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Whether to use secrets authentication for Tailscale";
+    };
+    useHeadscale = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Whether to use headscale login server.";
+    };
+  };
+
+  config = {
+    environment.systemPackages = with pkgs; [ tailscale ];
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      useRoutingFeatures = "client";
+      authKeyFile = lib.mkIf config.components.tailscale.useSecretsAuth config.age.secrets.headscale_auth.path;
+      # https://tailscale.com/kb/1241/tailscale-up
+      extraUpFlags = lib.mkIf config.components.tailscale.useHeadscale [
+        "--login-server=https://headscale.joshuabell.xyz"
+      ];
+    };
+    networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    networking.firewall.checkReversePath = "loose";
+  };
+}

hosts/linode/l001/configuration.nix

@@ -0,0 +1,7 @@
+{
+  ...
+}:
+{
+  boot.loader.grub.enable = true;
+  system.stateVersion = "24.11";
+}

hosts/linode/l001/flake.nix

@@ -0,0 +1,93 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    deploy-rs.url = "github:serokell/deploy-rs";
+
+    ros_neovim.url = "git+https://git.joshuabell.xyz/nvim";
+    mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      deploy-rs,
+      ...
+    }@inputs:
+    let
+      configuration_name = "l001";
+      lib = nixpkgs.lib;
+    in
+    {
+      deploy = {
+        sshUser = "root";
+        sshOpts = [
+          "-i"
+          "/run/agenix/nix2linode"
+        ];
+        nodes.${configuration_name} = {
+          hostname = "172.236.111.33";
+          profiles.system = {
+            user = "root";
+            path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configuration_name};
+          };
+        };
+      };
+
+      nixosConfigurations = {
+        nixos = self.nixosConfigurations.${configuration_name};
+        "${configuration_name}" =
+          let
+            auto_modules = builtins.concatMap (
+              input:
+              lib.optionals
+                (builtins.hasAttr "nixosModules" input && builtins.hasAttr "default" input.nixosModules)
+                [
+                  input.nixosModules.default
+                ]
+            ) (builtins.attrValues inputs);
+          in
+          (lib.nixosSystem {
+            modules = [
+              ./configuration.nix
+              ./hardware-configuration.nix
+              ./linode.nix
+              ./nginx.nix
+              ./headscale.nix
+              (
+                { pkgs, ... }:
+                {
+                  users.users.root.openssh.authorizedKeys.keys = [
+                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
+                  ];
+                  mods = {
+                    common = {
+                      disableRemoteBuildsOnLio = true;
+                      systemName = configuration_name;
+                      allowUnfree = true;
+                      primaryUser = "luser";
+                      docker = true;
+                      users = {
+                        luser = {
+                          extraGroups = [
+                            "wheel"
+                            "networkmanager"
+                          ];
+                          isNormalUser = true;
+                          openssh.authorizedKeys.keys = [
+                            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
+                          ];
+                        };
+                      };
+                    };
+                  };
+                }
+              )
+            ] ++ auto_modules;
+            specialArgs = {
+              inherit inputs;
+            };
+          });
+      };
+    };
+}

hosts/linode/l001/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/42a30f9c-b113-4b14-87b3-a9cfe44adf62";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f1408ea6-59a0-11ed-bc9d-525400000001"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s5.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/linode/l001/headscale.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+{
+
+  config = {
+    # TODO backup /var/lib/headscale data
+    # TODO https://github.com/gurucomputing/headscale-ui ?
+    environment.systemPackages = with pkgs; [ headscale ];
+    services.headscale = {
+      enable = true;
+      settings = {
+        server_url = "https://nexus.joshuabell.xyz";
+        database.type = "sqlite3";
+        derp = {
+          auto_update_enable = true;
+          update_frequency = "5m";
+        };
+        dns = {
+          magic_dns = true;
+          base_domain = "net.joshuabell.xyz";
+        };
+      };
+    };
+  };
+}

