This is required by the PCI compliance scanner. In order to make this
work I now need to run "nixos-rebuild switch --impure" and I had to add
the unstable channel with "nix-channel --add
https://nixos.org/channels/nixpkgs-unstable nixpkgs-unstable"
I had to add various directives that I borrowed from a previous install.
It's essentially PHP black magic.
I also had to prevent NixOS from overwriting the permissions on the PHP
user's home directory so that nginx would serve the static files as well.
I decided to remove the porkbun provider just to simplify things since
DNS validation incurs a much longer wait than HTTP validation. I also
removed the default address stuff since they would need a port and they
shouldn't be required - I pulled them from sovr which is doing more
exotic things with IPv6.
I also disabled systemd.network since I got a warning about a networking
conflict.
I moved the firewall directive to the networking file.
At this point the system comes up and nginx is hosting a static page.
This is working on a single IPv6 address of the two we now have
available. Because nginx is still binding to port 80 on all addresses,
we have to test this on port 8081, which is less than ideal. Still, it's
progress.
This is honestly pretty ugly. The issue is that I want two different
IPv6 addresses on this server. I get one address for free as part of my
hosting agreement. The other I have to pay $0.01 per month for. The
address is routable, but it's not provided via cloud-init like the
initial address.
I therefore took the data from /var/lib/cloud/instance/network-config.json
and translated it into this configuration manually. It's dangerous - I
don't know when any of this information may change.
However, it works, and both addresses are now bound to eth0.
Notice that I set the network configuration name to "09-wan". This is
because the previous configuration using cloud-init created a network
configuration at /etc/systemd/network/10-cloud-init that has to be
manually removed or superseded.
I was seeing a stack trace with this at the bottom:
error: cannot look up '<home-manager/nixos>' in pure evaluation mode (use '--impure' to override)
After reading a bit at https://nixos-and-flakes.thiscute.world/nixos-with-flakes/start-using-home-manager
I was able to craft this shape which uses home-manager in a flake and
doesn't have the same problem.
This also changes to directly referencing the local git checkout of my
flake definition which makes it faster and safer to iterate on the
logic.
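The flake shape referred to above, as an added example and not the author's own configuration: home-manager is pulled in as a pinned flake input and its NixOS module is taken from that input, so nothing resolves through a channel path and the build stays in pure evaluation mode. The hostname "example-host", the user name "webuser", the state version and the htop package are assumed placeholders.

```nix
{
  description = "NixOS host with home-manager wired in as a flake input";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      # Pin home-manager to the same nixpkgs so both evaluate one package set
      # and the lock file records exactly which revisions were used.
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, home-manager, ... }: {
    # "example-host" is a placeholder hostname, not the author's.
    nixosConfigurations.example-host = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./configuration.nix
        # The module comes from the flake input, so no <home-manager/nixos>
        # channel lookup is needed and --impure is not required.
        home-manager.nixosModules.home-manager
        {
          home-manager.useGlobalPkgs = true;
          home-manager.useUserPackages = true;
          # "webuser" is a placeholder account; stateVersion is assumed.
          home-manager.users.webuser = { pkgs, ... }: {
            home.stateVersion = "24.05";
            home.packages = [ pkgs.htop ];
          };
        }
      ];
    };
  };
}
```

Built from the local checkout with `sudo nixos-rebuild switch --flake /path/to/checkout#example-host` (path assumed), which pins every input through flake.lock instead of whatever the machine's channels happen to point at.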
At this point I am creating a systemd unit file, but it's not correct at
all.