hosts/linode/l001/linode.nix

@@ -0,0 +1,32 @@
+{ config, pkgs, ... }:
+{
+  # https://www.linode.com/docs/guides/install-nixos-on-linode/#configure-nixos
+  boot.kernelParams = [ "console=ttyS0,19200n8" ];
+  boot.loader.grub.extraConfig = ''
+    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+    terminal_input serial;
+    terminal_output serial
+  '';
+
+  boot.loader.grub.forceInstall = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.timeout = 10;
+
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "yes";
+    settings.PasswordAuthentication = false;
+  };
+  users.users.root.openssh.authorizedKeys.keys = config.users.users.luser.openssh.authorizedKeys.keys;
+
+  networking.usePredictableInterfaceNames = false;
+  networking.useDHCP = false; # Disable DHCP globally as we will not need it.
+  # required for ssh?
+  networking.interfaces.eth0.useDHCP = true;
+
+  environment.systemPackages = with pkgs; [
+    inetutils
+    mtr
+    sysstat
+  ];
+}

hosts/linode/l001/nginx.nix

@@ -0,0 +1,52 @@
+{
+  ...
+}:
+{
+  security.acme.acceptTerms = true;
+  security.acme.email = "admin@joshuabell.xyz";
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      # default that is put first for fallbacks
+      # Note that order here doesn't matter it orders alphabetically so `0` puts it first
+      # I had an issue tha the first SSL port 443 site would catch any https traffic instead
+      # of hitting my default fallback and this fixes that issue and ensure this is hit instead
+      "001.linodes.joshuabell.xyz" = {
+        default = true;
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          return = "444"; # 404 for not found or 444 for drop
+        };
+      };
+      "172.236.111.33" = {
+        locations."/" = {
+          return = "444";
+        };
+      };
+      "2600:3c06::f03c:95ff:fe1c:84d3" = {
+        locations."/" = {
+          return = "444";
+        };
+      };
+
+      "headscale.joshuabell.xyz" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyWebsockets = true;
+          proxyPass = "http://localhost:8080"; # headscale
+        };
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80 # web http
+    443 # web https
+  ];
+}

hosts/linode/l002/flake.nix

@@ -3,10 +3,11 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
     deploy-rs.url = "github:serokell/deploy-rs";
 
+    ros_neovim.url = "git+https://git.joshuabell.xyz/nvim";
     mod_common.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_common";
     mod_common.inputs.nixpkgs.follows = "nixpkgs";
-    mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd";
+    # mod_ros_stormd.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_stormd";
-    mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula";
+    # mod_nebula.url = "git+https://git.joshuabell.xyz/dotfiles?ref=mod_nebula";
   };
 
   outputs =
@@ -28,7 +29,7 @@
           "/run/agenix/nix2linode"
         ];
         nodes.${configuration_name} = {
-          hostname = "172.234.26.141";
+          hostname = "100.64.0.4";
           profiles.system = {
             user = "root";
             path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${configuration_name};
@@ -55,6 +56,7 @@
               ./hardware-configuration.nix
               ./linode.nix
               ./nginx.nix
+              ../../../components/nix/tailscale.nix
               (
                 { pkgs, ... }:
                 {
@@ -62,6 +64,11 @@
                     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
                     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
                   ];
+                  components = {
+                    # NOTE we manually onboard this machine since it also hosts headscale itself and I don't want to push
+                    # the key in this config.
+                    tailscale.useSecretsAuth = false;
+                  };
                   mods = {
                     common = {
                       disableRemoteBuildsOnLio = true;

hosts/linode/l002/nginx.nix

@@ -1,5 +1,5 @@
 {
-  config,
+  pkgs,
   ...
 }:
 {
@@ -25,7 +25,7 @@
   };
 
   security.acme.acceptTerms = true;
-  security.acme.email = "admin@joshuabell.xyz";
+  security.acme.defaults.email = "admin@joshuabell.xyz";
   services.nginx = {
     enable = true;
     recommendedGzipSettings = true;
@@ -37,7 +37,7 @@
       # Note that order here doesn't matter it orders alphabetically so `0` puts it first
       # I had an issue tha the first SSL port 443 site would catch any https traffic instead
       # of hitting my default fallback and this fixes that issue and ensure this is hit instead
-      "0.joshuabell.xyz" = {
+      "002.linodes.joshuabell.xyz" = {
         default = true;
         enableACME = true;
         forceSSL = true;
@@ -51,7 +51,7 @@
         forceSSL = true;
         locations."/" = {
           proxyWebsockets = true;
-          proxyPass = "http://10.20.40.104:3080";
+          proxyPass = "http://100.64.0.1:3080";
         };
       };
       "db.joshuabell.xyz" = {
@@ -59,31 +59,21 @@
         forceSSL = true;
         locations."/" = {
           proxyWebsockets = true;
-          proxyPass = "http://10.20.40.104:3085";
+          proxyPass = "http://100.64.0.1:3085";
         };
       };
       "gist.joshuabell.xyz" = {
         enableACME = true;
         forceSSL = true;
         locations."/" = {
-          proxyPass = "http://10.20.40.190:6157";
+          proxyPass = "http://100.64.0.2:6157";
         };
       };
       "git.joshuabell.xyz" = {
         enableACME = true;
         forceSSL = true;
         locations."/" = {
-          proxyPass = "http://10.20.40.190:6610";
+          proxyPass = "http://100.64.0.2:6610";
-        };
-      };
-      "nexus.l002.joshuabell.xyz" = {
-        locations."/" = {
-          proxyPass = "http://localhost:42291";
-        };
-      };
-      "nexus.joshuabell.xyz" = {
-        locations."/" = {
-          proxyPass = "http://localhost:42291";
         };
       };
 
@@ -153,14 +143,38 @@
     };
 
     # STREAMS
+    # TODO left off trying to get direct ssh working...
     streamConfig = ''
       server {
         listen 3032;
-        proxy_pass 10.20.40.190:6611;
+        proxy_pass 100.64.0.2:6611;
       }
     '';
   };
 
+  # Convoluted way to get ssh to work for git server while also still allowing
+  # ssh connections to the machine normally (you can't have nginx bind port 22 since sshd does)
+  # but sshd allows us to use a ForceCommand that we cna then proxy through
+  environment.systemPackages = with pkgs; [
+    # NOTE requires nc which I am getting from somewhere.... would be better to put it here in sys packs?
+    (writeScriptBin "proxy-to-git" ''
+      #!${pkgs.bash}/bin/bash
+      nc 100.64.0.2 6611
+    '')
+  ];
+
+# TODO havent gotten this fully working yet
+
+  services.openssh.extraConfig = ''
+    Match Host git.joshuabell.xyz
+      ForceCommand proxy-to-git
+      PermitTTY no
+      X11Forwarding no
+      PermitTunnel no
+      GatewayPorts no
+      AllowAgentForwarding no
+  '';
+
   networking.firewall.allowedTCPPorts = [
     80 # web http
     443 # web https

hosts/linode/linode.nix

@@ -34,6 +34,6 @@
   ];
 
   users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFLBVLiPbhVG+riNNpkvXnNtOioByV3CQwtY9gu8pstp nix2l002"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuo6L6V52AzdQIK6fWW9s0aX1yKUUTXbPd8v8IU9p2o nix2linode"
   ];
 }

hosts/lio/flake.lock

@@ -235,11 +235,11 @@
         "ragenix": "ragenix"
       },
       "locked": {
-        "lastModified": 1737492763,
+        "lastModified": 1739385513,
-        "narHash": "sha256-AMh+4cqU9bhOQ85du76RsJ78ip1yDaiTtModlpREMSI=",
+        "narHash": "sha256-AXTDMr+MMfstK91k2ZWsYuU4vbR18DyK3cyiQO6t6C0=",
         "ref": "mod_secrets",
-        "rev": "b45dd1d219a656c52cde4b98c509c36ed1833ae0",
+        "rev": "dc68d4f568d3bdf7d39af68a81432c77869f5749",
-        "revCount": 11,
+        "revCount": 14,
         "type": "git",
         "url": "https://git.joshuabell.xyz/dotfiles"
       },

hosts/lio/flake.nix

@@ -41,7 +41,7 @@
               ./hardware-configuration.nix
               ./containers.nix
               (
-                { pkgs, ... }:
+                { config, pkgs, ... }:
                 {
                   imports = [
                     ../../components/nix/lua.nix
@@ -49,6 +49,7 @@
                     ../../components/nix/qflipper.nix
                     ../../components/nix/qdirstat.nix
                     ../../components/nix/steam.nix
+                    ../../components/nix/tailscale.nix
                   ];
 
                   environment.systemPackages = with pkgs; [

hosts/oracle/readme.md

@@ -1,4 +1,11 @@
-Mostly followed: https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
+# Steps
+
+Mostly followed: <https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/>
+
 - kexectools -> kexec-tools
 - create mnt/boot after mounting mnt
 - copy over oracle.nix and import for first nixos-install
+
+# TODO
+
+- check out <https://github.com/elitak/nixos-infect>